iptables + ip_conntrack (required?)
I have been lurking on this group now for a while, and there does seem
to be sound advice floating around. So with that, I tread into your waters
and ask for your assistance.
The setup is simple. nginx sitting on a Linux CentOS (2.6 kernel)
acting as a load balancer for a set of backend machines.
The machine is under quite a lot of network stress in terms of sockets
being set up and torn down again. We have iptables running to stop all
the nasty people in the world! :)
However, views seem to be divided on the ip_conntrack issue.
Some say to just increase the value if you are running out of handles.
echo 65536 > /proc/sys/net/ipv4/ip_conntrack_max
Some say to tune the values below their defaults so sockets get cleared
out quicker:
ip_conntrack_tcp_timeout_time_wait
ip_conntrack_tcp_timeout_fin_wait
Now some people say to remove ip_conntrack completely; it's not required
for web traffic, especially for web balancers, as you need double the
amount of sockets (one for the incoming and another for the backend).
iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK
So my questions are:
1. Anyone have any experience with this world?
2. What is ip_conntrack really buying me for web traffic?
3. Is the NOTRACK the only way to turn off ip_conntrack?
All advice gratefully received and digested! :)
thanks
--
Alan Williamson
Registrationless email/sms reminders: http://yourli.st/
blog: http://alan.blog-city.com/
Re: iptables + ip_conntrack (required?)
Hello,
Alan Williamson wrote:
>
> Some say to just increase the value if you are running out of handles.
>
> echo 65536 > /proc/sys/net/ipv4/ip_conntrack_max
>
> Some say to tune the values below their defaults so sockets get cleared
> out quicker:
>
> ip_conntrack_tcp_timeout_time_wait
> ip_conntrack_tcp_timeout_fin_wait
>
> Now some people say to remove ip_conntrack completely; it's not required
> for web traffic, especially for web balancers, as you need double the
> amount of sockets (one for the incoming and another for the backend).
>
> iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK
They're all wrong. Conntrack has nothing to do with sockets. If your box
runs out of sockets, you're looking in the wrong direction.
> 2. What is ip_conntrack really buying me for web traffic?
Conntrack tracks "connections" based on the packet flows it sees. It is
necessary for address/port translation (-j DNAT, SNAT, MASQUERADE,
REDIRECT...) and stateful filtering (-m state, conntrack). If you use
neither of these, you probably don't need conntrack.
> 3. Is the NOTRACK the only way to turn off ip_conntrack?
If ip_conntrack (or nf_conntrack in "recent" kernels) is built as a
module, you can just not load it. NOTRACK is just more selective,
allowing you not to track some flows.
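As an added example (not code from either post above): a small POSIX shell script that does the two things the reply implies you would want before and after taking HTTP out of conntrack. It reads the live count/max from whichever sysctl pair the running kernel exposes, so you can see whether the table is actually under pressure, and it prints NOTRACK rules for both legs of the balancer together with the stateless filter-table accepts those flows then need, since untracked packets never match `-m state --state ESTABLISHED`. It also shows why the single `PREROUTING --dport 80` rule from the original question is not enough on a balancer: nginx's replies leave through the raw OUTPUT chain and the nginx-to-backend leg is a fresh outbound connection, so both still end up in the table unless they get their own rules. The backend subnet `10.0.0.0/24` and the helper names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Two helpers for a nginx
# balancer that wants HTTP flows out of conntrack:
#   conntrack_usage   - how full the tracking table really is right now
#   notrack_rules     - NOTRACK rules for BOTH legs of the balancer, plus the
#                       filter-table accepts that untracked packets then need
# The backend subnet and all helper names are assumptions for illustration.

# Print "COUNT MAX" from whichever sysctl pair this kernel exposes.
# Returns 1 when neither exists, i.e. conntrack is not loaded at all.
conntrack_usage() {
    for base in /proc/sys/net/netfilter/nf_conntrack \
                /proc/sys/net/ipv4/netfilter/ip_conntrack; do
        if [ -r "${base}_count" ] && [ -r "${base}_max" ]; then
            echo "$(cat "${base}_count") $(cat "${base}_max")"
            return 0
        fi
    done
    echo "conntrack is not loaded: no *_count/*_max sysctl found" >&2
    return 1
}

# Integer percentage of the table in use. Usage: conntrack_pct COUNT MAX
conntrack_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Print (do not apply) the rules for a balancer listening on :80 whose
# backends listen on :80 inside NET. Usage: notrack_rules NET
#
# Why four NOTRACK rules: a single PREROUTING --dport 80 rule only exempts
# packets *arriving* on port 80. nginx's replies leave through the raw OUTPUT
# chain, and the nginx->backend leg is a fresh outbound connection, so both
# would otherwise still be picked up into the table.
#
# Why the explicit ACCEPTs: untracked packets have state UNTRACKED, never
# ESTABLISHED, so a "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule
# stops letting them through the moment they are NOTRACKed. The "! --syn"
# on the backend rule admits reply traffic only; a backend cannot open a
# connection to the balancer through it.
notrack_rules() {
    net="$1"
    cat <<EOF
# client <-> nginx:80
iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK
iptables -t raw -A OUTPUT -p tcp --sport 80 -j NOTRACK
# nginx <-> backend:80
iptables -t raw -A OUTPUT -p tcp -d $net --dport 80 -j NOTRACK
iptables -t raw -A PREROUTING -p tcp -s $net --sport 80 -j NOTRACK
# stateless accepts for the now-untracked flows
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s $net --sport 80 ! --syn -j ACCEPT
EOF
}

# Command-line use; nothing runs when the file is only sourced.
case "${1:-}" in
    check)
        usage=$(conntrack_usage) || exit 1
        set -- $usage
        echo "conntrack: $1 of $2 entries used ($(conntrack_pct "$1" "$2")%)"
        ;;
    rules)
        notrack_rules "${2:-10.0.0.0/24}"
        ;;
esac
```

Run `sh conntrack.sh check` on the balancer while it is under load; if the percentage is low, the table is not what is hurting you and raising ip_conntrack_max buys nothing. `sh conntrack.sh rules 10.0.0.0/24` prints the rule set for review rather than applying it, so it can be dropped into your existing iptables script; remember that if the box does any NAT or stateful matching on other ports, those flows must stay tracked, which is exactly the selectivity NOTRACK gives you over not loading the module at all.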