LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-04-2011, 11:28 AM   #1
eastwind
LQ Newbie
 
Registered: Jun 2008
Posts: 10

Rep: Reputation: 0
What is the capacity of iptables etc?


I am running a CentOS with iptables v1.3.5. I came across a problem: occasionally this CentOS disappeared from the network (cannot ping or ssh from outside), but through its console I can ping anywhere. Looks like something wrong with iptables.

I have around 10000 connections through iptables. What is the maximum number of connections iptables can handle? Where can I find performance parameters for iptables?

Thanks!
 
Old 04-04-2011, 12:53 PM   #2
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by eastwind View Post
I came across a problem: occasionally this CentOS disappeared from the network (cannot ping or ssh from outside), but through its console I can ping anywhere. Looks like something wrong with iptables.
  • Well, there will be a limit, and if you reach the limit, you'll be at the limit. That's not a bug.
  • The limit will be dependent on the performance of your hardware. If you don't find someone who has done the testing on the same hardware, you'll only find out what it would do on some hardware that you don't have.
  • Even more significantly, the performance will be very heavily dependent on exactly which rules you have and which modules you use. So, again, unless you find someone who has done testing on exactly the ruleset that you have, you'll only know the performance of a ruleset that you don't have (clue: short, stubby chains; second clue: some modules are really rather intensive in their use of resources, so be careful).
  • If your use of your ruleset and number of connections causes you to run out of memory, the performance will disappear very suddenly.
  • My suspicion is that the only person who will do benchmarking in your exact situation is you, or maybe someone you pay to do it; I suppose I could be wrong, though.
 
1 members found this post helpful.
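One concrete form of the limit this reply talks about is the kernel's connection-tracking table: it has an explicit ceiling (ip_conntrack_max on 2.6.18-era kernels such as CentOS 5, nf_conntrack_max on later ones), and once it is full the kernel drops new packets while the console keeps working. The script below reads the table size and current usage, classifies the headroom, and counts how often the kernel has already logged a full table. It is an added example, not code from this thread or from LinuxQuestions; it assumes a Linux host with the standard /proc paths (which vary by kernel build), and SAMPLE_DMESG is a constructed log excerpt so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the thread: check whether the connection-tracking
# table (the usual ceiling behind "N connections through iptables") is full.
# Assumes a Linux host; the /proc paths are the standard ones for the ip_conntrack
# (2.6.18-era, e.g. CentOS 5) and nf_conntrack kernels and may differ on other builds.

# Print "<max-path> <count-path>" for whichever conntrack implementation is loaded.
conntrack_paths() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_max ]; then
        echo "/proc/sys/net/netfilter/nf_conntrack_max /proc/sys/net/netfilter/nf_conntrack_count"
    elif [ -r /proc/sys/net/ipv4/netfilter/ip_conntrack_max ]; then
        echo "/proc/sys/net/ipv4/netfilter/ip_conntrack_max /proc/sys/net/ipv4/netfilter/ip_conntrack_count"
    else
        return 1
    fi
}

# Classify table usage: prints ok (below 80%), warn (80% or more) or full (count >= max).
# Pure integer arithmetic, so it can be checked against constructed values.
conntrack_status() {
    count=$1
    max=$2
    if [ "$count" -ge "$max" ]; then
        echo full
    elif [ $((count * 100)) -ge $((max * 80)) ]; then
        echo warn
    else
        echo ok
    fi
}

# Count kernel log lines reporting a full table (log text is read on stdin).
# Matches both the "ip_conntrack:" and "nf_conntrack:" spellings of the message.
# grep -c prints 0 and exits 1 when nothing matches; "|| true" keeps that a success.
count_table_full() {
    grep -c 'conntrack: table full, dropping packet' || true
}

# Constructed sample of kernel log output, used to exercise count_table_full offline.
SAMPLE_DMESG='ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
eth0: link up, 1000Mbps, full-duplex'

# Live report for the host this runs on: usage ratio plus how often the kernel
# has already dropped packets for lack of table space.
conntrack_report() {
    paths=$(conntrack_paths) || { echo "no conntrack sysctl found (module not loaded?)"; return 1; }
    set -- $paths
    max=$(cat "$1")
    count=$(cat "$2")
    echo "conntrack entries: $count / $max ($(conntrack_status "$count" "$max"))"
    drops=$(dmesg 2>/dev/null | count_table_full)
    echo "'table full' messages in kernel log: $drops"
}

# Run as: sh conntrack_check.sh report
case "${1:-}" in
    report) conntrack_report ;;
esac
```

If the report shows the table at or near its maximum, or any "table full" messages, the box has hit the tracking limit rather than a bug; raising the maximum costs memory per entry, so it belongs with the memory point made above rather than being set blindly.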
Old 04-08-2011, 08:55 AM   #3
eastwind
LQ Newbie
 
Registered: Jun 2008
Posts: 10

Original Poster
Rep: Reputation: 0

Quote:
Originally Posted by salasi View Post
  • Well, there will be a limit, and if you reach the limit, you'll be at the limit. That's not a bug.
  • The limit will be dependent on the performance of your hardware. If you don't find someone who has done the testing on the same hardware, you'll only find out what it would do on some hardware that you don't have.
  • Even more significantly, the performance will be very heavily dependent on exactly which rules you have and which modules you use. So, again, unless you find someone who has done testing on exactly the ruleset that you have, you'll only know the performance of a ruleset that you don't have (clue: short, stubby chains; second clue: some modules are really rather intensive in their use of resources, so be careful).
  • If your use of your ruleset and number of connections causes you to run out of memory, the performance will disappear very suddenly.
  • My suspicion is that the only person who will do benchmarking in your exact situation is you, or maybe someone you pay to do it; I suppose I could be wrong, though.
You are right. The hardware firewall has fixed CPU and memory, so its benchmark will be easy to measure. I should look deeper into iptables.
 
Old 04-08-2011, 10:57 AM   #4
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
I really don't want to put you off in your quest, just to point out the difficulties...


I suppose that even if someone does some benchmarking on different hardware, you may be able to say 'well, that hardware is roughly twice as fast as mine, so I can divide their numbers by two' or something, but...

Unless you know whether it is CPU limited or memory limited (and the performance does suddenly crash as you run out of RAM and start swapping, so while it may be unknown, in general, whether this has started happening in their tests, it may be the most important factor), guessing the scaling factor will probably be flawed.

And given that you can write iptables rulesets that are dramatically less efficient in memory usage than others (particularly if you rush at iptables modules like a man who hasn't eaten for two weeks at an all-you-can-eat buffet... or maybe you have gone for logging everything), the closest that I can get is that the unknown unknown-ness is not as clear to me as it might be.

Another particular: if a lot of connections are from something like slow_loris, which deliberately sets out to burn up resources without making massive numbers of connections, you will be in a worse situation than if you just have lots of 'ordinary' connections, whether or not those ordinary connections are malevolent. On the other hand, if you have a box upstream that re-assembles connections, your situation may be much easier and you may not have to worry about that.
 