iptables "tricks"

Author: Richard Wilson
To: Main PLUG discussion list
Subject: iptables "tricks"
All,

I ran into this some time ago and thought I should share it -- on a
server running iptables that's got a heavy network load, these can make
a big difference.

Netfilter (iptables is the main interface command) is a stateful
firewall so it tracks connections. This means that it allocates a
certain amount of real RAM when the system boots to hold the Connection
Tracking Table. Resizing this table requires a reboot. Something you
NEVER want to see is console messages that say:

ip_conntrack: table full, dropping packet

When I ran into these, I had to do some digging, and found out how to
resize the conntrack table, as well as how to decrease the time out
value for connections (default for Red Hat is 5 days!). Changing the
time out value doesn't require a reboot; changing the table size to an
appropriate value for your workload does.

Under Red Hat/Fedora/CentOS, in /etc/sysctl.conf (takes effect at boot
time):

# Set Conntrack time out to 12 hours
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 43200
# Set the size of the conntrack table (old and new versions):
net.ipv4.ip_conntrack_max = XXXXXXX
net.ipv4.netfilter.ip_conntrack_max = XXXXXXX

Dynamically change the time out value on the running system (note spaces
around the = in the sysctl file, but not here!):

sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=43200

These helped, but what really made the biggest difference was this:
I found that the conntrack table had a LOT of entries for traffic from
127.0.0.1 (!!). Yes, netfilter will track ALL network traffic. If your
kernel is 2.6.9 or above, this command should work to tell netfilter to
not track localhost traffic:

iptables -t raw -A OUTPUT -o lo -j NOTRACK

After doing this on several mail relay servers we saw the number of
entries in the conntrack table drop to about half what they had been.
Of course, they don't drop right away -- existing table entries have to
time out.
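As an added example (not part of Richard's post), here is a small POSIX shell script that summarises a conntrack dump the way you would when checking whether loopback traffic or long-lived ESTABLISHED entries are what is filling the table. It assumes the classic /proc/net/ip_conntrack line format; the sample lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Summarise a conntrack table dump: who owns the entries, and how many
# ESTABLISHED TCP entries still have a very long remaining timeout.
# Assumes the classic /proc/net/ip_conntrack format:
#   proto num timeout [STATE] src= dst= sport= dport= ... src= dst= ... use=N
# (/proc/net/nf_conntrack on newer kernels prefixes "ipv4 2" to each line.)

# Constructed sample dump, not real traffic. On a live box you would use:
#   conntrack_by_src "$(cat /proc/net/ip_conntrack)"
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=41234 dport=25 packets=5 bytes=300 src=127.0.0.1 dst=127.0.0.1 sport=25 dport=41234 packets=4 bytes=280 [ASSURED] use=1
tcp      6 431900 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=41235 dport=25 packets=5 bytes=300 src=127.0.0.1 dst=127.0.0.1 sport=25 dport=41235 packets=4 bytes=280 [ASSURED] use=1
tcp      6 300 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=50000 dport=25 packets=9 bytes=900 src=198.51.100.5 dst=192.0.2.10 sport=25 dport=50000 packets=8 bytes=700 [ASSURED] use=1
udp      17 20 src=192.0.2.11 dst=198.51.100.5 sport=53 dport=53 packets=1 bytes=60 src=198.51.100.5 dst=192.0.2.11 sport=53 dport=53 packets=1 bytes=90 use=1
tcp      6 60 TIME_WAIT src=192.0.2.12 dst=198.51.100.5 sport=50001 dport=25 packets=6 bytes=500 src=198.51.100.5 dst=192.0.2.12 sport=25 dport=50001 packets=5 bytes=400 [ASSURED] use=1'

# Entries per original-direction source address, busiest first.
# The first "src=" field on a line is the originating side; the second is the reply.
conntrack_by_src() {
  printf '%s\n' "$1" | awk '{
      for (i = 1; i <= NF; i++)
          if ($i ~ /^src=/) { sub(/^src=/, "", $i); c[$i]++; break }
  } END { for (s in c) printf "%s %d\n", s, c[s] }' | sort -k2,2nr
}

# Number of ESTABLISHED TCP entries whose remaining timeout (field 3, seconds)
# exceeds the threshold in $2. With the 5-day default these sit in the table
# long after the peer has gone away; 43200 is the 12-hour value from the post.
long_established() {
  printf '%s\n' "$1" | awk -v t="$2" '
      $1 == "tcp" && $4 == "ESTABLISHED" && $3 + 0 > t + 0 { n++ }
      END { print n + 0 }'
}

# Percentage (integer) of all entries that originate from loopback, i.e. the
# share a "raw OUTPUT -o lo -j NOTRACK" rule would stop from being tracked.
loopback_pct() {
  printf '%s\n' "$1" | awk '{
      total++
      for (i = 1; i <= NF; i++)
          if ($i ~ /^src=/) { if ($i == "src=127.0.0.1") lo++; break }
  } END { printf "%d\n", (total ? 100 * lo / total : 0) }'
}

conntrack_by_src "$SAMPLE_CONNTRACK"
echo "long-lived ESTABLISHED (>12h): $(long_established "$SAMPLE_CONNTRACK" 43200)"
echo "loopback share: $(loopback_pct "$SAMPLE_CONNTRACK")%"
```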

Hopefully this may save some of you some headaches.

Richard Wilson
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss