* iptables performance problems
From: Jimmy Stewpot @ 2007-12-19  9:54 UTC
  To: netfilter

Hello,

I am currently using iptables on Linux kernel version 2.6.15 (Ubuntu 
Dapper). I have recently been having problems with my server's load going 
through the roof as remote hosts do nmap scans against the server. My 
current iptables configuration is as follows:

# Generated by iptables-save v1.3.3 on Thu Dec 13 09:03:30 2007
*filter
:INPUT DROP [276260:84041130]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10126068:4010046750]
-A INPUT
-A INPUT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth1 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -d FIRST_PUB_ADDR -i eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m multiport --dports 21,25,80,110,143,443,993,995 -j ACCEPT
-A INPUT -d SECOND_PUB_ADDR -i eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m multiport --dports 80,443 -j ACCEPT
-A INPUT -i eth0 -p udp -m multiport --dports 161 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-level 1
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "Dropped: " --log-level 1
-A OUTPUT -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.0.0.0/255.0.0.0 -o eth1 -j ACCEPT
COMMIT

It seems from my performance diagnostics that it's the logging which is 
causing the system to buckle rather than the packet rate or anything 
like that. Since I first noticed the system being hammered, I put the -m 
limit --limit 10/min on the LOG rule, but it appears to either not work 
or I have put it in the wrong place. Can anyone give me some advice 
regarding performance and logging?

Regards,

Jimmy


* RE: iptables performance problems
From: Shaun Mccullagh @ 2007-12-19 10:05 UTC
  To: netfilter

Hi

Here is an example of one way to use limit:


# same form for the FORWARD chain: iptables -A FORWARD -m limit ...
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
          --log-level INFO --log-prefix "Put Your Label Here: "

HTH

S
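
A way to check a ruleset like the one posted for this class of problem, and to see what `-m limit` actually admits, as an added example (mine, not code from the thread or from the netfilter project). Two facts drive it: LOG is a non-terminating target, so a packet that hits a LOG rule carries on to the next rule; and in the posted INPUT chain the first LOG rule has no `-m limit` at all, so it logs every packet before the throttled rule on the following line is reached. The sample chains are constructed (the posted INPUT chain trimmed to the rules that matter, public-address rules left out), the scan is modelled as packets that match none of the ACCEPT rules and fall through to the LOG rules and then the DROP policy, and the bucket is a model of `-m limit` (rate default 3/hour, `--limit-burst` default 5), not the kernel's xt_limit code.

```python
"""Lint an iptables-save ruleset for LOG rules that log unbounded traffic and
model the -m limit token bucket to count the log lines a port scan produces.
Added example, not from the mailing-list thread or the netfilter project."""
import shlex
from typing import List, Optional, Tuple

TOKEN = 1_000_000                    # one packet's worth of credit, in micro-tokens
PERIOD_MS = {"second": 1_000, "sec": 1_000, "minute": 60_000, "min": 60_000,
             "hour": 3_600_000, "day": 86_400_000}

# Constructed sample: the posted INPUT chain trimmed to the rules that matter,
# LOG rules in the posted order. The first LOG carries no limit at all.
POSTED = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-level 1
-A INPUT -m limit --limit 10/min -j LOG --log-prefix "Dropped: " --log-level 1
COMMIT
"""

# Same chain with the unthrottled LOG removed and the burst made explicit.
FIXED = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 10/min --limit-burst 5 -j LOG --log-prefix "Dropped: " --log-level 1
COMMIT
"""


def parse_rules(text: str) -> List[Tuple[str, List[str]]]:
    """(chain, args) for every -A line; shlex keeps the quoted log prefix whole."""
    rules = []
    for line in text.splitlines():
        if line.startswith("-A "):
            parts = shlex.split(line)
            rules.append((parts[1], parts[2:]))
    return rules


def option(args: List[str], name: str, default: Optional[str] = None) -> Optional[str]:
    """Value following an option such as -j or --limit, or the default."""
    return args[args.index(name) + 1] if name in args else default


def limit_of(args: List[str]) -> Optional[Tuple[int, int, int]]:
    """(count, period_ms, burst) when the rule carries -m limit, else None.
    Defaults are iptables' own: --limit 3/hour, --limit-burst 5."""
    if not any(a == "-m" and b == "limit" for a, b in zip(args, args[1:])):
        return None
    count, unit = option(args, "--limit", "3/hour").split("/")
    return int(count), PERIOD_MS[unit], int(option(args, "--limit-burst", "5"))


def lint_log_rules(text: str) -> List[str]:
    """One finding per LOG rule that does not keep the log volume bounded.
    Rule numbers count per chain, as iptables -L --line-numbers does."""
    findings, numbers, unthrottled = [], {}, {}
    for chain, args in parse_rules(text):
        numbers[chain] = numbers.get(chain, 0) + 1
        if option(args, "-j") != "LOG":
            continue
        if limit_of(args) is None:
            findings.append(f"{chain} rule {numbers[chain]}: LOG without -m limit "
                            "logs every packet that reaches it")
            unthrottled.setdefault(chain, numbers[chain])
        elif chain in unthrottled:
            findings.append(f"{chain} rule {numbers[chain]}: limit is pointless, rule "
                            f"{unthrottled[chain]} already logged the packet unthrottled")
    return findings


def limit_match(count: int, period_ms: int, burst: int, arrival_ms: List[int]) -> int:
    """Model of -m limit: credit refills at count per period up to burst packets;
    each matching packet spends one credit. Returns how many packets match."""
    credit, matched = burst * TOKEN, 0
    last = arrival_ms[0] if arrival_ms else 0
    for now in arrival_ms:
        credit = min(burst * TOKEN, credit + (now - last) * count * TOKEN // period_ms)
        last = now
        if credit >= TOKEN:
            credit -= TOKEN
            matched += 1
    return matched


def log_lines(text: str, arrival_ms: List[int]) -> int:
    """Log lines written for packets that match no ACCEPT rule and therefore
    reach every LOG rule in turn (LOG does not stop chain traversal)."""
    total = 0
    for _chain, args in parse_rules(text):
        if option(args, "-j") != "LOG":
            continue
        lim = limit_of(args)
        total += len(arrival_ms) if lim is None else limit_match(*lim, arrival_ms)
    return total


if __name__ == "__main__":
    burst_scan = [0] * 1000                      # 1000 probes in one instant
    spread_scan = [i * 60 for i in range(1000)]  # 1000 probes spread over a minute
    for name, rules in (("posted", POSTED), ("fixed", FIXED)):
        print(name, lint_log_rules(rules))
        print(name, "burst:", log_lines(rules, burst_scan),
              "spread:", log_lines(rules, spread_scan))
```

Run as is, it flags INPUT rule 4 of the posted chain (LOG with no limit) and reports the limit on rule 5 as pointless; 1000 probes arriving together produce 1005 log lines against 5 for the fixed chain, and spread over a minute the fixed chain logs 14 (the burst of 5 plus one credit every 6 seconds). The fix is to delete the unthrottled LOG rather than to add a throttled one after it; with the INPUT policy already DROP no explicit DROP rule is needed after the LOG.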


* Re: iptables performance problems
From: G.W. Haywood @ 2007-12-19 10:28 UTC
  To: netfilter

Hi there,

On Wed, 19 Dec 2007, Jimmy Stewpot wrote:

> I am currently using iptables on Linux kernel version 2.6.15 (Ubuntu
> Dapper). I have recently been having problems with my servers load going
> through the roof as remote hosts do nmap scans against the server. My
> current iptables configuration is as follows
> [snip]
> It seems from my performance diagnostics its the logging which is
> causing the system to buckle rather than the packet rate or anything
> like that. Since I first noticed the system being hammered I put the -m
> limit --limit 10/min on the LOG rule but it appears to either not work
> or I have put it in the wrong place. Can anyone give me some advice
> regarding performance and logging.

Most of the time I see no point in logging dropped packets with iptables.

In my systems iptables drops packets as soon as possible.  What little
logging is done is done by p0f, directly to a file.  That process can
be killed at any time, with no adverse effect on system operation.

Syslog-ng feeds data to one of several scripts, which in turn log to a
database, if (and only if) a packet is accepted.  There are different
scripts for mail, http, whatever.  Compared with the other things that
the boxes are doing, the load is negligible.

--

73,
Ged.

