Answer the question
In order to leave comments, you need to log in
A
A
Anton B2016-02-03 09:57:53
Anton B, 2016-02-03 09:57:53
What is the best way to configure iptables in terms of performance?
Hello!
MySQL and Redis are running on a dedicated server, you need to allow access to them from trusted IPs.
My rules:
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
iptables -A INPUT -s x.x.x.x -p tcp -m state --state NEW --dport 3306 -j ACCEPT
iptables -A INPUT -s x.x.x.x -p tcp -m state --state NEW --dport 6379 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROPDuring rush hour, a large number of errors of the form fall into the syslog:
Feb 2 22:03:04 cache kernel: [595850.616259] nf_conntrack: table full, dropping packet
Feb 2 22:03:09 cache kernel: [595855.555346] net_ratelimit: 806 callbacks suppressedThis kind of error is recommended to be treated as follows:
echo "net.netfilter.nf_conntrack_max=1048576" >> /etc/sysctl.conf
sysctl -pQuestions:
1. If trusted IPs are allowed access to all ports and the --state ESTABLISHED,RELATED rule is removed, then nf_conntrack will not be used and there will be no table overflow errors?
2. Despite setting net.netfilter.nf_conntrack_max=1048576, after rebooting the server, the parameter takes the initial value of 65536, how to avoid this?
3. What additions to my iptables rules should I make?
Thanks for answers!
3 answer(s)
@bigton
In /etc/rc.local before exit 0 add the lines
Thus, we increase the maximum number of monitored connections to 1048576, ask you not to track connections for which there were no packets for an hour (3600), increase the size of the hash table according to the principle 1048576 / 4 = 262144, and make it all work after the server is rebooted.
arheops suggested disabling connection control altogether, this would increase performance, but on the current load I don't need it yet. But there is such a possibility.
@chupasaurus
3. Reduce connection timeouts (list
@archeops
A
Anton B, 2016-02-03 @bigton
Thanks for the help chupasaurus and arheops .
To avoid errors, you need to add the lines to /etc/sysctl.conf
net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_tcp_timeout_established = 3600In /etc/rc.local before exit 0 add the lines
echo 262144 > /sys/module/nf_conntrack/parameters/hashsize
sysctl -pThus, we increase the maximum number of monitored connections to 1048576, ask you not to track connections for which there were no packets for an hour (3600), increase the size of the hash table according to the principle 1048576 / 4 = 262144, and make it all work after the server is rebooted.
arheops suggested disabling connection control altogether, this would increase performance, but on the current load I don't need it yet. But there is such a possibility.
C
chupasaurus, 2016-02-03 @chupasaurus
1. No, netfilter is used by iptables anyway.
2. Add
echo 262144 > /sys/module/nf_conntrack/parameters/hashsize3. Reduce connection timeouts (list
# sysctl -a | grep conntrack | grep timeout), but you need to look at what netfilter clogs with.
A
archeops, 2016-02-03 @archeops
you have this error occurs on the second rule. accordingly, if you have only mysql and redis on this server, then to speed up you just need to enable them BEFORE this rule like this.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s xxxx -m tcp -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -s xxxx -m tcp -p tcp --dport 6379 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
Similar questions
N
E
E
G
R
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question