LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Maximum interfaces or rules for iptables (http://www.linuxquestions.org/questions/linux-networking-3/maximum-interfaces-or-rules-for-iptables-4175457913/)

scrupul0us 04-12-2013 08:50 AM

Maximum interfaces or rules for iptables
 
We are test bedding some dual octacore, 64GB servers for webhosting cPanel.

Due to how much SSD disk/memory and CPU we have on these servers we really want to go for density.

Things seem pretty stable at 2048 IPs on the server; however, as we approach adding 4096 IPs (which gets us to a nice 80% resource utilization) we start having network issues where we lose all network connectivity to the server until we "service iptables restart".

We are also running CSF on the boxes.

Is there some limit in CentOS by default that limits how many interfaces or rules can be used, and if so, can that limit be raised by adjusting sysctl parameters?

I know your first thought will be "this seems ludicrous, why would you do it?", but at this point I'm rather intrigued why a box of this configuration with x64 CentOS would be crapping out.

Thank you =)

unSpawn 04-14-2013 06:18 PM

Quote:

Originally Posted by scrupul0us (Post 4930341)
We are test bedding some dual octacore, 64GB servers for webhosting cPanel.

Ah, the web-based management panel provider that allowed hundreds of servers running cPanel to get compromised...


Quote:

Originally Posted by scrupul0us (Post 4930341)
as we approach adding 4096 IPs (which gets us to a nice 80% resource utilization)

How are you adding them?


Quote:

Originally Posted by scrupul0us (Post 4930341)
we start having network issues

What are the symptoms?
Have you tried modprobing all related modules with debugging enabled?
And if you're really interested in analyzing this properly: have you tried a debug kernel?

scrupul0us 04-15-2013 06:18 AM

Quote:

Originally Posted by unSpawn (Post 4931553)
Ah, the web-based management panel provider that allowed hundreds of servers running cPanel to get compromised...

If you're not a careless sysadmin, cPanel is not a problem... It's the "kiddie hosts" with a dollar and a dream that make up the bulk of the issues.

I have not gone so far as to use a debug kernel yet... IPs are added using cPanel's interface, which ties them into its "ipaliases" daemon (read: range files, etc. don't work with cPanel).

My presumption is that I'm hitting a resource/system limit (think OpenVZ... my servers are NOT running OpenVZ, just to clarify) and as a result the firewall just stops passing all traffic through it.

I will be the first to admit that, on the debug side of Linux, my chops are pretty weak... It's only out of curiosity and failed repetitive online lurking that I've opened this thread.

By all means, this is not a "fix my problem" thread, rather, help me understand.

Thank you

unSpawn 04-20-2013 04:37 AM

Quote:

Originally Posted by scrupul0us (Post 4931779)
If you're not a careless sysadmin, cPanel is not a problem... It's the "kiddie hosts" with a dollar and a dream that make up the bulk of the issues

Completely off-topic but I was referring to their recent security incident: http://forum.whmcs.com/showthread.ph...mised&p=296646.


Quote:

Originally Posted by scrupul0us (Post 4931779)
I have not gone so far as to use a debug kernel yet... (..) My presumption is, I'm hitting a resource/system limit (..) By all means, this is not a "fix my problem" thread, rather, help me understand.

It's the same way you (should) look at log files first when trying to troubleshoot userland service problems. If 'dmesg' output doesn't show any clues or leads, and if the kernel or kernel modules don't provide switches to increase verbosity (running 'modinfo' on, for example, your network-device-related LKMs should show them), then running a debug kernel (obviously not on a production machine) would be the first thing to do, IMHO.
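An added example, not code from either poster: a first-pass diagnostic that does what the reply above recommends (read the kernel log and the relevant sysctls before reaching for a debug kernel) and also answers the original question's "is there a limit I can raise via sysctl". It looks for the two kernel messages emitted when a netfilter or ARP table fills (nf_conntrack "table full, dropping packet" and the neighbour-table overflow message), which is one common way a host with thousands of aliases stops passing traffic until `service iptables restart` unloads and reloads the conntrack module. That this is what hit the poster's servers is an assumption; no dmesg output was posted. The sysctl paths, the 80% alert threshold, the `SAMPLE_DMESG` lines and the fallback values are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a CentOS-style box running
# iptables with nf_conntrack loaded; run as root on the affected host.
# The dmesg sample below is constructed, not captured from anyone's server.

# classify_dmesg: read dmesg-style lines on stdin and print one tag per line
# that reports a kernel table limit being hit. Other lines are ignored.
classify_dmesg() {
    while IFS= read -r line; do
        case "$line" in
            *"nf_conntrack: table full, dropping packet"*|*"ip_conntrack: table full, dropping packet"*)
                echo "CONNTRACK_FULL" ;;
            *"eighbo"*"r table overflow"*)   # "Neighbour table overflow." (older kernels) / "neighbor table overflow!" (newer)
                echo "NEIGH_OVERFLOW" ;;
        esac
    done
    return 0
}

# headroom: compare a counter with its limit. Prints "ok" below 80 % of the
# limit and "near-limit" otherwise; 80 % is an arbitrary alerting threshold.
headroom() {
    used=$1; max=$2
    if [ "$max" -gt 0 ] && [ $(( used * 100 / max )) -lt 80 ]; then
        echo ok
    else
        echo near-limit
    fi
}

# read_sysctl: print /proc/sys/<path>, or the supplied fallback when the file
# is absent (module not loaded, or not a Linux host).
read_sysctl() {
    if [ -r "/proc/sys/$1" ]; then cat "/proc/sys/$1"; else echo "$2"; fi
}

# The two numbers the original question asks about.
count_rules() { iptables-save 2>/dev/null | grep -c '^-A' || true; }
count_ips()   { ip -4 -o addr 2>/dev/null | grep -c ' inet ' || true; }

# Constructed sample of what dmesg shows when both tables have overflowed.
SAMPLE_DMESG='[12345.678] nf_conntrack: table full, dropping packet.
[12346.001] nf_conntrack: table full, dropping packet.
[12350.900] Neighbour table overflow.
[12351.000] eth0: link is up'

main() {
    echo "== kernel log (sample) =="
    printf '%s\n' "$SAMPLE_DMESG" | classify_dmesg | sort | uniq -c

    echo "== conntrack =="
    # Fallbacks (60000/65536) are constructed values so the demo runs anywhere.
    cnt=$(read_sysctl net/netfilter/nf_conntrack_count 60000)
    max=$(read_sysctl net/netfilter/nf_conntrack_max 65536)
    echo "count=$cnt max=$max headroom=$(headroom "$cnt" "$max")"

    echo "== arp cache =="
    # Entries are per remote neighbour on the segment, not per local alias,
    # but a densely aliased host on a busy segment talks to far more of them.
    t3=$(read_sysctl net/ipv4/neigh/default/gc_thresh3 1024)
    echo "gc_thresh3=$t3"

    echo "== iptables / addresses =="
    echo "rules=$(count_rules) ipv4_addresses=$(count_ips)"
    echo "nf_conntrack module parameters: $(modinfo -p nf_conntrack 2>/dev/null | tr '\n' ' ')"
}

main
```

If `CONNTRACK_FULL` shows up on a live `dmesg | classify_dmesg`, the limit in question is `net.netfilter.nf_conntrack_max`, which is a plain sysctl and can be raised (the hash table size, `hashsize`, is a module parameter that `modinfo -p nf_conntrack` lists); `NEIGH_OVERFLOW` points at the `net.ipv4.neigh.default.gc_thresh1/2/3` family instead. Neither message appearing is exactly the case the reply above describes, where a debug kernel becomes the next step.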

