Re: Help with IPTables

From: Marcus Herou <>
Date: Tue, 30 Sep 2008 07:05:12 +0200


Increased the buckets to 250 000 and conntrack_max to 1000 0000.

About the time_wait, do you mean setting the net.ipv4.tcp_fin_timeout value? I have it set to 30 sec.
The established timeout, is that this one: net.netfilter.nf_conntrack_tcp_timeout_established? I will set it to 43200 (half a day).

Yes, I have a few very simple rules in iptables; basically the only reason for iptables is to block all ports (except 80) from the internet and just allow ssh from the NATed LAN.

These are my rules, few and simple.

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s -j ACCEPT    # the LAN source address is missing from the archived message
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -j DROP -i eth1

Perhaps I should drop the second rule about ESTABLISHED, since I never log in from the internet? Let's say I do that; how do I then disable conntrack?




On Tue, Sep 30, 2008 at 6:39 AM, Willy Tarreau <> wrote:

> On Mon, Sep 29, 2008 at 08:26:53PM +0200, Marcus Herou wrote:
> > Thanks! I think that did it. How do you know the actual size of that bastard parameter?
>
> Patrick just increased your actual value a lot :-)
> Consider that one entry consumes about 300 bytes of memory. If your system has at least 1 GB of RAM, you can safely go up to 1 million entries. Don't forget to increase the hashsize (nf_conntrack_buckets). My observations indicate that it should be about 1/4 of the conntrack_max value for good performance.
>
> > Just to be clear I have not enabled conntrack explicitly, comes enabled with the kernel I guess. Does not iptables need conntrack?
>
> No, iptables only needs conntrack if some of your rules rely on the session state (eg: -m state --state ESTABLISHED), or if you are using NAT.
> You should also reduce your timeouts, they are too large. The time_wait timeout should be far below (around 30 seconds). It will save you a lot of entries. The established timeout is set to 5 days, you should lower it, otherwise clients who suddenly disconnect keep their connection in the firewall for 5 days!
>
> > Anyway since you are the experts in this backyard what FW do you use to protect a LB?
>
> If you have no other service on your LB, you don't need any firewall in front of it, since the single purpose of the firewall will be to limit the exposed services on your LB. And if you still need to filter a little bit (eg: source addresses), you can write stateless iptables rules.
> In fact, many people put the LB before the firewalls to protect the firewalls, because the Linux TCP stack on a proxy is often more robust than that of a firewall ;-)
>
> Regards,
> Willy

Marcus Herou CTO and co-founder Tailsweep AB
Received on 2008/09/30 07:05
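Added example (editor's code, not from either poster): it turns Willy's sizing rule of thumb (about 300 bytes per conntrack entry, hashsize around a quarter of nf_conntrack_max) into a calculation, prints the matching sysctl lines, and emits the stateless INPUT ruleset Willy alludes to, which is what answers Marcus's "how do I then disable conntrack" once the ESTABLISHED rule is gone. Assumptions: the internet-facing interface is eth1 (from the posted DROP rule), the LAN prefix is a parameter because the archive stripped the real address, the 300-byte figure is Willy's approximation rather than a measurement, and the conntrack timer Willy calls "time_wait" is net.netfilter.nf_conntrack_tcp_timeout_time_wait, which is separate from the net.ipv4.tcp_fin_timeout Marcus mentions. Nothing in the block touches the kernel; every function only prints what would be applied as root.

```shell
#!/bin/sh
# Editor's example, not code from the thread. Sizes the conntrack table with
# Willy's rule of thumb and emits a stateless INPUT policy that needs no conntrack.

# Memory held by a full conntrack table, in MiB, at ~300 bytes/entry
# (Willy's estimate, not a measurement for any particular kernel).
conntrack_table_mib() {
    echo $(( $1 * 300 / 1048576 ))
}

# Hash table size: about a quarter of nf_conntrack_max, per Willy's observation.
recommended_buckets() {
    echo $(( $1 / 4 ))
}

# Stateful variant: keep the ESTABLISHED,RELATED rule but bound the table.
# nf_conntrack_tcp_timeout_time_wait is conntrack's own TIME_WAIT timer; it is
# not net.ipv4.tcp_fin_timeout, which only affects the host's own sockets.
conntrack_sysctls() {
    max=$1
    cat <<EOF
net.netfilter.nf_conntrack_max = $max
net.netfilter.nf_conntrack_tcp_timeout_established = 43200
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30
EOF
    # hashsize is a module parameter, not a sysctl
    echo "echo $(recommended_buckets "$max") > /sys/module/nf_conntrack/parameters/hashsize"
}

# Stateless INPUT policy. $1 = internet-facing interface (eth1 in the thread),
# $2 = LAN prefix allowed in (assumed value; the real one is missing from the archive).
stateless_input_rules() {
    wan_if=$1
    lan_net=$2
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
# the one exposed service; accepted before LOG so it is not logged as "denied"
iptables -A INPUT -i $wan_if -p tcp --dport 80 -j ACCEPT
# stateless stand-in for ESTABLISHED: replies to connections the LB opened itself
# (to backends, DNS over TCP) are never bare SYNs, so let non-SYN TCP through.
# Unsolicited non-SYN packets (ACK scans) also get through; that is the price
# of not tracking state.
iptables -A INPUT -p tcp ! --syn -j ACCEPT
# everything from the NATed LAN, as in the original rule set
iptables -A INPUT -s $lan_net -j ACCEPT
iptables -A INPUT -i $wan_if -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A INPUT -i $wan_if -j DROP
# no rule matches on state any more, so tell netfilter to stop tracking at all;
# after this the nf_conntrack modules can be unloaded with modprobe -r.
iptables -t raw -A PREROUTING -j NOTRACK
iptables -t raw -A OUTPUT -j NOTRACK
EOF
}

# Usage (prints only):
#   conntrack_table_mib 1000000
#   conntrack_sysctls 1000000
#   stateless_input_rules eth1 192.168.0.0/24
```

Two caveats when going stateless this way: the `-m state` rule itself is what pulls the conntrack modules in, so it has to be removed before the NOTRACK rules make any difference, and UDP replies the LB solicits over the internet interface (a resolver reached via eth1, for instance) now hit the DROP rule and need their own explicit accept, since nothing remembers the outgoing query.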

This archive was generated by hypermail 2.2.0 : 2008/09/30 07:18 CEST