RE: iptables performance problems

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi

Here is an example of one way to use limit:


iptables -A INPUT|FORWARD -m limit --limit 3/minute --limit-burst 3 -j
LOG \
          --log-level INFO --log-prefix "Put Your Label Here: "

HTH

S

-----Original Message-----
From: netfilter-owner@xxxxxxxxxxxxxxx
[mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Jimmy Stewpot
Sent: Wednesday, December 19, 2007 10:54 AM
To: netfilter@xxxxxxxxxxxxxxx
Subject: iptables performance problems

Hello,

I am currently using iptables on Linux kernel version 2.6.15 (Ubuntu 
Dapper). I have recently been having problems with my servers load going

through the roof as remote hosts do nmap scans against the server. My 
current iptables configuration is as follows

# Generated by iptables-save v1.3.3 on Thu Dec 13 09:03:30 2007
*filter
:INPUT DROP [276260:84041130]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10126068:4010046750]
-A INPUT
-A INPUT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth1 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j

ACCEPT
-A INPUT -d FIRST_PUB_ADDR -i eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK

SYN -m multiport --dports 21,25,80,110,143,443,993,995 -j ACCEPT
-A INPUT -d SECOND_PUB_ADDR -i eth0 -p tcp -m tcp --tcp-flags 
SYN,RST,ACK SYN -m multiport --dports 80,443 -j ACCEPT
-A INPUT -i eth0 -p udp -m multiport --dports 161 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-level 1
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "Dropped: " 
--log-level 1
-A OUTPUT -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.0.0.0/255.0.0.0 -o eth1 -j ACCEPT
COMMIT

It seems from my performance diagnostics its the logging which is 
causing the system to buckle rather than the packet rate or anything 
like that. Since I first noticed the system being hammered I put the -m 
limit --limit 10/min on the LOG rule but it appears to either not work 
or I have put it in the wrong place. Can anyone give me some advice 
regarding performance and logging.

Regards,

Jimmy
-
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




Op dit e-mailbericht is een disclaimer van toepassing, welke te vinden is op http://www.xb.nl/disclaimer.html



-
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux