LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   What is the capacity of iptables etc? (https://www.linuxquestions.org/questions/linux-security-4/what-is-the-capacity-of-iptables-etc-872901/)

eastwind 04-04-2011 11:28 AM

What is the capacity of iptables etc?

I am running CentOS with iptables v1.3.5. I came across a problem: occasionally this CentOS box disappeared from the network (cannot ping or ssh from outside), but through its console I can ping anywhere. Looks like something wrong with iptables.

I have around 10000 connections through iptables. What is the maximum number of connections iptables can handle? Where can I find the performance parameters of iptables?

Thanks!

salasi 04-04-2011 12:53 PM

Quote:

Originally Posted by eastwind (Post 4313540)
I came across a problem: occasionally this CentOS disappeared from network(cannot ping or ssh from outside), but through its console I can ping anywhere. Looks like something wrong with iptables.

  • Well, there will be a limit, and if you reach the limit, you'll be at the limit. That's not a bug.
  • The limit will be dependent on the performance of your hardware. If you don't find someone who has done the testing on the same hardware, you'll only find out what it would do on some hardware that you don't have.
  • Even more significantly, the performance will be very heavily dependent on exactly which rules you have and which modules you use. So, again, unless you find someone who has done testing on exactly the ruleset that you have, you'll only know the performance of a ruleset that you don't have (clue: short, stubby chains; second clue: some modules are really rather intensive in their use of resources, so be careful).
  • If your use of your ruleset and number of connections causes you to run out of memory, the performance will disappear very suddenly.
  • My suspicion is that the only person who will do benchmarking in your exact situation is you, or maybe someone you pay to do it; I suppose I could be wrong, though.

eastwind 04-08-2011 08:55 AM

Quote:

Originally Posted by salasi (Post 4313630)
  • Well, there will be a limit, and if you reach the limit, you'll be at the limit. That's not a bug.
  • The limit will be dependent on the performance of your hardware. If you don't find someone who has done the testing on the same hardware, you'll only find out what it would do on some hardware that you don't have.
  • Even more significantly, the performance will be very heavily dependent on exactly which rules you have and which modules you use. So, again, unless you find someone who has done testing on exactly the ruleset that you have, you'll only know the performance of a ruleset that you don't have (clue: short, stubby chains; second clue: some modules are really rather intensive in their use of resources, so be careful).
  • If your use of your ruleset and number of connections causes you to run out of memory, the performance will disappear very suddenly.
  • My suspicion is that the only person who will do benchmarking in your exact situation is you, or maybe someone you pay to do it; I suppose I could be wrong, though.

You are right. A hardware firewall has fixed CPU and memory, so its benchmark will be easy to measure. I should look deeper into iptables.

salasi 04-08-2011 10:57 AM

I really don't want to put you off in your quest, just to point out the difficulties...


I suppose that even if someone does some benchmarking on different hardware, you may be able to say 'well, that hardware is roughly twice as fast as mine, so I can divide their numbers by two' or something, but...

Unless you know whether it is cpu limited or memory limited (and the perf does suddenly crash as you run out of ram and start swapping, so while it may be unknown, in general, whether this has started happening in their tests, it may be the most important factor) guessing the scaling factor will probably be flawed.

And given that you can write iptables rulesets that are dramatically less efficient in memory usage than others (particularly if you rush at iptables modules like a man who hasn't eaten for two weeks at an all-you-can-eat buffet... or maybe you have gone for logging everything), the closest that I can get is that the unknown unknown-ness is not as clear to me as it might be.

Another particular: if a lot of connections are from something like slow_loris, which deliberately sets out to burn up resources without making massive numbers of connections, you will be in a worse situation than if you just have lots of 'ordinary' connections, whether or not those ordinary connections are malevolent. On the other hand, if you have a box upstream that re-assembles connections, your situation may be much easier and you may not have to worry about that.
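The thread asks where the connection-handling limit of iptables can be seen, and salasi's reply points at memory and per-connection state as the thing that runs out. The added script below (written for this page, not posted by eastwind, salasi or the iptables project) is one way to check that on a box like the one described: it reads the connection-tracking table's current entry count and configured ceiling from /proc (the ip_conntrack_* names used by the CentOS 5 era kernel that ships iptables 1.3.5, falling back to the newer nf_conntrack_* names), computes how full the table is, and counts "table full, dropping packet" lines in kernel-log text, which is the message the kernel emits when it starts discarding new connections. The dmesg lines inside the script are constructed sample input, not output captured from the poster's machine; everything else is assumed to hold only on a Linux host with connection tracking loaded.

```shell
#!/bin/sh
# Added example, not from the thread: gauge how close the kernel's connection
# tracking table is to its ceiling. On CentOS 5 / iptables 1.3.5 the knobs are
# /proc/sys/net/ipv4/netfilter/ip_conntrack_{max,count}; later kernels use
# /proc/sys/net/netfilter/nf_conntrack_{max,count}.

# Print the first readable path among the arguments; fail if none is readable.
first_readable() {
    for f in "$@"; do
        if [ -r "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Integer percentage of the conntrack table in use (rounded down).
# Arguments: current entry count, configured maximum.
conntrack_usage_pct() {
    count=$1
    max=$2
    [ "$max" -gt 0 ] || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# Count "table full, dropping packet" lines in kernel-log text read on stdin.
# Matches both the old ip_conntrack and the newer nf_conntrack wording.
count_table_full() {
    grep -c 'conntrack: table full, dropping packet' || true
}

# Read the live values; only succeeds on a Linux host with conntrack loaded.
conntrack_status() {
    max_file=$(first_readable /proc/sys/net/netfilter/nf_conntrack_max \
                              /proc/sys/net/ipv4/netfilter/ip_conntrack_max) || return 1
    count_file=$(first_readable /proc/sys/net/netfilter/nf_conntrack_count \
                                /proc/sys/net/ipv4/netfilter/ip_conntrack_count) || return 1
    max=$(cat "$max_file")
    count=$(cat "$count_file")
    printf 'conntrack entries: %s / %s (%s%% of table used)\n' \
        "$count" "$max" "$(conntrack_usage_pct "$count" "$max")"
}

# Constructed sample kernel-log text (not captured from any real host).
SAMPLE_DMESG='ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
eth0: link up, 100Mbps, full-duplex'

# Usage: live check where possible, then the constructed sample.
conntrack_status || echo "conntrack table not readable on this host"
printf '%s\n' "$SAMPLE_DMESG" | count_table_full
```

When the count sits near the maximum, or the "table full" message appears in dmesg, new flows are dropped while existing sessions and the console keep working, which matches the symptom described at the top of the thread; raising ip_conntrack_max costs kernel memory per entry, which is the trade-off salasi describes.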
