* Comments and questions about tuning IPTables for high volume
@ 2003-12-17 14:58 Pete Davis
2003-12-17 15:06 ` Chris Brenton
0 siblings, 1 reply; 2+ messages in thread
From: Pete Davis @ 2003-12-17 14:58 UTC (permalink / raw)
To: netfilter
I have tuned my IPTables box running Red Hat 9 on a dual 1GHz box with
1GB and RAID1 SCSI160 (2x36GB). It is acting as a temporary replacement
(to test throughput/prove the proxy is a bottleneck) for our proxy but
it is NOT doing anything other than routing with a few firewall rules to
block ICMPs and UDP Microsoft ports (lingering Nachi infections). Here
are the parameters I have tuned and other pertinent settings:
ulimit -n 8192
/proc/sys/fs/file-max 104851
/proc/sys/net/ipv4/ip_conntrack_max 65528
sysctl (not sure exactly what they mean, but these were the defaults...
anyone have explanations for them?):
net.ipv4.tcp_wmem = 4096 16384 131072
net.core.wmem_default = 65535
net.core.wmem_max = 131071
(the rmem settings are the same)
I have seen up to 9700 connections in ip_conntrack with 95%+ being HTTP
connections. The CPU never goes above 5%. It has 800MB+ free.
Questions:
1) Any suggestions on other tuning? It is just a packet processor
(router) with a few rules... less than 20 total. It is protected by a
firewall so I don't need rule tuning/suggestions just throughput
suggestions. It is servicing 6000+ desktops on an uncapped DS3
(normally capped at 15Mb/s but uncapped for testing by the ISP).
2) I tuned sysctl for things like source routing, ICMP echo broadcast,
martians, etc. I turned on syncookies also. Any sysctl things I may
have missed for an IPTables firewall?
3) I have tuned the max number of open files and file descriptors but a
cat /proc/sys/fs/file-nr says "240 67 104851", or close to it (not much
being used). When I do a "lsof | wc -l", I get a number between 300 and
390. Question: I thought that each connection took one or more file
descriptors? (I might be confusing it with FreeBSD, which I also use).
I thought the max number of open files was necessary for an IPTables
firewall/'router' also, correct??
4) When I do a 'vmstat', I see the number of interrupts steadily
climbing up (under 'system' the column labeled 'in'). Once it gets near
300-350, it goes back to zero. It doesn't seem to be tied to the number
of connections or any other statistic I can find. I suspect the
interrupts are related to the NIC. Any ideas what might be going on?
Is this even a concern based on the purpose/performance of the box (It
has gotten up to 21Mb/s to the internet).
BTW, thanks to all for the help on the syslogd problem. It was set up
correctly and 'started' working some time between Thursday night and
Monday morning... I have no idea why it took a few hours to kick it but
thanks to all anyway.
Pete
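As an added example (not part of the thread and not Pete's own setup), the POSIX sh script below audits the /proc/sys knobs this message asks about: the hardening sysctls (syncookies, source routing, ICMP broadcast echo, martians, plus rp_filter and the redirect settings), conntrack headroom against ip_conntrack_max, and the tcp_wmem triple with its three fields labelled. It uses the 2.4-era sysctl paths the message uses; on 2.6+ kernels the conntrack counters live under net/netfilter/nf_conntrack_* instead (assumption, adjust BASELINE and conntrack_usage accordingly). Every function takes a ROOT directory so it can run against the live box ("/") or against the constructed sample tree built by make_sample_tree, which is invented data and not captured from the poster's machine.

```shell
#!/bin/sh
# Audit an iptables router's /proc/sys tuning against the settings named in
# the thread (syncookies, source routing, ICMP broadcast echo, martians,
# conntrack headroom, the tcp_wmem triple).  Added example, not the poster's
# script.  Every function takes ROOT, the directory holding the proc tree to
# inspect: "/" for the live box, or a constructed copy (make_sample_tree
# below) so the checks can be exercised offline.

# key|expected.  2.4-era names as in the thread; on 2.6+ kernels conntrack
# moved to net/netfilter/nf_conntrack_{max,count} (assumption: adjust there).
BASELINE='
net/ipv4/ip_forward|1
net/ipv4/tcp_syncookies|1
net/ipv4/icmp_echo_ignore_broadcasts|1
net/ipv4/conf/all/accept_source_route|0
net/ipv4/conf/all/accept_redirects|0
net/ipv4/conf/all/send_redirects|0
net/ipv4/conf/all/rp_filter|1
net/ipv4/conf/all/log_martians|1
'

# read_sysctl ROOT KEY: print the value of $ROOT/proc/sys/KEY, or "missing".
read_sysctl() {
    f="$1/proc/sys/$2"
    if [ -r "$f" ]; then tr -d '\n' < "$f"; else printf 'missing'; fi
}

# audit_sysctl ROOT: one line per baseline key, marked ok or FIX.
audit_sysctl() {
    for entry in $BASELINE; do
        key=${entry%%|*}; want=${entry#*|}
        have=$(read_sysctl "$1" "$key")
        [ "$have" = "$want" ] && state=ok || state=FIX
        printf '%-42s want=%s have=%s %s\n' "$key" "$want" "$have" "$state"
    done
}

# count_deviations ROOT: number of baseline keys not at their expected value.
count_deviations() {
    audit_sysctl "$1" | awk '/ FIX$/ { n++ } END { print n + 0 }'
}

# conntrack_usage ROOT: print "count max percent".  Conntrack entries live in
# kernel memory, not in file descriptors, which is why file-nr and lsof stay
# small on a pure router even with ~10k tracked flows; ip_conntrack_max is
# the limit that matters.  Falls back to counting /proc/net/ip_conntrack
# lines when the count sysctl is not present.
conntrack_usage() {
    max=$(read_sysctl "$1" net/ipv4/ip_conntrack_max)
    count=$(read_sysctl "$1" net/ipv4/netfilter/ip_conntrack_count)
    if [ "$count" = missing ] && [ -r "$1/proc/net/ip_conntrack" ]; then
        count=$(wc -l < "$1/proc/net/ip_conntrack" | tr -d ' ')
    fi
    if [ "$max" = missing ] || [ "$count" = missing ]; then
        echo "conntrack not available"; return 0
    fi
    printf '%s %s %s\n' "$count" "$max" "$((count * 100 / max))"
}

# show_tcp_wmem ROOT: label the three fields of net.ipv4.tcp_wmem.  They are
# the per-socket TCP send buffer in bytes: the floor, the initial size, and
# the ceiling the kernel may autotune up to.  net.core.wmem_max separately
# caps what an application may request with SO_SNDBUF.  (tcp_rmem is the
# same triple for the receive side.)
show_tcp_wmem() {
    set -- $(read_sysctl "$1" net/ipv4/tcp_wmem)
    printf 'tcp_wmem min=%s default=%s max=%s\n' "$1" "$2" "$3"
}

# make_sample_tree: constructed /proc copy (invented, not captured from the
# poster's box): syncookies on and source routing off, but rp_filter and
# log_martians still 0, and the conntrack table 80% full.  Prints its path.
make_sample_tree() {
    r=$(mktemp -d)
    mkdir -p "$r/proc/sys/net/ipv4/conf/all" "$r/proc/sys/net/ipv4/netfilter"
    put() { printf '%s\n' "$2" > "$r/proc/sys/$1"; }
    put net/ipv4/ip_forward 1
    put net/ipv4/tcp_syncookies 1
    put net/ipv4/icmp_echo_ignore_broadcasts 1
    put net/ipv4/conf/all/accept_source_route 0
    put net/ipv4/conf/all/accept_redirects 0
    put net/ipv4/conf/all/send_redirects 0
    put net/ipv4/conf/all/rp_filter 0
    put net/ipv4/conf/all/log_martians 0
    put net/ipv4/ip_conntrack_max 65528
    put net/ipv4/netfilter/ip_conntrack_count 52424
    put net/ipv4/tcp_wmem "$(printf '4096\t16384\t131072')"
    echo "$r"
}

# Usage: sh audit.sh --live   (audit the running box)
#        sh audit.sh          (run against the constructed sample tree)
if [ "${1:-}" = "--live" ]; then
    root=/
else
    root=$(make_sample_tree)
fi
audit_sysctl "$root"
echo "deviations: $(count_deviations "$root")"
echo "conntrack: $(conntrack_usage "$root")"
show_tcp_wmem "$root"
[ "$root" = / ] || rm -rf "$root"
```

Run it with --live on the router itself to get a one-screen picture of which hardening sysctls are still at their defaults and how close the conntrack table is to ip_conntrack_max; anything reported as FIX can be set with sysctl -w or in /etc/sysctl.conf. The conntrack line is the number to watch under load: once count approaches max, new flows are dropped regardless of how much CPU and RAM are idle.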