iptables "tricks"

Richard Wilson relw at mchsi.com
Wed May 11 09:23:17 MST 2011


All,

I ran into this some time ago and thought I should share it -- on a 
server running iptables that's got a heavy network load, these can make 
a big difference.

Netfilter (iptables is its main command-line interface) is a stateful 
firewall, so it tracks connections.  This means that it allocates a 
certain amount of real RAM when the system boots to hold the Connection 
Tracking Table.  Resizing this table requires a reboot.  Something you 
NEVER want to see is console messages that say:

ip_conntrack: table full, dropping packet

When I ran into these, I had to do some digging, and found out how to 
resize the conntrack table, as well as how to decrease the timeout 
value for connections (default for Red Hat is 5 days!).  Changing the 
timeout value doesn't require a reboot; changing the table size to an 
appropriate value for your workload does.

Under Red Hat/Fedora/CentOS, in /etc/sysctl.conf (takes effect at boot 
time):

# Set conntrack timeout to 12 hours
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 43200
# Set the size of the conntrack table (old and new versions):
net.ipv4.ip_conntrack_max = XXXXXXX
net.ipv4.netfilter.ip_conntrack_max = XXXXXXX

Dynamically change the timeout value on the running system (note the 
spaces around the = in the sysctl file, but not here!):

sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=43200

These helped, but what really made the biggest difference was this:
I found that the conntrack table had a LOT of entries for traffic from 
127.0.0.1 (!!)  Yes, netfilter will track ALL network traffic.  If your 
kernel is 2.6.9 or above, this command should work to tell netfilter to 
not track localhost traffic:

iptables -t raw -A OUTPUT -o lo -j NOTRACK

After doing this on several mail relay servers we saw the number of 
entries in the conntrack table drop to about half what they had been.  
Of course, they don't drop right away -- existing table entries have to 
time out.
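Below is an added example, not part of Richard's post, that pulls the 
pieces above together in a small POSIX shell script: it reads how full 
the conntrack table is so you see the pressure before "table full" 
appears in the console, renders the sysctl settings in both the file 
form (spaces around =) and the live "sysctl -w" form (no spaces), and 
emits idempotent NOTRACK rules for loopback.  Assumptions: newer 
kernels expose the counters as /proc/sys/net/netfilter/nf_conntrack_count 
and nf_conntrack_max (the post's ip_conntrack_* sysctl names are the 
older spelling); the table size and timeout are passed in as parameters 
rather than guessed; and, in addition to the OUTPUT rule from the post, a 
matching PREROUTING rule on lo is included, since a loopback packet is 
seen by netfilter again on the way back in.

```shell
#!/bin/sh
# Added example (not from the original post): inspect conntrack table
# pressure and render the sysctl / iptables settings the post describes.
# Assumption: counters live under /proc/sys/net/netfilter on current
# kernels; an alternate directory may be passed for offline use.

# conntrack_usage_pct COUNT MAX -> integer percentage of the table in use.
# Returns 1 (and prints 0) if MAX is not a positive number.
conntrack_usage_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# conntrack_status [DIR] -> "count/max pct%" read from DIR (default: the
# kernel's sysctl directory).  Fails quietly if the files are absent.
conntrack_status() {
    dir=${1:-/proc/sys/net/netfilter}
    count=$(cat "$dir/nf_conntrack_count" 2>/dev/null) || return 1
    max=$(cat "$dir/nf_conntrack_max" 2>/dev/null) || return 1
    pct=$(conntrack_usage_pct "$count" "$max")
    printf '%s/%s %s%%\n' "$count" "$max" "$pct"
}

# conntrack_over_threshold DIR PCT -> exit 0 if usage >= PCT, 1 otherwise.
# Suitable for a cron/monitoring check ahead of "table full" messages.
conntrack_over_threshold() {
    status=$(conntrack_status "$1") || return 1
    pct=${status##* }; pct=${pct%\%}
    [ "$pct" -ge "$2" ]
}

# render_sysctl_conf TIMEOUT_SECS MAX_ENTRIES -> /etc/sysctl.conf fragment.
# File syntax uses spaces around '='; MAX_ENTRIES is whatever value fits
# the workload (the post leaves it as XXXXXXX for that reason).
render_sysctl_conf() {
    cat <<EOF
# Conntrack established-TCP timeout (seconds)
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = $1
# Conntrack table size (old and new sysctl names)
net.ipv4.ip_conntrack_max = $2
net.ipv4.netfilter.ip_conntrack_max = $2
EOF
}

# render_sysctl_live TIMEOUT_SECS -> the 'sysctl -w' form: no spaces.
render_sysctl_live() {
    printf 'sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=%s\n' "$1"
}

# notrack_lo_rules -> iptables commands that exempt loopback from tracking
# in the raw table.  '-C' checks for the rule first so re-running the
# script does not append duplicates.  OUTPUT matches the post; PREROUTING
# is added so the packet re-entering via lo is not tracked either.
notrack_lo_rules() {
    printf 'iptables -t raw -C OUTPUT -o lo -j NOTRACK 2>/dev/null || iptables -t raw -A OUTPUT -o lo -j NOTRACK\n'
    printf 'iptables -t raw -C PREROUTING -i lo -j NOTRACK 2>/dev/null || iptables -t raw -A PREROUTING -i lo -j NOTRACK\n'
}

# Usage (prints only; nothing is applied without root and a deliberate
# 'sh -c' of the rendered lines):
conntrack_status || echo "conntrack counters not readable on this host"
render_sysctl_conf 43200 "XXXXXXX"
render_sysctl_live 43200
notrack_lo_rules
```

To apply the rules, pipe the output of notrack_lo_rules into sh as root; 
to watch the effect, run conntrack_status a few times over the next 
timeout period, since existing entries only disappear as they expire.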

Hopefully this may save some of you some headaches.

Richard Wilson


More information about the PLUG-discuss mailing list