iptables performance impact

From: Angelo Höngens <A.Hongens#netmatch.nl>
Date: Tue, 13 Jul 2010 12:56:21 +0000

Hey, does anyone have an idea how iptables impacts network performance? (on CentOS 5.5 x64 for example).

I've got haproxy running on quite some FreeBSD machines for quite a while now, and I'm very happy with it. We have quite some different setups (directly on the net, behind cisco firewall in dmz, with host firewall, without, etc). Now we're slowly moving from FreeBSD to CentOS, and by default iptables is enabled.

On our FreeBSD machines that are directly connected to the net, we have a public interface with services only listening on port 80, and an internal interface for stats access, ssh and snmp. But we have some new machines on which we only want to use a single public interface. We'd use iptables to allow only trusted IPs to connect to management services.

What are your real-life experiences? Do you have iptables enabled on your balancers? Normally I would do stress tests, but somehow my stress tests never simulate real-world behavior with a mix of tens of thousands of slow and fast clients, etc.

By the way, some of our balancers do > 100 Mbit and > 2000 req/s.

If anyone has any best practices concerning this subject, I'd be glad to hear it as well.


With kind regards,
Angelo Höngens
Systems Administrator

NetMatch tourism internet software solutions
Ringbaan Oost 2b
5013 CA Tilburg
T: +31 (0)13 5811088
F: +31 (0)13 5821239
mailto:A.Hongens#netmatch.nl
http://www.netmatch.nl
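The single-public-interface setup described above (port 80 open to everyone, ssh/stats/snmp only from trusted addresses) as an added example; this is not code from the post or from the haproxy project. The interface name `eth0`, the haproxy stats port 8080 and the trusted networks (RFC 5737 documentation ranges) are assumptions, and the script only generates `iptables-restore` input unless run with `--apply`. The ordering is the part that matters for throughput: the `ESTABLISHED,RELATED` rule sits first so that almost every packet of an accepted flow matches one rule instead of walking the chain. `-m state` is used because that is the match available on the CentOS 5 kernel mentioned in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Generates an iptables-restore
# ruleset for a balancer with one public interface:
#   - tcp/80 accepted from anywhere (the haproxy frontend)
#   - management ports accepted only from TRUSTED_NETS
#   - default policy DROP, rate-limited logging of what is dropped
# Rule order is deliberate: conntrack ESTABLISHED/RELATED first, so the bulk
# of packets on accepted connections match a single rule.
# All names, ports and networks below are assumptions / constructed values.

PUBLIC_IF="${PUBLIC_IF:-eth0}"                              # assumed interface
TRUSTED_NETS="${TRUSTED_NETS:-192.0.2.0/24 198.51.100.7}"  # constructed, RFC 5737 ranges
MGMT_TCP_PORTS="${MGMT_TCP_PORTS:-22 8080}"                 # ssh, assumed haproxy stats port
MGMT_UDP_PORTS="${MGMT_UDP_PORTS:-161}"                     # snmp

# Emit the ruleset in iptables-restore format on stdout.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $PUBLIC_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
EOF
    # Management services: one rule per trusted source and port.
    for net in $TRUSTED_NETS; do
        for port in $MGMT_TCP_PORTS; do
            echo "-A INPUT -i $PUBLIC_IF -s $net -p tcp --dport $port -m state --state NEW -j ACCEPT"
        done
        for port in $MGMT_UDP_PORTS; do
            echo "-A INPUT -i $PUBLIC_IF -s $net -p udp --dport $port -j ACCEPT"
        done
    done
    cat <<EOF
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -m limit --limit 2/min -j LOG --log-prefix "INPUT drop: "
COMMIT
EOF
}

# Line number of the first rule matching a pattern; used to check ordering.
rule_position() {
    gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

case "${1:-}" in
    --apply) gen_rules | iptables-restore ;;   # load atomically; then 'service iptables save'
    *)       gen_rules ;;                       # dry run: print the ruleset
esac
```

After loading, `iptables -L INPUT -v -n` shows per-rule packet counters; on a busy balancer the `ESTABLISHED,RELATED` line should carry almost all of the hits, which is the quick way to confirm the chain is not being walked for every packet.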
Received on 2010/07/13 14:56
