RE: ram and processor cycles for a firewall machine

Askar wrote:
> thanks jose alot, okay i will upgrade ram to 128 * 2 = 256MB thanks,
> however where should I look for optimization the iptables rules?
> any link will be greatly appreciated

This is more of a manual activity. Things to speed up the ruleset would
be:

Putting the ESTABLISHED,RELATED rule above all others in its respective
chain. This avoids the lookups for all the match rules.

If you have a match rule with 100000 hits during an interval, put it
before a match rule with 100 hits. This way, the inefficiency of
processing the more obscure rule is minimized.

This isn't so much of a big deal unless you have either insane amounts
of traffic, or many very very small sessions. Hosting 'normal' users, I
have 99.97% of my traffic hitting the ESTABLISHED,RELATED filtering
rule, so the efficiency of the other rules in my stack is
inconsequential.


# All traffic: add up the bytes column ($2 with -v) of every rule in
# FORWARD, skipping the "Chain FORWARD" and "pkts bytes ..." header lines
AAA="$(iptables -t filter -nvxL FORWARD | egrep -v 'FORWARD|pkts' | awk '{print $2}' | sed 's/$/+/')"; echo ${AAA}0 | bc

# Only ESTABLISHED,RELATED traffic (iptables lists the states as RELATED,ESTABLISHED)
AAA="$(iptables -t filter -nvxL FORWARD | grep 'RELATED,ESTABLISHED' | awk '{print $2}' | sed 's/$/+/')"; echo ${AAA}0 | bc

% of traffic in ESTABLISHED,RELATED is just the second number divided by
the first.  The larger the percentage, the less any subsequent rule
arrangement will matter.
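The two measurements above and the "hot rule before cold rule" advice, as an added example that is not part of the original post or of anyone's project code: a small POSIX shell audit that reads the same `iptables -t filter -nvxL <chain>` listing, computes the ESTABLISHED,RELATED share of the chain's bytes, and goes one step further by ranking every rule by packet hits and flagging rules that sit below rules with fewer hits. It assumes the classic listing layout (pkts bytes target prot opt in out source destination match...) with two header lines; the sample listing, the interface names and the addresses in it are constructed.

```shell
#!/bin/sh
# Added example (not code from the original post): a rule-ordering audit for
# one chain, built on the same counters as the pipeline above. It reports the
# share of traffic the ESTABLISHED,RELATED rule absorbs and lists any rule that
# gets more hits than a rule placed above it. It assumes the column layout of
# `iptables -t filter -nvxL <chain>` (pkts bytes target prot opt in out source
# destination match...) with two header lines; the sample below is constructed.

SAMPLE='Chain FORWARD (policy DROP 120 packets, 9600 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 9841200 1843200000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
     213      12780 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:135
    2040     122400 ACCEPT     tcp  --  eth1   eth0    192.168.1.0/24       0.0.0.0/0            tcp dpt:80
     118       7080 ACCEPT     udp  --  eth1   eth0    192.168.1.0/24       0.0.0.0/0            udp dpt:53
      30       1800 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4'

# Sum column $1 (1 = pkts, 2 = bytes) over every rule line read on stdin.
sum_col() {
    awk -v c="$1" 'NR > 2 { s += $c } END { printf "%.0f\n", s }'
}

# Same, but only over rules whose listing matches the pattern in $2.
sum_col_matching() {
    awk -v c="$1" -v pat="$2" 'NR > 2 && $0 ~ pat { s += $c } END { printf "%.0f\n", s }'
}

# Percentage of the chain's bytes handled by the ESTABLISHED,RELATED rule,
# i.e. the post's "second number divided by the first".
established_pct() {
    total=$(printf '%s\n' "$1" | sum_col 2)
    est=$(printf '%s\n' "$1" | sum_col_matching 2 'RELATED,ESTABLISHED')
    awk -v e="$est" -v t="$total" 'BEGIN { if (t > 0) printf "%.3f\n", e * 100 / t; else print "0.000" }'
}

# Rules sorted by packet hits, most first: "position pkts target match".
rank_rules() {
    awk 'NR > 2 {
        desc = $3
        for (i = 10; i <= NF; i++) desc = desc " " $i
        printf "%d %s %s\n", NR - 2, $1, desc
    }' | sort -k2,2nr
}

# Flag each rule that has more hits than some rule above it. Moving it up is
# only safe when the two rules cannot match the same packet (here rule 3,
# tcp dpt:80, and rule 2, tcp dpt:135, are disjoint); check that by hand.
misordered() {
    awk 'NR > 2 { pk[NR - 2] = $1; n = NR - 2 }
         END {
             for (i = 2; i <= n; i++)
                 for (j = 1; j < i; j++)
                     if (pk[i] > pk[j]) {
                         printf "rule %d (%d pkts) sits below rule %d (%d pkts)\n", i, pk[i], j, pk[j]
                         break
                     }
         }'
}

# Stand-alone run on the constructed sample. On a live box use
#   report "$(iptables -t filter -nvxL FORWARD)"
# after zeroing the counters (-Z) and waiting out a representative interval.
report() {
    echo "ESTABLISHED,RELATED share of chain bytes: $(established_pct "$1")%"
    echo "rules by hits (position pkts target match):"
    printf '%s\n' "$1" | rank_rules
    printf '%s\n' "$1" | misordered
}
report "$SAMPLE"
```

On the sample the ESTABLISHED,RELATED rule takes 99.992% of the bytes, so, as the post says, the order of the rest barely matters for throughput; the one thing the audit does flag is the dpt:80 ACCEPT (2040 hits) sitting below the dpt:135 DROP (213 hits). Counters are cumulative since boot or the last -Z, so zero them and sample over a known interval before trusting the ranking, and never reorder two rules that can match the same packet on the strength of hit counts alone.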
