LinuxQuestions.org
Old 04-12-2013, 08:50 AM   #1
scrupul0us
Member
Distribution: CentOS 6.3

Maximum interfaces or rules for iptables

We are test bedding some dual octacore, 64GB servers for webhosting cPanel.

Due to how much SSD disk/memory and CPU we have on these servers we really want to go for density.

Things seem pretty stable at 2048 IPs on the server; however, as we approach adding 4096 IPs to the server (which gets us to a nice 80% resource utilization), we start having network issues where we lose all network connectivity to the server until we run "service iptables restart".

We are also running CSF on the boxes.

Is there some limit in CentOS by default that limits how many interfaces or rules can be used, and if so, can that limit be raised by adjusting sysctl parameters?

I know your first thought will be "this seems ludicrous, why would you do it", but at this point I'm rather intrigued why a box of this configuration with x64 CentOS would be crapping out.

Thank you =)

Last edited by scrupul0us; 04-12-2013 at 08:51 AM.
 
Old 04-14-2013, 06:18 PM   #2
unSpawn
Moderator

Quote:
Originally Posted by scrupul0us View Post
We are test bedding some dual octacore, 64GB servers for webhosting cPanel.
Ah, the web-based management panel provider that allowed hundreds of servers running cPanel to get compromised...


Quote:
Originally Posted by scrupul0us View Post
as we approach adding 4096 IP's the server (gets us to a nice 80% resource utilization)
How are you adding them?


Quote:
Originally Posted by scrupul0us View Post
we start having network issues
What are the symptoms?
Have you tried modprobing all related modules with debugging enabled?
And if you're really interested in analyzing this properly: have you tried a debug kernel?
 
Old 04-15-2013, 06:18 AM   #3
scrupul0us
Original Poster

Quote:
Originally Posted by unSpawn View Post
Ah, the web-based management panel provider that allowed hundreds of servers running cPanel to get compromised...
If you're not a careless sysadmin, cPanel is not a problem... It's the "kiddie hosts" with a dollar and a dream that make up the bulk of the issues.

I have not gone so far as to use a debug kernel yet... IPs are added using cPanel's interface, which ties them into its "ipaliases" daemon (read: range files/etc. don't work with cPanel).

My presumption is, I'm hitting a resource/system limit (think Openvz... my servers are NOT running Openvz - just to clarify) and as a result the firewall just stops passing all traffic through it

I will be the first to admit, on the debug side of Linux, my chops are pretty weak... It's only out of curiosity and failed repetitive online lurking that I've opened this thread

By all means, this is not a "fix my problem" thread, rather, help me understand.

Thank you
 
Old 04-20-2013, 04:37 AM   #4
unSpawn
Moderator

Quote:
Originally Posted by scrupul0us View Post
If you're not a careless sysadmin, cPanel is not a problem... It's the "kiddie hosts" with a dollar and a dream that make up the bulk of the issues
Completely off-topic but I was referring to their recent security incident: http://forum.whmcs.com/showthread.ph...mised&p=296646.


Quote:
Originally Posted by scrupul0us View Post
I have not gone so far as to use a debug kernel yet... (..) My presumption is, I'm hitting a resource/system limit (..) By all means, this is not a "fix my problem" thread, rather, help me understand.
It's the same way you (should) look at log files first when trying to troubleshoot userland service problems. If 'dmesg' output doesn't show any clues or leads, and if the kernel or kernel modules don't provide switches to increase verbosity (running 'modinfo' on, for example, your network-device-related LKMs should show this), then running a debug kernel (obviously not on a production machine) would be the first thing to do IMHO.
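The triage order unSpawn lays out (read dmesg first, then look for module verbosity switches, and only then reach for a debug kernel) can be scripted so the same numbers are collected every time the box falls over. The block below is an added example; it is not code from the thread, from cPanel or from CSF. It makes one assumption the thread itself does not: that the dmesg line worth counting is conntrack table exhaustion, which is one of the commonly logged reasons for a netfilter host to stop passing traffic until the rules are reloaded. The dmesg excerpt, the cut-down iptables-save dump, the 203.0.113.0/24 addresses and the conntrack counter values are all constructed so the script runs offline; the helper names are mine.

```shell
#!/bin/sh
# Added example (not from the thread, cPanel or CSF): offline triage helpers
# for the "all traffic stops until 'service iptables restart'" symptom.
# Everything below runs on constructed sample text; on a real box pipe in
# `dmesg`, `iptables-save` and `sysctl -n` output instead.

# Constructed dmesg excerpt. The "nf_conntrack: table full, dropping packet"
# text is the real (rate-limited) message the conntrack module logs when
# net.netfilter.nf_conntrack_max is exhausted; the timestamps are made up.
SAMPLE_DMESG='[ 1200.001] eth0: link up, 1000Mbps, full-duplex
[ 8811.402] nf_conntrack: table full, dropping packet
[ 8811.405] nf_conntrack: table full, dropping packet
[ 8811.409] nf_conntrack: table full, dropping packet'

# Constructed, cut-down iptables-save dump in the style of a CSF ruleset
# (per-IP ACCEPT rules in a user chain). Addresses are documentation ranges.
SAMPLE_SAVE='*nat
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ALLOWIN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j ALLOWIN
-A ALLOWIN -s 203.0.113.5/32 -j ACCEPT
-A ALLOWIN -s 203.0.113.6/32 -j ACCEPT
COMMIT'

# conntrack_drops: number of "table full, dropping packet" lines on stdin.
# The pattern matches both the nf_conntrack and the older ip_conntrack
# spelling of the message; "|| true" keeps a zero count from failing under
# set -e (grep -c exits 1 when nothing matched).
conntrack_drops() {
    grep -c 'conntrack: table full, dropping packet' || true
}

# rule_count TABLE: number of "-A" rules in TABLE of an iptables-save dump
# read from stdin. Chain declarations (":NAME ...") are not counted as rules.
rule_count() {
    awk -v want="$1" '
        /^\*/  { table = substr($0, 2); next }
        /^-A / { if (table == want) n++ }
        END    { print n + 0 }'
}

# conntrack_pct COUNT MAX: integer percentage of the conntrack table in use,
# for the two numbers `sysctl -n net.netfilter.nf_conntrack_count` and
# `sysctl -n net.netfilter.nf_conntrack_max` return on a live box.
conntrack_pct() {
    awk -v c="$1" -v m="$2" 'BEGIN { printf "%d\n", (c * 100) / m }'
}

# Run the helpers over the constructed samples (counter values are made up).
printf 'conntrack drops in dmesg: %s\n' \
    "$(printf '%s\n' "$SAMPLE_DMESG" | conntrack_drops)"
for t in filter nat; do
    printf 'rules in %s table: %s\n' "$t" \
        "$(printf '%s\n' "$SAMPLE_SAVE" | rule_count "$t")"
done
printf 'conntrack table in use: %s%%\n' "$(conntrack_pct 61000 65536)"
```

On a live CentOS 6 host the same three helpers would be fed with `dmesg | conntrack_drops`, `iptables-save | rule_count filter` and `conntrack_pct "$(sysctl -n net.netfilter.nf_conntrack_count)" "$(sysctl -n net.netfilter.nf_conntrack_max)"`; a non-zero drop count or a percentage close to 100 is the kind of dmesg/sysctl lead the post above says to exhaust before booting a debug kernel. Whether that is what this particular box is hitting is not something the thread establishes.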
 
  


Tags
csf, firewall, interfaces, iptables

