* how can I improve the throughput of linux firewall that use the netfilter + iptable
@ 2003-10-24 13:22 zhaohui_scu
  2003-10-24 14:33 ` Leonardo Rodrigues Magalhães
  2003-10-26 14:27 ` Ted Kaczmarek
  0 siblings, 2 replies; 4+ messages in thread
From: zhaohui_scu @ 2003-10-24 13:22 UTC (permalink / raw)
  To: netfilter@lists.netfilter.org


I want to use netfilter+iptables for my company's local_net.

But I have read the following words on some webpage:
"we use linux as our router. i just tested the performance of the router with smartbits, and i found that the throughput of 64byte .and the result is not good"

We do not have the smartbits.

But we want to use "iptables + netfilter + a normal PC with two eth" for our company.
There are about 1,000 PCs in the local_net.

What can I do to improve it?







* Re: how can I improve the throughput of linux firewall that use the netfilter + iptable
  2003-10-24 13:22 how can I improve the throughput of linux firewall that use the netfilter + iptable zhaohui_scu
@ 2003-10-24 14:33 ` Leonardo Rodrigues Magalhães
  2003-10-24 17:50   ` SBlaze
  2003-10-26 14:27 ` Ted Kaczmarek
  1 sibling, 1 reply; 4+ messages in thread
From: Leonardo Rodrigues Magalhães @ 2003-10-24 14:33 UTC (permalink / raw)
  To: zhaohui_scu, netfilter


    Number of PCs is not the most important information. We need you to give
us some more data about the firewall you're pretending to build, like:

1) internet connection speed (256k DSL, 1.5 T1, more?? )
2) complexity of your rules (simple rules, very complex rules)
3) any other information you can share with us .....


    But I can guarantee you that netfilter can get you VERY good throughput
**IF** you think before making the rules. We've seen lots of people
complaining about bad throughputs but almost all the times the problem is
related to their rules, built in a not-smart way, and not related to
iptables/netfilter itself.

    Question: what's smartbits ????? I've never heard about it .....


    Sincerely,
    Leonardo Rodrigues


* Re: how can I improve the throughput of linux firewall that use the netfilter + iptable
  2003-10-24 14:33 ` Leonardo Rodrigues Magalhães
@ 2003-10-24 17:50   ` SBlaze
  0 siblings, 0 replies; 4+ messages in thread
From: SBlaze @ 2003-10-24 17:50 UTC (permalink / raw)
  To: Leonardo Rodrigues Magalhães, zhaohui_scu, netfilter


--- Leonardo Rodrigues Magalhães <leolistas@solutti.com.br> wrote:
> 
>     Number of PCs is not the most important information. We need you to give
> us some more data about the firewall you're pretending to build, like:
> 
> 1) internet connection speed (256k DSL, 1.5 T1, more?? )
> 2) complexity of your rules (simple rules, very complex rules)
> 3) any other information you can share with us .....
> 
> 
>     But I can guarantee you that netfilter can get you VERY good throughput
> **IF** you think before making the rules. We've seen lots of people
> complaining about bad throughputs but almost all the times the problem is
> related to their rules, built in a not-smart way, and not related to
> iptables/netfilter itself.
> 
>     Question: what's smartbits ????? I've never heard about it .....
> 
> 
>     Sincerely,
>     Leonardo Rodrigues
> 
Just a note here first. I have heard unsubstantiated rumors of people using a
1500+ net on a 486 using iptables. I can no more prove that than you can prove
what you read.  There are several performance tweaks we can give you
here... provided we could look and see the ruleset (mask your IPs though; we
won't really need to see those). As Leonardo said, a lot can be done with a good
ruleset.

Another thing you might want to look at is the lartc (Linux Advanced Routing and
Traffic Control HOWTO). Also of interest are the ipsysctl and iptables tutorials
of Oskar Andreasson. These are INVALUABLE!!!! They are found here...

http://iptables-tutorial.frozentux.net/ and
http://ipsysctl-tutorial.frozentux.net/ here.

Also you might want to do some performance testing on your line so that if you
do make changes you can verify they are for the better. I recommend here...

http://miranda.ctd.anl.gov:7123/ and http://www.dslreports.com/tweaks

Good Luck
SBlaze


=====
In the absence of order there will be chaos.


* Re: how can I improve the throughput of linux firewall that use the netfilter + iptable
  2003-10-24 13:22 how can I improve the throughput of linux firewall that use the netfilter + iptable zhaohui_scu
  2003-10-24 14:33 ` Leonardo Rodrigues Magalhães
@ 2003-10-26 14:27 ` Ted Kaczmarek
  1 sibling, 0 replies; 4+ messages in thread
From: Ted Kaczmarek @ 2003-10-26 14:27 UTC (permalink / raw)
  To: zhaohui_scu; +Cc: netfilter@lists.netfilter.org

With any newer box and good nic cards the performance should not be an
issue. Even adding QOS with the htb qdisc should be no problem for 1000
simultaneous streams if you set it up right on say a p3 1 gig.

You may want to throw a squid box into your mix if your router/firewall
is say a 486, and don't use a 486 for that :-)

Ted 

