1
datocp 228 days ago via Android
You can edit /etc/sysctl.d; look at the timeout settings there. They control when a connection is expired: set too high, connections stay around forever; set too low, network stability suffers. They need to be set just right.
# cat /proc/net/nf_conntrack|wc -l
920
/etc/sysctl.d# cat *.conf
# Do not edit, changes to this file will be lost on upgrades
# /etc/sysctl.conf can be used to customize sysctl settings
kernel.panic=3
kernel.core_pattern=/tmp/%e.%t.%p.%s.core
fs.suid_dumpable=2
fs.protected_hardlinks=1
fs.protected_symlinks=1
net.core.bpf_jit_enable=1
net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
net.ipv4.ip_forward=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.igmp_max_memberships=100
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_sack=1
net.ipv4.tcp_dsack=1
net.ipv6.conf.default.forwarding=0
net.ipv6.conf.all.forwarding=0
# Do not edit, changes to this file will be lost on upgrades
# /etc/sysctl.conf can be used to customize sysctl settings
net.netfilter.nf_conntrack_acct=1
net.netfilter.nf_conntrack_checksum=0
net.netfilter.nf_conntrack_max=16384
net.netfilter.nf_conntrack_tcp_timeout_established=600
net.netfilter.nf_conntrack_udp_timeout=65
net.netfilter.nf_conntrack_udp_timeout_stream=120
#dato add sysctl -w sysctl -p
#sysctl net.core.somaxconn
#sysctl -w net.core.somaxconn=2048
net.ipv4.tcp_max_syn_backlog=2048
#1/2/4/8/16s 2=1+2+4
#net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries=2
net.core.somaxconn=2048
#/proc/sys/net/netfilter/nf_conntrack_*
net.netfilter.nf_conntrack_generic_timeout=600
net.netfilter.nf_conntrack_tcp_timeout_syn_sent=120
net.netfilter.nf_conntrack_tcp_timeout_syn_recv=60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=120
net.netfilter.nf_conntrack_tcp_timeout_time_wait=120
net.netfilter.nf_conntrack_tcp_timeout_close=10
net.netfilter.nf_conntrack_tcp_timeout_close_wait=60
net.netfilter.nf_conntrack_tcp_timeout_last_ack=30
#
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
2
opengps 228 days ago
If these are short-lived connections, it probably comes down to the counting criterion: say I count any connection seen within the last 5 minutes as active, while you only count those within the last minute. In that case the numbers can never be made to match exactly.
3
paranoiagu 228 days ago via Android
Could it be UDP?
4
flynaj 228 days ago via Android
netstat -ntu shows the local machine's own connections, which are usually few. The conntrack command shows the NAT connections.
conntrack -L conntrack | awk '{print $5}' | cut -d "=" -f 2 | sort | uniq -c | sort -nr | head -n 10 sorts them so you can see which IP has the most connections.
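An added example, not from any poster in this thread, of the same per-IP counting done in a way that survives the difference between TCP and UDP lines (TCP entries carry a state column, UDP entries do not, so a fixed field number picks different tokens), plus a breakdown by protocol and state that tells you whether a high count is long-lived ESTABLISHED flows or a pile of short-lived TIME_WAIT and UNREPLIED entries that the sysctl timeouts above would shrink. The sample lines are constructed to resemble `conntrack -L` output.

```shell
#!/bin/sh
# Constructed sample resembling `conntrack -L` output (not real captured data).
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.5 sport=51234 dport=443 src=10.0.0.5 dst=192.168.1.10 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=192.168.1.10 dst=10.0.0.5 sport=51235 dport=443 src=10.0.0.5 dst=192.168.1.10 sport=443 dport=51235 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.22 dst=8.8.8.8 sport=40000 dport=53 src=8.8.8.8 dst=192.168.1.22 sport=53 dport=40000 mark=0 use=1
udp      17 29 src=192.168.1.22 dst=8.8.8.8 sport=40001 dport=53 src=8.8.8.8 dst=192.168.1.22 sport=53 dport=40001 mark=0 use=1
udp      17 29 src=192.168.1.22 dst=1.1.1.1 sport=40002 dport=53 src=1.1.1.1 dst=192.168.1.22 sport=53 dport=40002 mark=0 use=1
tcp      6 60 SYN_SENT src=192.168.1.30 dst=203.0.113.9 sport=33000 dport=80 [UNREPLIED] src=203.0.113.9 dst=192.168.1.30 sport=80 dport=33000 mark=0 use=1'

# top_src_ips N: reads conntrack lines on stdin, prints "count ip" for the N
# busiest original-direction source addresses. It takes the first src= token
# on each line rather than a fixed field, so TCP and UDP lines count the same.
top_src_ips() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^src=/) { sub(/^src=/, "", $i); c[$i]++; break }
    } END { for (ip in c) print c[ip], ip }' | sort -k1,1nr -k2 | head -n "$1"
}

# count_by_proto_state: prints "count proto state" per combination; UDP lines
# have no state column, so they are reported with state "-". A table dominated
# by TIME_WAIT / UNREPLIED entries points at timeouts rather than real load.
count_by_proto_state() {
    awk '{ st = ($4 ~ /^src=/) ? "-" : $4; c[$1 " " st]++ }
         END { for (k in c) print c[k], k }' | sort -k1,1nr -k2
}

# On a live NAT box, feed the real table instead of the sample:
#   conntrack -L 2>/dev/null | top_src_ips 10
#   conntrack -L 2>/dev/null | count_by_proto_state
printf '%s\n' "$SAMPLE_CONNTRACK" | top_src_ips 10
printf '%s\n' "$SAMPLE_CONNTRACK" | count_by_proto_state
```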