  1. #1

    IPTables - Rule Limit / Max Out Limit


    As you can see from the title, I am in a dilemma. This might be a bit of a read, but any help would be greatly appreciated.

    First off, this is all done on one of our Linux CentOS servers. Basically, after the incoming bandwidth to the server exceeds a certain amount (in packets per second), iptables will slowly give up and then render the server completely useless.

    Now, you are probably thinking, ok, well, simple, this is because you have too many iptables rules... that is not correct. At around 200 - 300 iptables rules, and around 200,000 - 300,000 incoming packets per second (UDP), iptables starts giving up! Maybe it's not iptables, but everything starts lagging (like SSH), and sooner or later the server is inaccessible and barely pingable (~50% success rate).

    The other reason could be logging, and I'm sure you probably thought about that too. Not correct; I made sure there are NO logging iptables rules. Makes sense though: if it was trying to log some of these packets, the server would just crash due to all the HDD work (due to the massive amount of packets).

    Just also to add, it is NOT anything to do with the router or network-wise. The connection is over 1000Mbit and is fully dedicated. I made sure of this.

    So really, I am asking a variety of things.

    1. What causes the lag? Is it the HDD being overused? Somehow?
    2. Is there a way to avoid this?

    Any ideas or suggestions would be greatly appreciated. I am sure other people have suffered this issue with the common DDoS attacks, where the issue is not due to bandwidth itself, but packets per second.


  2. #2
    There are many ways to improve iptables, but keep in mind it is software and uses a (slow) linear algorithm. The main limit is your CPU: there will be huge differences if it's running on a 1.5GHz dual core or an i7-975.

    - ipset (quite interesting for those who, like you, have a lot of rules). Whether you have 200 or 2,000+ rules it can give some impressive results. However, it depends on what kind of rules you are using, and of course you will have to patch and compile.
    - conntrack: if you don't use it, disable it, because it eats up a lot of resources.

    But it could also be the right time for you to switch to a hardware firewall.
    However, even before patching/disabling anything, the very first thing I would do is simply ask the kernel what is going on:

    # dmesg | tail -n 30

    It should probably answer most of your questions.

  3. #3

    Thank you for that. I have been looking deeply into ip_conntrack and have come to the configuration file:


    I have been modifying settings in there, increasing settings such as:


    But after applying this setting and trying it out, the issue still occurs.

    The CPU is as follows:

    model name : Intel(R) Xeon(R) CPU E5430 @ 2.66GHz

    And the server has plenty of memory. While checking logs during the attack, CPU / IO / Memory does NOT overload. This is what confuses me the most.

    Maybe I am missing something in the /etc/sysctl.conf, or there is another setting I have to try. Any ideas?
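The following is an added example and is not code from any poster in this thread. It ties together the three things post #2 suggests (read dmesg, collapse the rule list with ipset, keep the UDP flood out of conntrack) and the sysctl tuning post #3 is working on. Everything in it is an assumption for illustration: the blocked networks and the dmesg lines are constructed samples, the UDP port number is a placeholder, the sysctl names are the ip_conntrack ones from CentOS 5-era kernels (newer kernels use net.netfilter.nf_conntrack_*), and the ipset commands use the ipset 6 syntax (ipset 4, which needed the patch-and-compile step post #2 mentions, spelled them `ipset -N name nethash` and `-m set --set name src`). The functions only print the commands; nothing here needs root or touches a live kernel.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates (does not apply)
# the iptables/ipset/sysctl changes that address a UDP packet-per-second
# flood against a ~300-rule iptables ruleset with conntrack enabled.

# Constructed sample: attacker networks to block, one per line (RFC 5737
# documentation addresses, purely hypothetical).
BLOCKLIST="$(cat <<'EOF'
198.51.100.0/24
203.0.113.7
192.0.2.0/25
EOF
)"

# Constructed sample of dmesg output. The "table full" line is the kernel
# telling you conntrack, not the rule count, is what is dropping packets.
DMESG_SAMPLE="$(cat <<'EOF'
ip_conntrack: table full, dropping packet.
ip_conntrack: table full, dropping packet.
e1000: eth0: e1000_watchdog: NIC Link is Up 1000 Mbps Full Duplex
EOF
)"

# 1. Diagnose: count conntrack "table full" messages in a dmesg capture.
#    Matches both the old ip_conntrack and the newer nf_conntrack wording.
count_conntrack_full() {
    printf '%s\n' "$1" | grep -c 'conntrack: table full' || true
}

# 2. Collapse N per-network DROP rules into one set lookup. iptables walks
#    rules linearly per packet; ipset's hash:net is one lookup regardless of
#    how many networks are in the set.
#    $1 = newline-separated networks, $2 = set name
gen_ipset_rules() {
    set_name="$2"
    printf 'ipset create %s hash:net\n' "$set_name"
    printf '%s\n' "$1" | while read -r net; do
        [ -n "$net" ] || continue
        printf 'ipset add %s %s\n' "$set_name" "$net"
    done
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$set_name"
}

# 3. Keep the flood out of conntrack. Packets marked NOTRACK in the raw
#    table never get a conntrack entry, so the table cannot fill from them
#    and each packet skips the hash insert. $1 = attacked UDP port (assumed).
gen_notrack_rules() {
    printf 'iptables -t raw -A PREROUTING -p udp --dport %s -j NOTRACK\n' "$1"
    printf 'iptables -t raw -A OUTPUT -p udp --sport %s -j NOTRACK\n' "$1"
}

# 4. If conntrack must stay on for that traffic, size the table for the
#    flood and expire UDP entries quickly. Values are illustrative; each
#    entry costs a few hundred bytes, so 1M entries is a few hundred MB.
#    Note the hash bucket count is a module parameter
#    (/sys/module/ip_conntrack/parameters/hashsize), not a sysctl.
gen_sysctl() {
    cat <<'EOF'
net.ipv4.netfilter.ip_conntrack_max = 1048576
net.ipv4.netfilter.ip_conntrack_udp_timeout = 10
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 30
EOF
}

# Stand-alone run: print the diagnosis and the generated configuration.
echo "conntrack table-full messages: $(count_conntrack_full "$DMESG_SAMPLE")"
gen_ipset_rules "$BLOCKLIST" blocklist
gen_notrack_rules 53
gen_sysctl
```

Run it as-is to see what would be applied; pipe the output of `gen_ipset_rules`, `gen_notrack_rules` and `gen_sysctl` into `sh`, `sh` and `/etc/sysctl.conf` respectively only once you have confirmed with `dmesg` that the "table full" message is actually appearing, since the NOTRACK rule also disables stateful matching (`-m state`) for that port.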

