Setting Kernel Parameters

Parameters of the kernel can be changed (by root) by editing the writable files under /proc/sys.  (Not all files are writable; some just report information from the kernel.)  A typical action looks like this:

# cd /proc/sys/net/ipv4
# cat ip_forward
0
# echo 1 > ip_forward
#

The above commands show that the kernel was not acting as a router, but now it is.

On some Unixes you put this sort of echo command in a bootup script such as rc.local.  However, Linux has a neat way to manage these, from the file /etc/sysctl.conf.  You can edit this file to change settings at boot time.  You can also run the "sysctl" command to make changes or to examine the settings.

In this file you can have blank lines, comments (lines starting with "#" are comments), and lines of the form:

parameter = value

Where parameter is the absolute pathname of the file to change, minus the leading /proc/sys/, and with slashes ("/") changed to periods (".").  For example, the change shown above to enable routing (packet forwarding) would look like this in the sysctl.conf file:

# Turn on IP packet forwarding:
net.ipv4.ip_forward = 1

Some of the security parameters of the Linux 2.6 kernel are shown below, in a sample sysctl.conf snippet I copied from YborStudent:

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# Disables replies to broadcast ICMP echo (ping), to
# prevent a common DoS attack:
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable all source routing and ICMP redirects:
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0

# Enable (basic) source IP address verification:
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
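As an added example (not part of these notes or the YborStudent snippet), the following POSIX shell script reads a file in the sysctl.conf format described above, turns each parameter name back into its /proc/sys path, and reports which settings the running kernel does not yet match.  The function names, the optional ROOT argument, and the demo's fake /proc/sys tree are my own constructions so the check can be tried without root or a real procfs.

```shell
#!/bin/sh
# Audit a sysctl.conf-style file against the kernel's current values.
# Usage: sysctl_audit FILE [ROOT]   (ROOT defaults to /proc/sys; a constructed
# directory tree can be passed instead so the check runs without root/procfs).

# Reverse the naming rule above: "net.ipv4.ip_forward" -> "$root/net/ipv4/ip_forward"
sysctl_key_to_path() {   # $1 = parameter name, $2 = root directory
    printf '%s/%s\n' "$2" "$(printf '%s' "$1" | tr '.' '/')"
}

# Parse FILE: blank lines and '#' comment lines are skipped, every
# "parameter = value" line is compared with the live value.  Prints "OK" or
# "MISMATCH" per parameter; exit status = number of mismatches (0 = all match).
sysctl_audit() {
    conf=$1; root=${2:-/proc/sys}; mismatches=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        want=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
        [ -n "$key" ] || continue
        have=$(cat "$(sysctl_key_to_path "$key" "$root")" 2>/dev/null) || have='<missing>'
        if [ "$have" = "$want" ]; then
            echo "OK $key=$want"
        else
            echo "MISMATCH $key expected=$want actual=$have"
            mismatches=$((mismatches + 1))
        fi
    done < "$conf"
    return "$mismatches"
}

# Constructed demo (not a real system): a fake /proc/sys tree whose rp_filter
# is still 0, audited against a three-parameter hardening file.  Exit status 1.
demo_audit() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sys/net/ipv4/conf/all"
    echo 0 > "$tmp/sys/net/ipv4/ip_forward"
    echo 1 > "$tmp/sys/net/ipv4/tcp_syncookies"
    echo 0 > "$tmp/sys/net/ipv4/conf/all/rp_filter"
    printf '# Controls IP packet forwarding\nnet.ipv4.ip_forward = 0\n\n' > "$tmp/hard.conf"
    printf 'net.ipv4.tcp_syncookies = 1\nnet.ipv4.conf.all.rp_filter = 1\n' >> "$tmp/hard.conf"
    sysctl_audit "$tmp/hard.conf" "$tmp/sys"; rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Run as root with `sysctl_audit /etc/sysctl.conf` to see which boot-time settings have drifted from the live kernel.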