From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jimmy Stewpot Subject: iptables performance problems Date: Wed, 19 Dec 2007 09:54:26 +0000 Message-ID: <4768EA52.7070602@oranged.to> Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Return-path: Sender: netfilter-owner@vger.kernel.org List-ID: Content-Type: text/plain; charset="us-ascii"; format="flowed" To: netfilter@vger.kernel.org Hello, I am currently using iptables on Linux kernel version 2.6.15 (Ubuntu Dapper). I have recently been having problems with my servers load going through the roof as remote hosts do nmap scans against the server. My current iptables configuration is as follows # Generated by iptables-save v1.3.3 on Thu Dec 13 09:03:30 2007 *filter :INPUT DROP [276260:84041130] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [10126068:4010046750] -A INPUT -A INPUT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -s 10.0.0.0/255.0.0.0 -i eth1 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT -A INPUT -d FIRST_PUB_ADDR -i eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m multiport --dports 21,25,80,110,143,443,993,995 -j ACCEPT -A INPUT -d SECOND_PUB_ADDR -i eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m multiport --dports 80,443 -j ACCEPT -A INPUT -i eth0 -p udp -m multiport --dports 161 -j ACCEPT -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -j LOG --log-level 1 -A INPUT -m limit --limit 10/min -j LOG --log-prefix "Dropped: " --log-level 1 -A OUTPUT -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -d 10.0.0.0/255.0.0.0 -o eth1 -j ACCEPT COMMIT It seems from my performance diagnostics its the logging which is causing the system to buckle rather than the packet rate or anything like that. Since I first noticed the system being hammered I put the -m limit --limit 10/min on the LOG rule but it appears to either not work or I have put it in the wrong place. Can anyone give me some advice regarding performance and logging. Regards, Jimmy