The High Performance
We now get to the really important part of this howto.
In our effort to get a really large number of hosts routed through our machine, we missed some things:
- We forgot that it is just one NIC facing potentially more than 8000 MAC addresses. The card's shared memory is not prepared for this!
- By default, iptables is not prepared to handle this number of simultaneous connections!
So...
On the first issue... I got some error messages in the logs related to this; I'm really sorry, I lost those logs and don't remember what they said. But the answer is this: increase the memory thresholds for the neighbour table. Type this and read:
# cat /proc/sys/net/ipv4/neigh/default/gc_thresh1
128
# cat /proc/sys/net/ipv4/neigh/default/gc_thresh2
512
# cat /proc/sys/net/ipv4/neigh/default/gc_thresh3
1024
Next you can put this in /etc/sysctl.conf:
net.ipv4.neigh.default.gc_thresh1 = 512
net.ipv4.neigh.default.gc_thresh2 = 1024
net.ipv4.neigh.default.gc_thresh3 = 2048
and run sysctl -p to double the thresholds (no reboot needed). With this I get no errors!
The next part needs some understanding of buckets, conntracks and hashsize (the way iptables manages NAT connections). There is a very good document about this
here. Read it! Some things have changed since iptables became known as Netfilter.
In summary! Put this in your modules section:
MODULES=(8021q 'nf_conntrack hashsize=1048576' nf_conntrack_ftp
...and other nf_stuff .......)
The last ones are just to avoid some problems we had with FTP connections (I think this is not necessary anymore). The 'nf_conntrack hashsize=1048576' increases the hashsize (increases the kernel memory dedicated to tracking NAT connections); this needs a reboot or a module reload :-) check it with dmesg | grep conntrack.
And next, put something similar in the /etc/sysctl.conf file:
...
net.netfilter.nf_conntrack_max = 1048576
...
And run the sysctl -p command.
In my case it is the same number, which means I have 1 connection per bucket! I don't need more! By default Netfilter uses a ratio of 1:8, i.e. 8 connections per bucket! (I think, I don't remember well)..
In our case we get about 600,000 simultaneous connections on 2 1-Gigabit NICs. You can see this with the following command:
# cat /proc/sys/net/netfilter/nf_conntrack_count
And put this in an snmpd agent to collect it and graph it on an MRTG/Cacti server..... uuuuuuu, homework.
A sample
here. (Not updated, not even here yet, but I'll try.)
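The counter check left as homework above, as an added example that is not part of this howto: a small POSIX sh script that compares nf_conntrack_count against nf_conntrack_max and the IPv4 neighbour entries against gc_thresh3, and warns when either passes a percentage of its limit. ROOT and NEIGH_COUNT are assumed override hooks (not kernel or tool interfaces) so it can be run against a constructed /proc tree; leave them unset on the router.

```shell
#!/bin/sh
# Added example, not from the original howto: report how full the two tables
# tuned above are (conntrack vs nf_conntrack_max, neighbours vs gc_thresh3)
# and warn before the router starts losing state. ROOT and NEIGH_COUNT are
# assumed override hooks for testing against a constructed /proc tree.

# read_val FILE: print the integer in ${ROOT}FILE, or 0 if it is unreadable.
read_val() {
    if [ -r "${ROOT:-}$1" ]; then cat "${ROOT:-}$1"; else echo 0; fi
}

# usage_pct USED MAX: integer percentage USED*100/MAX, or 0 when MAX is 0.
usage_pct() {
    if [ "$2" -gt 0 ]; then echo $(( $1 * 100 / $2 )); else echo 0; fi
}

# check_limit NAME USED MAX WARN_PCT: print a status line;
# returns 0 below WARN_PCT, 1 at or above it.
check_limit() {
    pct=$(usage_pct "$2" "$3")
    if [ "$pct" -ge "$4" ]; then echo "WARN $1: $2 / $3 ($pct%)"; return 1; fi
    echo "OK   $1: $2 / $3 ($pct%)"
}

# check_conntrack WARN_PCT: tracked flows against nf_conntrack_max; once the
# table is full the kernel drops new flows ("nf_conntrack: table full").
check_conntrack() {
    check_limit conntrack \
        "$(read_val /proc/sys/net/netfilter/nf_conntrack_count)" \
        "$(read_val /proc/sys/net/netfilter/nf_conntrack_max)" "$1"
}

# check_neigh WARN_PCT: IPv4 neighbour (ARP) entries against gc_thresh3, the
# hard cap; the line count of 'ip -4 neigh' is a close-enough entry count.
check_neigh() {
    count="${NEIGH_COUNT:-$(ip -4 neigh 2>/dev/null | wc -l | tr -d ' ')}"
    check_limit neigh "$count" \
        "$(read_val /proc/sys/net/ipv4/neigh/default/gc_thresh3)" "$1"
}

# nat_check WARN_PCT: run both checks; the return value is the warning count.
nat_check() {
    n=0
    check_conntrack "$1" || n=$((n + 1))
    check_neigh "$1" || n=$((n + 1))
    return $n
}

# Stand-alone run: warn at 80% of either limit.
warnings=0; nat_check 80 || warnings=$?; echo "warnings: $warnings"
```

Run it from cron or wrap it in an snmpd extend entry and graph the printed percentages; the warning count is the exit status of nat_check.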
Finally