[unisog] IPTables as high bandwidth firewall

Orlando Richards orlando.richards at ed.ac.uk
Fri Aug 5 08:25:34 GMT 2005

> -----Original Message-----
> From: unisog-bounces at lists.sans.org 
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Johan van 
> Reijendam
> Sent: 29 July 2005 22:05
> To: unisog at lists.sans.org
> Subject: [unisog] IPTables as high bandwidth firewall
>
> Have any members on this list had any experience using a linux host
> with iptables as a firewall handling and filtering high volume
> traffic? I am in particular interested in the possibility of
> filtering VLAN traffic, traffic shaping and any other features you
> found helpful or not.

We're using iptables to firewall a gigabit link - running on a Dell
Poweredge server (pci-x, etc). No problems getting up to about 95% of
wirespeed on certain tests. If we add in fully loaded snort and ntop
sensors, the available bandwidth drops to around 65% wirespeed. Clever rule
design helps - the single most useful tweak you can do is to stick your
"ESTABLISHED" rules somewhere near the top of your ruleset. We haven't spent
a great deal of effort on optimisation - mainly because the bandwidth we
got "out of the box" was more than we needed. 

We run four ethernet interfaces off the box (external, internal 1, internal
2, management), a mixture of Broadcom and Intel hardware. Internal 1 and
internal 2 are attached to separate networks.

We did do a lab test of firewalling VLAN traffic, and it worked fine and
dandy - we didn't do any bandwidth testing, etc - it was just a proof of
concept test.

We haven't looked at traffic shaping at all, it's just not been necessary so

The main downside is the level of complexity of the system. Not only do you
have to manage the iptables rule scripts, but also the underlying operating
system, any extras you tag on to it, AND the hardware platform. Furthermore
- you don't have the backing of a single company who have built an appliance
with one task in mind - firewalling at high speeds. Consequently, nobody but
you is responsible for getting the thing working, and ensuring that it's
working to the best of its ability. That also means that it can take a while
to set up initially.

Main positives:
Low cost
High performance 
Uses existing skillbase

Main negatives: 
Potential support issues
Initial setup.

Hope that helps!

Dr. Orlando Richards, GCFW
     Computing Officer
     School of Physics
   University of Edinburgh
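
Added example, not part of the original message: a check for the rule-ordering point above (ESTABLISHED rules near the top), run over `iptables-save` output. The sample ruleset is constructed; its interface names (eth0 to eth3), ports and the helper names `established_position` and `check_ruleset` are assumptions.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (assumed layout: eth0 external,
# eth1/eth2 internal, eth3 management). FORWARD has ESTABLISHED last.
sample_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth3 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Print the 1-based position of the first ESTABLISHED accept rule in chain $1
# (0 if the chain has none). Reads iptables-save output on stdin.
established_position() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            n++
            if (!pos && /--(state|ctstate) [A-Z,]*ESTABLISHED/ && /-j ACCEPT/) pos = n
        }
        END { print pos + 0 }'
}

# Report INPUT and FORWARD; return 1 if the rule is missing or sits deeper
# than position $1 (default 2, which leaves room for a loopback rule).
check_ruleset() {
    rules=$(cat); status=0
    for chain in INPUT FORWARD; do
        pos=$(printf '%s\n' "$rules" | established_position "$chain")
        if [ "$pos" -eq 0 ]; then
            echo "$chain: no ESTABLISHED accept rule"; status=1
        elif [ "$pos" -gt "${1:-2}" ]; then
            echo "$chain: ESTABLISHED accept is rule $pos, after $((pos - 1)) other rules"; status=1
        else
            echo "$chain: ESTABLISHED accept is rule $pos"
        fi
    done
    return $status
}

# On a live firewall: iptables-save -t filter | check_ruleset
sample_ruleset | check_ruleset 2 || true
```

On the constructed sample this flags FORWARD, where every packet of an already-open connection is compared against four NEW rules before it reaches the accept.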
