Script 01 · Kernel & Network
1. Sysctl Configuration (Kernel & Network Tuning)
Applies Linux kernel, TCP/IP, filesystem, memory, connection tracking, and NIC offload tuning for high concurrency VPS workloads.
Category: Kernel & Network
Risk: High
Language: Bash / Linux
What this script does
- Improve connection handling for game server, API, and database traffic.
- Enable BBR/FQ based network behavior where supported by the kernel.
- Persist sysctl and hardware offload settings through reboot.
Prerequisites
- Root access
- Ubuntu/Debian based VPS
- ethtool installed or installable
- Console recovery access recommended
Execution flow
- Backs up /etc/sysctl.conf
- Writes selected profile
- Applies sysctl
- Detects primary NIC
- Creates a systemd offload service
Validation checklist
- sysctl -p
- sysctl net.ipv4.tcp_congestion_control
- ethtool -k <interface>
- systemctl status disable-offload.service
Operational cautions
- Incorrect network tuning can degrade latency or throughput.
- Disabling IPv6 may break IPv6-only services.
- IP forwarding and conntrack changes affect firewall/NAT behavior.
Original script notes
ℹ️ Script Info: Optimizes Linux kernel and network settings for high concurrency, gaming, and database performance. It automatically backs up and modifies /etc/sysctl.conf based on your preferred profile and tunes Hardware Offloading via ethtool.
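cat << 'EOF' > update_sysctl.sh && chmod +x update_sysctl.sh && ./update_sysctl.sh
#!/bin/bash
# update_sysctl.sh
#
# 1. Backs up /etc/sysctl.conf (timestamped copy next to it).
# 2. Overwrites /etc/sysctl.conf with one of two tuning profiles.
# 3. Applies it with `sysctl -p`.
# 4. Detects the default-route interface and installs a systemd oneshot unit
#    that pins TSO/GRO/GSO on or off across reboots.
#
# Requires root (writes under /etc, runs sysctl/systemctl). `set -e` is
# deliberately NOT used: `sysctl -p` exits non-zero when a per-interface key
# (eth0/ens3/wg*) does not exist on this host, which is expected here and must
# not abort the offload step.
#
# Both profiles set net.ipv4.ip_forward = 1 and disable IPv6 on every
# interface; read the section comments below before applying on a host that is
# not a router or that serves IPv6 clients.
set -u

# die MESSAGE... — print to stderr and exit 1.
die() { printf '[ERROR] %s\n' "$*" >&2; exit 1; }

# Fail early instead of half-applying the profile as an unprivileged user or
# discovering at the last step that ethtool is missing.
[ "$(id -u)" -eq 0 ] || die "This script must be run as root."
ETHTOOL_BIN=$(command -v ethtool) || die "ethtool is not installed (apt install ethtool)."
readonly ETHTOOL_BIN
readonly SYSCTL_CONF=/etc/sysctl.conf
readonly UNIT_FILE=/etc/systemd/system/disable-offload.service

echo "=== STARTING SYSCTL CONFIGURATION ==="
echo "Select sysctl configuration profile:"
echo "1) Default Config (Original config, balanced for general use)"
echo "2) Advanced Config (Aggressive limits, BBR+FQ, Database & Game Server tuned)"
read -r -p "Your Choice (1/2): " SYSCTL_CHOICE
# Reject anything but 1/2 so a stray Enter cannot silently overwrite sysctl.conf.
case "$SYSCTL_CHOICE" in
  1|2) ;;
  *) die "Invalid choice '$SYSCTL_CHOICE', expected 1 or 2." ;;
esac

# 1. Backup old configuration (abort if the copy fails — never overwrite without it)
BACKUP_FILE="${SYSCTL_CONF}.bak_$(date +%Y%m%d_%H%M%S)"
if [ -f "$SYSCTL_CONF" ]; then
  cp -- "$SYSCTL_CONF" "$BACKUP_FILE" || die "Backup to $BACKUP_FILE failed; $SYSCTL_CONF left untouched."
  echo "[OK] Backup created at: $BACKUP_FILE"
else
  echo "[INFO] sysctl.conf not found, creating a new one."
fi

# 2. Write New Configuration (heredocs are quoted: nothing inside is expanded)
if [ "$SYSCTL_CHOICE" = "2" ]; then
cat << 'CONFIG_END' > "$SYSCTL_CONF"
# =============================================================================
# 1. KERNEL & SYSTEM SECURITY
# Restricts access to kernel pointers, disables core dumps for security,
# and increases maximum PIDs to prevent resource exhaustion.
# =============================================================================
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.pid_max = 4194304
kernel.randomize_va_space = 2
kernel.kptr_restrict = 2
kernel.perf_event_paranoid = 3
fs.suid_dumpable = 0
# =============================================================================
# 2. FILESYSTEM & I/O LIMITS
# Moderate limits for game server & database. Ensures the system doesn't run
# out of file descriptors when handling multiple connections and DB queries.
# =============================================================================
fs.file-max = 2097152
fs.nr_open = 1048576
fs.aio-max-nr = 524288
fs.inotify.max_user_instances = 1024
fs.inotify.max_user_watches = 262144
# =============================================================================
# 3. MEMORY & SWAP MANAGEMENT
# Optimized for 4GB RAM + PostgreSQL. Heavily discourages swapping (swappiness=1)
# and optimizes background dirty page writebacks for consistent disk I/O.
# =============================================================================
vm.swappiness = 1
vm.vfs_cache_pressure = 75
vm.dirty_ratio = 10
vm.dirty_background_ratio = 5
vm.dirty_writeback_centisecs = 300
vm.dirty_expire_centisecs = 1800
vm.min_free_kbytes = 65536
vm.overcommit_memory = 0
vm.overcommit_ratio = 90
vm.zone_reclaim_mode = 0
# =============================================================================
# 4. NETWORK SECURITY & ROUTING
# Hardened settings to drop spoofed packets (rp_filter) and ignore ICMP redirects.
# Disables IPv6 globally. Set net.ipv4.ip_forward and the two *.forwarding keys
# below to 0 if this server does not route traffic for other hosts.
# =============================================================================
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.all.log_martians = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# =============================================================================
# 5. TCP/IP STACK & LOW-LATENCY OPTIMIZATION
# Tuned for fast game response and web serving. Uses BBR + FQ for congestion
# control, enables busy polling (see note), and limits unsent socket buffers.
# =============================================================================
# Congestion Control
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
# Polling: 50 enables busy polling. Set to 0 (disabled) on a single-CPU host
# to prevent starving the only CPU.
net.core.busy_poll = 50
# Socket Buffers
net.core.rmem_default = 262144
net.core.wmem_default = 262144
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.optmem_max = 32768
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.udp_rmem_min = 8192
net.ipv4.udp_wmem_min = 8192
# Backlogs & Processing Limits
net.core.somaxconn = 8192
net.core.netdev_max_backlog = 5000
net.core.netdev_budget = 600
net.core.netdev_budget_usecs = 2000
# Receive Flow Steering (CPU Cache Optimization for 2+ Cores)
net.core.rps_sock_flow_entries = 32768
# TCP Connection Handling
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_keepalive_time = 30
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_tw_buckets = 262144
net.ipv4.tcp_max_orphans = 65536
# Syn Flood Protection & Fast Open
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_fastopen = 3
# Bufferbloat Mitigation (Crucial for Low Latency)
net.ipv4.tcp_notsent_lowat = 16384
net.ipv4.ip_local_port_range = 1024 65535
# =============================================================================
# 6. CONNECTION TRACKING (NAT/FIREWALL)
# Maximized table size to prevent connection drops, with aggressive timeouts
# to clear dead connections quickly and save RAM.
# Note: Hashsize must be set in /etc/modprobe.d/nf_conntrack.conf separately.
# Use this command on terminal "echo 'options nf_conntrack hashsize=262144' | sudo tee /etc/modprobe.d/nf_conntrack.conf"
# =============================================================================
net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_tcp_timeout_established = 7200
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 15
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 10
# =============================================================================
# 7. ARP & NEIGHBOR TABLE
# Optimized garbage collection limits for cloud/VPS environments to ensure
# stable routing to internal networks and gateways.
# =============================================================================
net.ipv4.neigh.default.gc_thresh1 = 256
net.ipv4.neigh.default.gc_thresh2 = 1024
net.ipv4.neigh.default.gc_thresh3 = 2048
net.ipv4.neigh.default.gc_interval = 30
CONFIG_END
  echo "[OK] Advanced configuration successfully written to /etc/sysctl.conf"
else
cat << 'CONFIG_END' > "$SYSCTL_CONF"
# -----------------------------------------------------------------
# KERNEL SYSTEM & SECURITY
# -----------------------------------------------------------------
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.pid_max = 65535
kernel.randomize_va_space = 2
kernel.msgmnb = 65535
kernel.msgmax = 65535
fs.suid_dumpable = 0
kernel.kptr_restrict = 1
# -----------------------------------------------------------------
# FILESYSTEM (High Concurrency)
# -----------------------------------------------------------------
fs.file-max = 4194304
fs.epoll.max_user_instances = 65536
fs.nr_open = 4194304
fs.aio-max-nr = 1048576
fs.inotify.max_queued_events = 65536
fs.inotify.max_user_instances = 512
fs.inotify.max_user_watches = 524288
# -----------------------------------------------------------------
# MEMORY (Database Optimized)
# -----------------------------------------------------------------
vm.swappiness = 5
vm.vfs_cache_pressure = 50
vm.dirty_ratio = 20
vm.dirty_background_ratio = 5
vm.dirty_writeback_centisecs = 500
vm.dirty_expire_centisecs = 3000
vm.mmap_min_addr = 4096
vm.min_free_kbytes = 67584
vm.overcommit_memory = 0
vm.overcommit_ratio = 50
# -----------------------------------------------------------------
# NETWORK SECURITY
# Forwarding is enabled; set the three forwarding keys to 0 if this host
# does not route for others. The per-interface rp_filter keys (eth0, ens3,
# wg0-wg3) are rejected by sysctl on hosts where that interface is absent.
# -----------------------------------------------------------------
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.eth0.rp_filter = 2
net.ipv4.conf.ens3.rp_filter = 2
net.ipv4.conf.wg0.rp_filter = 2
net.ipv4.conf.wg1.rp_filter = 2
net.ipv4.conf.wg2.rp_filter = 2
net.ipv4.conf.wg3.rp_filter = 2
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.all.bootp_relay = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.all.accept_ra = 0
# -----------------------------------------------------------------
# TCP PERFORMANCE (Game & DB Optimized)
# -----------------------------------------------------------------
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
net.core.rmem_default = 1048576
net.core.wmem_default = 1048576
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.optmem_max = 65536
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 65535
net.core.netdev_budget = 65536
net.core.netdev_budget_usecs = 65536
net.core.dev_weight = 8192
net.ipv4.tcp_rmem = 8192 1048576 16777216
net.ipv4.tcp_wmem = 8192 1048576 16777216
net.ipv4.udp_rmem_min = 16384
net.ipv4.udp_wmem_min = 16384
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 10
net.netfilter.nf_conntrack_tcp_timeout_established = 14400
net.netfilter.nf_conntrack_max = 2000000
net.netfilter.nf_conntrack_buckets = 500000
net.ipv4.tcp_max_tw_buckets = 8388608
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_orphan_retries = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_adv_win_scale = 2
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_rfc1337 = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_local_port_range = 1024 65535
# -----------------------------------------------------------------
# ARP NEIGHBOR TABLE
# -----------------------------------------------------------------
net.ipv4.neigh.default.gc_thresh1 = 128
net.ipv4.neigh.default.gc_thresh2 = 1024
net.ipv4.neigh.default.gc_thresh3 = 2048
net.ipv4.neigh.default.gc_interval = 30
net.ipv4.neigh.default.proxy_qlen = 256
net.ipv4.neigh.default.unres_qlen = 101
net.ipv4.neigh.eth0.unres_qlen = 101
net.ipv4.neigh.ens3.unres_qlen = 101
net.ipv4.ipfrag_low_thresh = 262144
net.ipv4.ipfrag_time = 15
net.ipv4.inet_peer_threshold = 65536
CONFIG_END
  echo "[OK] Default configuration successfully written to /etc/sysctl.conf"
fi

# 3. Apply Configuration
# sysctl -p applies the file it can and returns non-zero if any key was
# rejected; keys for interfaces this host lacks are the expected cause, but
# the output should still be reviewed for other errors.
echo "Applying changes (ignore 'cannot stat' errors if interface missing)..."
if ! sysctl -p; then
  echo "[WARN] sysctl rejected one or more keys; check the messages above." >&2
fi

# 4. Hardware Offloading Tuning
printf '\n=== HARDWARE OFFLOADING (TSO, GRO, GSO) ===\n'
echo "Explanation:"
echo " - ON : NIC (Network Card) handles packet segmentation. Good for general throughput & low CPU usage."
echo " - OFF : CPU handles packet segmentation. Recommended for Game Servers / VPNs to minimize latency and packet loss."
echo ""
# The interface is the one carrying the first default route. The name is
# interpolated into the unit file below, so restrict it to the characters
# an interface name can legally contain before using it.
IFACE=$(ip -o route show default 2>/dev/null \
  | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
if [ -z "$IFACE" ]; then
  die "Interface not found!"
fi
if [[ ! "$IFACE" =~ ^[A-Za-z0-9_.:@-]+$ ]]; then
  die "Unexpected interface name '$IFACE', refusing to write the service unit."
fi
echo "[INFO] Primary network interface detected: $IFACE"
read -r -p "Set Hardware Offloading (TSO, GRO, GSO) to [on / off]: " STATE
STATE=${STATE,,}
if [[ "$STATE" != "on" && "$STATE" != "off" ]]; then
  die "Invalid choice, execution aborted! Please type on or off."
fi

echo "[PROCESS] Writing configuration to $UNIT_FILE..."
# Unquoted heredoc on purpose: IFACE and STATE are validated above and
# ETHTOOL_BIN comes from command -v, so expansion here is safe.
cat << OFFLOAD_EOF > "$UNIT_FILE" || die "Could not write $UNIT_FILE"
[Unit]
Description=Hardware Offload Tuning for $IFACE
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=$ETHTOOL_BIN -K $IFACE tso $STATE gro $STATE gso $STATE
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
OFFLOAD_EOF

echo "[PROCESS] Reloading systemd daemon..."
systemctl daemon-reload || die "systemctl daemon-reload failed."
echo "[PROCESS] Enabling and starting the service..."
systemctl enable disable-offload.service || die "Could not enable disable-offload.service."
systemctl restart disable-offload.service \
  || die "disable-offload.service failed to start; see: journalctl -u disable-offload.service"

printf '\n[STATUS: SUCCESS] Offloading has been successfully set to (%s) permanently on %s!\n' "$STATE" "$IFACE"
echo "[INFO] Ethtool Verification Results:"
"$ETHTOOL_BIN" -k "$IFACE" | grep -E "tcp-segmentation-offload|generic-segmentation-offload|generic-receive-offload"
echo "============================================="
echo "DONE. Script saved at: ./update_sysctl.sh"
echo "Configuration is now permanent."
echo "============================================="
EOF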