Linux increase ip_local_port_range TCP port range

Mattias Geniar, Monday, November 2, 2015

For heavy traffic network servers, like proxy servers or load balancers, you may need to increase the networking port range.

On Linux, there is a sysctl parameter called ip_local_port_range that defines the minimum and maximum port a networking connection can use as its source (local) port. This applies to both TCP and UDP connections.

To find out the current port range, use either of the following commands:

$ cat /proc/sys/net/ipv4/ip_local_port_range
32768	61000

or:

$ sysctl net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 32768	61000

The value is shown as "minimum maximum", so the local port for new connections will be between 32768 and 61000; by default that is a range of 28232 ports. That sounds like plenty, but heavy traffic servers can easily reach this limit.

For heavy traffic servers, you can increase the total port range like this:

$ sysctl -w net.ipv4.ip_local_port_range="15000 64000"
net.ipv4.ip_local_port_range = 15000 64000

Or, by using echo to pass a value directly into /proc:

$ echo 15000 64000 > /proc/sys/net/ipv4/ip_local_port_range

To make the changes persistent across reboots, save your config in either /etc/sysctl.conf or in a custom file under /etc/sysctl.d/ that gets loaded together with your main config:

$ cat /etc/sysctl.d/net.ipv4.ip_local_port_range.conf
net.ipv4.ip_local_port_range = 15000 65000

To find out how many sessions your server is currently handling, use the following commands:

$ ss -s
Total: 2933 (kernel 3131)
TCP:   43915 (estab 2655, closed 41080, orphaned 159, synrecv 0, timewait 41080/0), ports 30347

Transport Total     IP        IPv6
*	  3131      -         -
RAW	  0         0         0
UDP	  17        11        6
TCP	  2835      2832      3
INET	  2852      2843      9
FRAG	  0         0         0

$ netstat -anp | more
...
tcp        0      0 10.50.1.6:41205        10.50.1.10:80           TIME_WAIT   -
tcp        0      0 10.50.1.6:42515        10.50.1.10:80           TIME_WAIT   -
tcp        0      0 10.50.1.6:59845        10.50.1.10:80           TIME_WAIT   -
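The steps above (read the range, pick a new one, apply it) and the session check below it are easy to get wrong by hand, so here is an added example script (not code from the original post) that wraps them in small functions: it reads the range from a file in the /proc format, validates a candidate "min max" pair before anything is written into the kernel, and estimates how much of the range is in use from netstat-style output. The file path is a parameter so the functions also run on constructed sample data without root; the sample netstat lines and the sample range file are constructed for the demo and are not real server output.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks and validates the
# ephemeral port range without writing anything to the kernel.

# Print "min max" from a file in /proc format (default: the live kernel value).
read_port_range() {
    file="${1:-/proc/sys/net/ipv4/ip_local_port_range}"
    read -r min max < "$file" || return 1
    echo "$min $max"
}

# True only for a string made of decimal digits.
is_int() { case "$1" in ''|*[!0-9]*) return 1;; *) return 0;; esac; }

# Return 0 only for a "min max" pair that is safe to write into
# ip_local_port_range: both numeric, min < max, max within the 16-bit port
# space, and min above the privileged range (< 1024) where daemons listen.
validate_port_range() {
    is_int "$1" && is_int "$2" || return 1
    [ "$1" -lt "$2" ] || return 1
    [ "$1" -ge 1024 ] && [ "$2" -le 65535 ]
}

# Number of ports in an inclusive range.
range_size() { echo $(( $2 - $1 + 1 )); }

# Count distinct local source ports in netstat -an style lines read from
# stdin, skipping LISTEN sockets (those are service ports, not ephemeral ones).
# Columns: proto recvq sendq local remote state [pid/program]
count_local_ports() {
    awk '$1 ~ /^tcp/ && $6 != "LISTEN" {
            n = split($4, a, ":"); seen[a[n]] = 1
         }
         END { c = 0; for (p in seen) c++; print c }'
}

# Integer percentage of the range min..max consumed by `used` ports.
range_usage_pct() { echo $(( $1 * 100 / ($3 - $2 + 1) )); }

# Constructed sample data (not real output) so the script runs stand-alone.
SAMPLE_RANGE_FILE=$(mktemp)
printf '32768\t61000\n' > "$SAMPLE_RANGE_FILE"
SAMPLE_NETSTAT='tcp        0      0 10.50.1.6:41205        10.50.1.10:80           TIME_WAIT   -
tcp        0      0 10.50.1.6:42515        10.50.1.10:80           TIME_WAIT   -
tcp        0      0 10.50.1.6:41205        10.50.1.11:443          ESTABLISHED -
tcp        0      0 0.0.0.0:22             0.0.0.0:*               LISTEN      1/sshd'

# Print one summary line: range, its size, ports in use and the percentage.
report() {
    range=$(read_port_range "$1")
    min=${range% *}; max=${range#* }
    used=$(printf '%s\n' "$2" | count_local_ports)
    printf 'range %s-%s (%s ports), %s local ports in use (%s%%)\n' \
        "$min" "$max" "$(range_size "$min" "$max")" \
        "$used" "$(range_usage_pct "$used" "$min" "$max")"
}

report "$SAMPLE_RANGE_FILE" "$SAMPLE_NETSTAT"
rm -f "$SAMPLE_RANGE_FILE"

# Check a candidate range before echoing it into /proc.
validate_port_range 15000 64000 && echo "15000 64000 is a valid range"
validate_port_range 500 70000 || echo "500 70000 is rejected"
```

To run it against a live server, call `report /proc/sys/net/ipv4/ip_local_port_range "$(netstat -an)"` (as root if /proc is not readable by your user); a high percentage, together with a large `timewait` count in `ss -s`, is the signal that the range is being exhausted. The validation function encodes the limits the post warns about: ports are 16-bit, so nothing above 65535 is possible, and pushing the minimum into the privileged range would let outgoing connections collide with ports your own services listen on.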

Please be careful when increasing the TCP port range though: there are limits!



Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek & public speaker. Currently working on DNS Spy & Oh Dear!. Follow me on Twitter as @mattiasgeniar.


Comments

Wellington Torrejais da Silva Thursday, December 31, 2015 at 13:50 - Reply

Thanks!
