From: "Pete Davis" <peted@springisd.org>
To: netfilter@lists.netfilter.org
Subject: Comments and questions about tuning IPTables for high volume
Date: Wed, 17 Dec 2003 08:58:02 -0600
Message-ID: <sfe01aa8.008@gwadmin.springisd.org>

I have tuned my IPTables box running Redhat 9 on a dual 1ghz box with
1GB and raid1 scsi160 (2x36gb).  It is acting as a temporary replacement
(to test throughput/prove the proxy is a bottleneck) for our proxy but
it is NOT doing anything other than routing with a few firewall rules to
block ICMPs and UDP Microsoft ports (lingering Nachi infections). Here
are the parameters I have tuned and other pertinent settings:
ulimit -n 8192
/proc/sys/fs/file-max 104851
/proc/sys/net/ipv4/ip_conntrack_max 65528

sysctl (not sure exactly what they mean but these were the defaults...
anyone have explanations for them?):
net.ipv4.tcp_wmem = 4096 16384 131072
net.core.wmem_default = 65535
net.core.wmem_max = 131071
(the rmem settings are the same)

I have seen up to 9700 connections in ip_conntrack with 95%+ being HTTP
connections.  The CPU never goes above 5%.  It has 800mb+ free.

Questions:
1) Any suggestions on other tuning?  It is just a packet processor
(router) with a few rules... less than 20 total.  It is protected by a
firewall so I don't need rule tuning/suggestions just throughput
suggestions.  It is servicing 6000+ desktops on an uncapped ds3
(normally capped at 15mb/s but uncapped for testing by the ISP).

2) I tuned sysctl for things like source routing, ICMP echo broadcast,
martians, etc.  I turned on syncookies also.  Any sysctl things I may
have missed for an IPTables firewall?

3) I have tuned the max number of open files and file descriptors but a
cat /proc/sys/fs/file-nr says "240 67 104851", or close to it (not much
being used).  When I do a "lsof | wc -l", I get a number between 300 and
390.  Question:  I thought that each connection took one or more file
descriptors? (I might be confusing it with FreeBSD, which I also use). 
I thought the max number of open files was necessary for an IPTables
firewall/'router' also, correct??

4)  When I do a 'vmstat', I see the number of interrupts steadily
climbing up (under 'system' the column labeled 'in').  Once it gets near
300-350, it goes back to zero.  It doesn't seem to be tied to the number
of connections or any other statistic I can find.  I suspect the
interrupts are related to the NIC.  Any ideas what might be going on? 
Is this even a concern based on the purpose/performance of the box (it
has gotten up to 21mb/s to the internet)?

BTW, thanks to all for the help on the syslogd problem.  It was set up
correctly and 'started' working some time between Thursday night and
Monday morning... I have no idea why it took a few hours to kick it but
thanks to all anyway.

Pete
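As an added example, not part of Pete's message or of the netfilter project: a small Python check that reads the two counters the post discusses, the conntrack table and /proc/sys/fs/file-nr, and reports how much headroom each has against its configured maximum. The file paths, the 80% warning threshold and the sample file contents below are assumptions or constructed data; on a 2.4-era box the table is /proc/net/ip_conntrack with ip_conntrack_max, on current kernels it is /proc/net/nf_conntrack with /proc/sys/net/netfilter/nf_conntrack_max. The three fields of file-nr are allocated handles, allocated-but-unused handles and the maximum; conntrack entries are kernel memory objects rather than file handles, so the table is bounded by ip_conntrack_max, not by file-max, which is why file-nr stays low on a box that only routes.

```python
"""Headroom check for conntrack and file-handle counters (example code).

Paths, thresholds and the sample contents are assumptions; they are not
taken from the original post or from any netfilter tool.
"""
from collections import Counter
from pathlib import Path

# Constructed sample of /proc/sys/fs/file-nr: allocated, unused, maximum.
SAMPLE_FILE_NR = "240\t67\t104851\n"

# Constructed sample in the /proc/net/ip_conntrack line format of the
# 2.4 era (protocol, protocol number, timeout, [tcp state], tuples ...).
SAMPLE_CONNTRACK = (
    "tcp      6 431999 ESTABLISHED src=10.1.2.3 dst=192.0.2.10 sport=1234 "
    "dport=80 src=192.0.2.10 dst=10.1.2.3 sport=80 dport=1234 [ASSURED] use=1\n"
    "tcp      6 117 TIME_WAIT src=10.1.2.4 dst=192.0.2.11 sport=1235 "
    "dport=80 src=192.0.2.11 dst=10.1.2.4 sport=80 dport=1235 [ASSURED] use=1\n"
    "udp      17 29 src=10.1.2.5 dst=10.1.1.1 sport=1040 dport=53 "
    "src=10.1.1.1 dst=10.1.2.5 sport=53 dport=1040 use=1\n"
)

WARN_RATIO = 0.8  # assumed threshold: warn at 80% of the configured maximum


def parse_file_nr(text):
    """Split the three file-nr fields and derive handles actually in use."""
    allocated, unused, maximum = (int(f) for f in text.split()[:3])
    return {
        "allocated": allocated,
        "unused": unused,
        "maximum": maximum,
        "in_use": allocated - unused,
    }


def conntrack_stats(text):
    """Count table entries, per protocol and (for TCP) per state."""
    by_proto = Counter()
    tcp_states = Counter()
    total = 0
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        total += 1
        proto = fields[0]
        by_proto[proto] += 1
        if proto == "tcp":
            tcp_states[fields[3]] += 1  # state follows the timeout field
    return {"total": total, "by_proto": dict(by_proto), "tcp_states": dict(tcp_states)}


def headroom(count, maximum):
    """Fraction of the configured maximum currently occupied."""
    return count / maximum if maximum else 1.0


def assess(count, maximum, warn=WARN_RATIO):
    """'ok' below the threshold, 'warn' at or above it, 'full' at the cap."""
    ratio = headroom(count, maximum)
    if count >= maximum:
        return "full"
    return "warn" if ratio >= warn else "ok"


def check_box(conntrack_path, conntrack_max_path, file_nr_path):
    """Read the live counters from a box and return one report dict."""
    table = conntrack_stats(Path(conntrack_path).read_text())
    ct_max = int(Path(conntrack_max_path).read_text().split()[0])
    files = parse_file_nr(Path(file_nr_path).read_text())
    return {
        "conntrack": {"count": table["total"], "max": ct_max,
                      "state": assess(table["total"], ct_max)},
        "files": {"in_use": files["in_use"], "max": files["maximum"],
                  "state": assess(files["in_use"], files["maximum"])},
    }


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; on a real box call
    # check_box("/proc/net/nf_conntrack",
    #           "/proc/sys/net/netfilter/nf_conntrack_max",
    #           "/proc/sys/fs/file-nr") instead.
    print(parse_file_nr(SAMPLE_FILE_NR))
    print(conntrack_stats(SAMPLE_CONNTRACK))
    # The post's own figures: 9700 entries against ip_conntrack_max 65528.
    print("conntrack %.1f%% used -> %s" % (100 * headroom(9700, 65528),
                                            assess(9700, 65528)))
```

The assess() verdict is what you would feed into a cron job or a monitoring check; the interesting moment for a box like the one described is when the table approaches ip_conntrack_max, because new flows are then dropped and the symptom looks like an intermittent outage rather than a full one.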


Thread overview: 2+ messages
2003-12-17 14:58 Pete Davis [this message]
2003-12-17 15:06 ` Comments and questions about tuning IPTables for high volume Chris Brenton