Linux Increase TCP Port Range with net.ipv4.ip_local_port_range Kernel Parameter



If your Linux server opens lots of outgoing network connections, you need to increase the local port range, because the default range is small. For example, a Squid proxy server can come under fire if it runs out of ports. Other examples include heavy-traffic network servers such as nginx load balancers, LXD VMs and more.



You can use the sysctl command to modify kernel parameters at runtime. The parameters available are those listed under /proc/sys/. Please note that this hack is only useful for high-bandwidth, busy Linux servers or large-scale grid servers.




How to find the current port range

Type the following cat command:

$ cat /proc/sys/net/ipv4/ip_local_port_range

OR use the sysctl command:

$ sysctl net.ipv4.ip_local_port_range

Sample outputs:

net.ipv4.ip_local_port_range = 32768 61000

Set new local port range

You can set the range with any one of the following commands. You must be the root user:

# echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range

OR

$ sudo sysctl -w net.ipv4.ip_local_port_range="1024 65535"

The above defines the local port range that TCP and UDP use to choose a local port. The first number is the first local port number, the second the last. If possible, these two numbers should have different parity, i.e. one even and one odd value. The default values are 32768 and 60999 respectively, or whatever your distro or sysadmin has set. In this example, 1024 is an even number and 65535 is an odd number. If both values have the same parity, you will get a warning that reads as follows:

ip_local_port_range: prefer different parity for start/end values.

Linux: increase the ip_local_port_range TCP port range permanently using sysctl.conf

Finally, to make the change to the /proc filesystem permanent, edit the /etc/sysctl.conf file and append the following lines:

# increase system IP port limits

net.ipv4.ip_local_port_range = 1024 65535

How do I see all TCP/UDP/IP session info

Use the ss command or the netstat command:

$ netstat -s | more

$ netstat -st #tcp

$ netstat -su #udp

$ netstat -sw #raw

$ netstat -nap

$ netstat -naptu | more

Sample outputs:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 172.16.3.1:11211        172.16.3.4:49806        TIME_WAIT   -
tcp        0      0 172.16.3.1:11211        172.16.3.4:49796        TIME_WAIT   -
tcp        0      0 172.16.3.1:11211        172.16.3.3:57004        TIME_WAIT   -
tcp        0      0 172.16.3.1:11211        10.105.28.42:50818      TIME_WAIT   -
tcp        0      0 172.16.3.1:11211        172.16.3.2:40514        TIME_WAIT   -
tcp        0      0 172.16.3.1:3306         10.105.28.44:37984      TIME_WAIT   -
tcp        0      0 172.16.3.1:11211        172.16.3.3:57008        TIME_WAIT   -
tcp        0      0 172.16.3.1:11211        172.16.3.2:40508        TIME_WAIT   -
tcp        0      0 172.16.3.1:3306         10.105.28.44:38080      TIME_WAIT   -
tcp        0      0 172.16.3.1:11211        172.16.3.2:40500        TIME_WAIT   -
tcp        0      0 172.16.3.1:11211        172.16.3.4:49774        TIME_WAIT   -
tcp        0      0 172.16.3.1:11211        172.16.3.2:40462        TIME_WAIT   -
tcp        0      0 172.16.3.1:3306         172.16.3.2:40806        TIME_WAIT   -
tcp        0      0 172.16.3.1:11211        172.16.3.2:40518        TIME_WAIT   -
tcp        0      0 172.16.3.1:11211        172.16.3.2:40472        TIME_WAIT   -
tcp        0      0 172.16.3.1:11211        172.16.3.2:40442        TIME_WAIT   -
tcp        0      0 172.16.3.1:11211        172.16.3.2:40414        TIME_WAIT   -
tcp        0      0 172.16.3.1:3306         10.105.28.44:38066      TIME_WAIT   -
tcp        0      0 172.16.3.1:11211        172.16.3.2:40432        TIME_WAIT   -
...

Or use the ss command:

$ ss -s

Sample outputs:

Total: 923 (kernel 39850)
TCP:   439 (estab 6, closed 423, orphaned 0, synrecv 0, timewait 370/0), ports 0

Transport Total     IP        IPv6
*         39850     -         -
RAW       0         0         0
UDP       7         6         1
TCP       16        15        1
INET      23        21        2
FRAG      0         0         0
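As an added example (not part of the original article), the following POSIX shell script ties together the parity rule from the "Set new local port range" section and the ss -s summary above: it validates a proposed ip_local_port_range the way the kernel will, and estimates how many ephemeral ports remain after the TIME_WAIT sockets that ss -s reports. The 1024 lower bound assumes a kernel that refuses a start below ip_unprivileged_port_start at its default value; the ss -s line is constructed from the article's figures.

```shell
#!/bin/sh
# Added example, not from the original article: validate an ip_local_port_range
# value the way the kernel does, then estimate the ephemeral ports left once
# TIME_WAIT sockets reported by `ss -s` are subtracted.
# Assumption: a kernel that refuses a range starting below
# ip_unprivileged_port_start, taken here at its default of 1024.

# port_range_check "LOW HIGH": prints the number of ports in the range.
# Returns 0 if accepted silently, 2 if accepted with the parity warning,
# 1 if the sysctl write would fail with EINVAL (nothing printed).
port_range_check() {
    set -- $1                      # split on spaces or the tab /proc prints
    low=$1; high=$2
    if [ "$high" -lt "$low" ]; then
        echo "invalid: end $high is below start $low" >&2
        return 1
    fi
    if [ "$low" -lt 1024 ]; then
        echo "invalid: start $low is below ip_unprivileged_port_start" >&2
        return 1
    fi
    rc=0
    # Same parity at both ends is what triggers the kernel message
    # "ip_local_port_range: prefer different parity for start/end values."
    if [ $(( (low + high) % 2 )) -eq 0 ]; then
        echo "warning: $low and $high have the same parity" >&2
        rc=2
    fi
    echo $(( high - low + 1 ))
    return $rc
}

# timewait_from_ss "SS_SUMMARY": the TIME_WAIT count from `ss -s` output.
timewait_from_ss() {
    printf '%s\n' "$1" | sed -n 's|.*timewait \([0-9][0-9]*\)/.*|\1|p'
}

# port_headroom "LOW HIGH" "SS_SUMMARY": ports still free for new outgoing
# connections, charging each TIME_WAIT socket one local port (the worst case,
# where they are all client-side sockets to the same peer address and port).
port_headroom() {
    total=$(port_range_check "$1" 2>/dev/null || true)
    [ -n "$total" ] || return 1
    tw=$(timewait_from_ss "$2")
    echo $(( total - ${tw:-0} ))
}

# Constructed `ss -s` line carrying the article's figures, so this runs offline.
SAMPLE_SS='TCP:   439 (estab 6, closed 423, orphaned 0, synrecv 0, timewait 370/0), ports 0'
```

For a live check run port_headroom "$(cat /proc/sys/net/ipv4/ip_local_port_range)" "$(ss -s)"; note that the article's own sample value of 32768 61000 has the same parity at both ends and so earns the warning.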

For more info read the following man pages:

$ man sysctl

$ man 5 sysctl.conf

$ man ss

$ man netstat