Re: Help with IPTables

From: Benoit <max.maverick#maverick.eu.org>
Date: Mon, 29 Sep 2008 22:03:48 +0200


Marcus Herou wrote:
> Thanks! I think that did it. How do you know the actual size of that
> bastard parameter ?

you could ask your kernel:
sysctl net.nf_conntrack_max

(something like 65536)
>
> Just to be clear I have not enabled conntrack explicitly, comes
> enabled with the kernel I guess. Does not iptables need conntrack ?
iptables needs conntrack when you use any NEW/RELATED/ESTABLISHED rule or the nat table, for instance.
> Anyway since you are the experts in this backyard what FW do you use
> to protect a LB ?

It depends on your needs: if you can cope with stateless firewalling then iptables will do the job fine;
otherwise... well, a little bit of memory and an upgraded nf_conntrack_max and you're done.
>
> Kindly
>
> //Marcus
>
> On Mon, Sep 29, 2008 at 7:43 PM, Patrick Viet <patrick.viet#gmail.com
> <mailto:patrick.viet#gmail.com>> wrote:
>
> deactivate conntrack if you can.
> otherwise,
>
> sysctl -w net.nf_conntrack_max=400000
> should help
>

I think something like 524288 or any power of two is more recommended, IIRC.

>
> (and add net.nf_conntrack_max=400000 to /etc/sysctl.conf)
>
>
> Patrick
>
Received on 2008/09/29 22:03
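Added example, not from any poster in this thread: a small POSIX sh helper that does what the replies above describe (read the current conntrack limit, round it up to a power of two as Benoit suggests, persist it in /etc/sysctl.conf as Patrick suggests) and adds a fullness check. The 80% warning threshold and the use of /proc/sys/net/netfilter/nf_conntrack_count as the live counter are my assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes a Linux box with the
# nf_conntrack module loaded; the sysctl file path is passed in by the caller.

# Round n up to the next power of two (Benoit's point: 400000 -> 524288).
next_pow2() {
    n=$1
    p=1
    while [ "$p" -lt "$n" ]; do
        p=$((p * 2))
    done
    echo "$p"
}

# Given current entry count and the table maximum, print "count/max pct%".
# Returns 1 once usage reaches the (assumed) 80% threshold, i.e. well before
# the kernel starts logging "nf_conntrack: table full, dropping packet".
conntrack_usage() {
    count=$1
    max=$2
    [ "$max" -gt 0 ] || return 2
    pct=$((count * 100 / max))
    echo "$count/$max ${pct}%"
    [ "$pct" -lt 80 ]
}

# Make the limit survive a reboot: replace an existing
# net.nf_conntrack_max line in the given sysctl file, or append one.
persist_conntrack_max() {
    value=$1
    file=$2
    if grep -q '^net.nf_conntrack_max=' "$file" 2>/dev/null; then
        sed -i "s/^net.nf_conntrack_max=.*/net.nf_conntrack_max=$value/" "$file"
    else
        echo "net.nf_conntrack_max=$value" >> "$file"
    fi
}

# Live check, only where the kernel exposes both counters (same values as
# "sysctl net.nf_conntrack_max" in the thread).
if [ -r /proc/sys/net/netfilter/nf_conntrack_count ] && [ -r /proc/sys/net/nf_conntrack_max ]; then
    cur=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
    lim=$(cat /proc/sys/net/nf_conntrack_max)
    conntrack_usage "$cur" "$lim" || echo "warning: conntrack table nearly full" >&2
    echo "suggested power-of-two limit: $(next_pow2 "$lim")"
fi
```

Run it as root to see the live figures; call `persist_conntrack_max 524288 /etc/sysctl.conf` followed by `sysctl -p` to apply the new limit.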

This archive was generated by hypermail 2.2.0 : 2008/09/29 22:16 CEST