[unisog] IPTables as high bandwidth firewall

Lloyd B. Park lpark at kent.edu
Wed Aug 3 20:08:28 GMT 2005

There are two issues we ran into with iptables.
1.  Connection tracking in IPtables can kill your performance if you are
     in the middle of a worm breakout.  P2P software can also trigger
     the problem.  All the scanning going on creates many connections.
     Each connection needs a hash table entry and creating them and
     destroying them takes time.  If your rule set is small, the solution
     may be to turn off connection tracking.
2.  IPtables rule traversal runs in kernel space and is not correctly
     accounted for in your load averages.  So you can be maxing out your
     system and have a load average of 0.01.  I know someone who had the
     same problem with one of the flavors of BSD.

Johan van Reijendam wrote:
> Have any members on this list had any experience using a linux host with 
> iptables as a firewall handling and filtering high volume traffic? I am 
> in particular interested in the possibility of filtering VLAN traffic, 
> traffic shaping and any other features you found helpful or not.
> Johan
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

Lloyd B. Park         (330) 672-0384
Administrative Services Building
Kent State University
Kent, OH 44242
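The two symptoms Lloyd describes (a conntrack table under pressure, and kernel packet-processing time that never shows up in the load average) can both be measured directly. The script below is an added example, not code from the original post; the /proc paths are the standard Linux ones, the sample /proc/stat lines are constructed, and the NOTRACK rules are only printed, not applied.

```shell
#!/bin/sh
# Added example (not from the original post): check the two iptables symptoms
# described above on a Linux firewall.
#   1. conntrack table pressure: nf_conntrack_count versus nf_conntrack_max
#   2. CPU burned in kernel packet processing (system + irq + softirq), which
#      the load average does not reflect: diff two /proc/stat "cpu" lines.
# Paths are the usual Linux ones; the sample lines below are constructed.

# Integer percentage of the conntrack table in use, given count and max.
conntrack_util_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || { echo 0; return 1; }   # guard against max=0
    echo $(( count * 100 / max ))
}

# Integer percentage of elapsed CPU time spent in the kernel between two
# /proc/stat "cpu" lines.  Field order after the "cpu" label:
#   user nice system idle iowait irq softirq steal
# Netfilter rule traversal and conntrack lookups land in system/softirq,
# which is why a saturated box can still report a load average near zero.
kernel_cpu_pct() {
    printf '%s\n%s\n' "$1" "$2" | awk '
    {
        total = 0
        for (i = 2; i <= NF; i++) total += $i
        t[NR] = total
        k[NR] = $4 + $7 + $8          # system + irq + softirq
    }
    END {
        dt = t[2] - t[1]
        if (dt <= 0) { print 0; exit 1 }
        printf "%d\n", (k[2] - k[1]) * 100 / dt
    }'
}

# Print (do not run) the raw-table rules that exempt one interface from
# connection tracking: the "turn off connection tracking" option for a small,
# stateless rule set.  NOTRACK sits in the raw table, ahead of conntrack.
notrack_rules() {
    iface=$1
    printf 'iptables -t raw -A PREROUTING -i %s -j NOTRACK\n' "$iface"
    printf 'iptables -t raw -A OUTPUT -o %s -j NOTRACK\n' "$iface"
}

# Constructed sample: two readings one second apart at 100 jiffies/s on a
# single-CPU box.  Only 1 jiffy went to user space; 95 went to the kernel.
SAMPLE_BEFORE="cpu  100 0 200 10000 50 10 300 0"
SAMPLE_AFTER="cpu  101 0 205 10004 50 12 388 0"

# Live check when run directly on a Linux host; skipped elsewhere.
if [ -r /proc/sys/net/netfilter/nf_conntrack_count ] && [ -r /proc/stat ]; then
    c=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
    m=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
    echo "conntrack table: $(conntrack_util_pct "$c" "$m")% of $m entries in use"
    a=$(grep '^cpu ' /proc/stat); sleep 1; b=$(grep '^cpu ' /proc/stat)
    echo "kernel CPU over last second: $(kernel_cpu_pct "$a" "$b")%"
fi
```

Run it on the firewall during a scan storm: a conntrack utilization near 100% (with "nf_conntrack: table full" in the kernel log) points at issue 1, and a high kernel CPU percentage alongside a near-zero load average is issue 2. Only apply the printed NOTRACK rules if the rule set has no `-m state`/`-m conntrack` matches, since packets exempted from tracking will never match ESTABLISHED.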