Performance losings with iptables

Performance losings with iptables

[Michael Albrecht]

[-- Attachment #1: Type: text/plain, Size: 347 bytes --]

Hello,
i use iptables with Debian-Linux (2.4.20).
Wenn i install 150 Input-Chains like this:
iptables -A input -s 192.168.81.xxx
i will lose a lot of perfomance (for example: apache take a lot of time, ssh ...)
Wenn i show the perfomance with vmstat - vmstat says that 99 % is idel...
Wer is the Problem ???

Thanks for helping ... Michael

[-- Attachment #2: Type: text/html, Size: 1012 bytes --]

Performance losings with iptables

[Michael Albrecht]

[-- Attachment #1: Type: text/plain, Size: 349 bytes --]


Hello,
i use iptables with Debian-Linux (2.4.20).
Wenn i install 150 Input-Chains like this:
iptables -A input -s 192.168.81.xxx
i will lose a lot of perfomance (for example: apache take a lot of time, ssh ...)
Wenn i show the perfomance with vmstat - vmstat says that 99 % is idel...
Wer is the Problem ???

Thanks for helping ... Michael

[-- Attachment #2: Type: text/html, Size: 1031 bytes --]

RE: Performance losings with iptables

[Aldo Lagana]

[-- Attachment #1: Type: text/plain, Size: 862 bytes --]

not sure what version of iptables you have, but I have 707 rules in all the
various tables of filter and nat - none in the mangle table yet I have seen
zero (0) performance degradation on a P3 500 that also runs squid proxy, has
a DMZ with a web farm, and has about 100 ipsec tunnels 




  _____  

From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Michael Albrecht
Sent: Tuesday, May 13, 2003 11:57 AM
To: netfilter@lists.netfilter.org


 
Hello,
i use iptables with Debian-Linux (2.4.20).
Wenn i install 150 Input-Chains like this:
iptables -A input -s 192.168.81.xxx
i will lose a lot of perfomance (for example: apache take a lot of time, ssh
...)
Wenn i show the perfomance with vmstat - vmstat says that 99 % is idel...
Wer is the Problem ???
 
Thanks for helping ... Michael


[-- Attachment #2: Type: text/html, Size: 2239 bytes --]

Re: Performance losings with iptables

[Ralf Spenneberg]

Am Die, 2003-05-13 um 17.40 schrieb Michael Albrecht:
> Hello,
> i use iptables with Debian-Linux (2.4.20).
> Wenn i install 150 Input-Chains like this:
> iptables -A input -s 192.168.81.xxx
> i will lose a lot of perfomance (for example: apache take a lot of time, ssh ...)
> Wenn i show the perfomance with vmstat - vmstat says that 99 % is idel...
> Wer is the Problem ???
I doubt that iptables itself is responsible for the performance loss. I
rather suspect name resolution.
Can you post you rules or at least some timing information?

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                    
http://honeynet.spenneberg.org

Re: Performance losings with iptables

[Julian Gomez]

On Tue, May 20, 2003 at 09:50:01AM +0200, Ralf Spenneberg spoke thusly:
>Am Die, 2003-05-13 um 17.40 schrieb Michael Albrecht:
>> iptables -A input -s 192.168.81.xxx 
>> i will lose a lot of perfomance (for
>> example: apache take a lot of time, ssh ...) Wenn i show the perfomance
>> with vmstat - vmstat says that 99 % is

As Michael has already mentioned, I too doubt its an iptables fault. I've
had in excess of 1,300 rules running on a production firewall, for dynamic
dumping of Nimda infected hosts. Its almost certainly a name resolving
issue as Michael has already pointed to.