iptables + ip_conntrack (required?) - Networking



Thread: iptables + ip_conntrack (required?)

  1. iptables + ip_conntrack (required?)

    I have been lurking on this group now for a while, and there does seem
    to be sound advice floating around. So with that, I tread into your waters
    and ask for your assistance.

    The setup is simple. nginx sitting on a Linux CentOS (2.6 kernel)
    acting as a load balancer for a set of backend machines.

    The machine is under quite a lot of network stress in terms of sockets
    being set up and torn down again. We have iptables running to stop all
    the nasty people in the world!

    However, views seem to be divided on the ip_conntrack issue.

    Some say to just increase the value if you are running out of handles.

    echo 65536 > /proc/sys/net/ipv4/ip_conntrack_max

    Some say to tune the values below their defaults so sockets get cleared
    out quicker:

    ip_conntrack_tcp_timeout_time_wait
    ip_conntrack_tcp_timeout_fin_wait

    Now some people say to remove ip_conntrack completely, it's not required
    for web traffic, especially for web balancers as you need double the
    amount of sockets (one for the incoming and another for the backend).

    iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK


    So my questions are:

    1. Anyone have any experience with this world?
    2. What is ip_conntrack really buying me for web traffic?
    3. Is the NOTRACK the only way to turn off ip_conntrack?


    All advice gratefully received and digested!

    thanks

    --
    Alan Williamson
    Registrationless email/sms reminders: http://yourli.st/
    blog: http://alan.blog-city.com/

  2. Re: iptables + ip_conntrack (required?)

    Hello,

    Alan Williamson wrote:
    >
    > Some say to just increase the value if you are running out of handles.
    >
    > echo 65536 > /proc/sys/net/ipv4/ip_conntrack_max
    >
    > Some say to tune the values below their defaults so sockets get cleared
    > out quicker:
    >
    > ip_conntrack_tcp_timeout_time_wait
    > ip_conntrack_tcp_timeout_fin_wait
    >
    > Now some people say to remove ip_conntrack completely, it's not required
    > for web traffic, especially for web balancers as you need double the
    > amount of sockets (one for the incoming and another for the backend).
    >
    > iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK


    They're all wrong. Conntrack has nothing to do with sockets. If your box
    runs out of sockets, you're looking in the wrong direction.

    > 2. What is ip_conntrack really buying me for web traffic?


    Conntrack tracks "connections" based on the packet flows it sees. It is
    necessary for address/port translation (-j DNAT, SNAT, MASQUERADE,
    REDIRECT...) and stateful filtering (-m state, conntrack). If you use
    neither of these, you probably don't need conntrack.

    > 3. Is the NOTRACK the only way to turn off ip_conntrack?


    If ip_conntrack (or nf_conntrack in "recent" kernels) is built as a
    module, you can just not load it. NOTRACK is just more selective,
    allowing you to not track some flows.

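    As an added example (not part of this thread), here is a small Python parser over conntrack table entries in the /proc/net/nf_conntrack text format. It reports how full the table is against a given maximum and which TCP states dominate, which is the measurement to take before raising ip_conntrack_max, lowering the TIME_WAIT/FIN_WAIT timeouts, or deciding that NOTRACK on port 80 is justified. The sample entries are constructed, not captured from a real host.

```python
import re
from collections import Counter

# Constructed sample lines in /proc/net/nf_conntrack format (not from a real machine).
# Fields: family, L3 proto number, L4 proto, L4 proto number, TTL seconds,
# optional TCP state, then original-direction and reply-direction tuples.
SAMPLE = """\
ipv4     2 tcp      6 117 TIME_WAIT src=10.0.0.5 dst=10.0.0.1 sport=51234 dport=80 src=10.0.0.1 dst=10.0.0.5 sport=80 dport=51234 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.1 sport=51235 dport=80 src=10.0.0.1 dst=10.0.0.5 sport=80 dport=51235 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 118 TIME_WAIT src=10.0.0.1 dst=192.168.1.10 sport=40001 dport=8080 src=192.168.1.10 dst=10.0.0.1 sport=8080 dport=40001 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 55 FIN_WAIT src=10.0.0.6 dst=10.0.0.1 sport=51300 dport=80 src=10.0.0.1 dst=10.0.0.6 sport=80 dport=51300 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=10.0.0.7 dst=10.0.0.1 sport=5353 dport=53 [UNREPLIED] src=10.0.0.1 dst=10.0.0.7 sport=53 dport=5353 mark=0 use=1
"""

# The TCP state token is optional: UDP entries go straight from the TTL to src=.
ENTRY = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+\d+\s+(\d+)\s+(?:([A-Z_]+)\s+)?(.*)$")


def parse_entries(text):
    """Parse conntrack lines into dicts with proto, ttl, state and original dport."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # skip anything that is not a conntrack entry
        _family, proto, ttl, state, rest = m.groups()
        # The first dport= belongs to the original direction, i.e. the service port.
        dport = re.search(r"dport=(\d+)", rest).group(1)
        entries.append({"proto": proto, "ttl": int(ttl),
                        "state": state or "-", "dport": int(dport)})
    return entries


def summarize(entries, conntrack_max):
    """Table fill level and state/port distribution; the inputs to any tuning decision."""
    by_state = Counter(e["state"] for e in entries)
    tcp_by_dport = Counter(e["dport"] for e in entries if e["proto"] == "tcp")
    # A table near conntrack_max means the kernel will start dropping new flows,
    # so this ratio is what "running out of handles" actually refers to.
    return {"total": len(entries),
            "fill_pct": round(100.0 * len(entries) / conntrack_max, 1),
            "by_state": dict(by_state),
            "tcp_by_dport": dict(tcp_by_dport)}


if __name__ == "__main__":
    print(summarize(parse_entries(SAMPLE), conntrack_max=65536))
```

On a live box the same functions can be fed the contents of /proc/net/nf_conntrack and the value of nf_conntrack_max (or ip_conntrack_max on the older module); a large TIME_WAIT share is the case where shortening that timeout helps, while a table that is mostly port 80 flows with no NAT or -m state rules is the case the reply above says conntrack is not buying you anything.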