Hi.
Increased the buckets to 250 000 and conntrack_max to 1000 0000.
About the time_wait do you mean setting the net.ipv4.tcp_fin_timeout value ?
I have it set to 30 sec.
The established timeout is that this one
net.netfilter.nf_conntrack_tcp_timeout_established ? I will set it to 43200
(half a day).
Yes I have a few very simple rules in iptables, basically the only reason for iptables is to block all ports (except 80) from the internet and just allow ssh from the NAT:ed lan.
These are my rules, few and simple.
iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -s 192.168.10.0/24 -j ACCEPT iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptablesdenied: " --log-level 7
Perhaps I should drop the second rule about ESTABLISHED since I never login from the internet ? Let's say I do that, how do I then disable conntrack ?
Kindly
//Marcus
Kindly
On Tue, Sep 30, 2008 at 6:39 AM, Willy Tarreau <w#1wt.eu> wrote:
> On Mon, Sep 29, 2008 at 08:26:53PM +0200, Marcus Herou wrote:
> > Thanks! I think that did it. How do you know the actual size of that
> bastard
> > parameter ?
>
> Patrick just increased your actual value a lot :-)
> Consider that one entry consumes about 300 bytes of memory. If your system
> has at least 1 GB of RAM, you can safely go up to 1 million entries.
>
> Don't forget to increase the hashsize (nf_conntrack_buckets). My
> observations
> indicate that it should be about 1/4 of the conntrack_max value for good
> performance.
>
> > Just to be clear I have not enabled conntrack explicitly, comes enabled
> with
> > the kernel I guess. Does not iptables need conntrack ?
>
> No, iptables only needs conntrack if some of your rules rely on the session
> state (eg: -m state --state ESTABLISHED), or if you are using NAT.
>
> You should also reduce your timeouts, they are too large. The time_wait
> timeout
> should be far below (around 30 seconds). It will save you a lot of entries.
> The
> established timeout is set to 5 days, you should lower it, otherwise
> clients
> who suddenly disconnect keep their connection in the firewall for 5 days !
>
> > Anyway since you are the experts in this backyard what FW do you use to
> > protect a LB ?
>
> If you have no other service on you LB, you don't need any firewall in
> front
> of it, since the single purpose of the firewall will be to limit the
> exposed
> services on your LB. And if you still need to filter a little bit (eg:
> source
> addresses), you can write stateless iptables rules.
>
> In fact, many people put the LB before the firewalls to protect the
> firewalls,
> because the Linux TCP stack on a proxy is often more robust than that of a
> firewall ;-)
>
> Regards,
> Willy
>
>
-- Marcus Herou CTO and co-founder Tailsweep AB +46702561312 marcus.herou#tailsweep.com http://www.tailsweep.com/ http://blogg.tailsweep.com/Received on 2008/09/30 07:05
This archive was generated by hypermail 2.2.0 : 2008/09/30 07:18 CEST