#StackBounty: #kernel #iptables #performance #ps #htop performance monitoring of "iptables" kernel module

Bounty: 100

I would like to know how much CPU / memory my current iptables rules consume.

I have tried looking in ps and htop, but even with kernel threads displayed I did not see anything related to iptables.

I am using the conntrack module with these module-specific settings: xt_recent.ip_pkt_list_tot=1 xt_recent.ip_list_tot=4096. I think 4096 is quite high. And then, in my iptables configuration, I am using two kinds of block lists: BLACKLIST and PORTSCAN.

-A INPUT  -i eth0 -p icmp             -j ACCEPT
-A INPUT  -i eth0 -s  1.2.3.4/32      -j ACCEPT
-A INPUT  -i eth0 -m  recent --rsource --name BLACKLIST --seconds 14400 --update -j DROP
-A INPUT  -i eth0 -p  tcp  -m tcp --dport 25 -j ACCEPT

-A INPUT  -i eth0 -m  recent   --rsource --name PORTSCAN --seconds 3600 --update -j DROP
-A INPUT -i eth0  -p  udp  -m udp --dport 5060 -j ACCEPT
-A INPUT -i eth0  -p  tcp  -m tcp --dport 5061 -j ACCEPT
-A INPUT -i eth0  -p  udp  -m udp --dport 5062:5100 -j ACCEPT

-A INPUT  -i eth0 -m  conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT  -i eth0 -m  recent  --rsource --name PORTSCAN --set -j DROP

-A INPUT  -i eth0 -j DROP
-A INPUT  -j DROP

I am experiencing network problems on the server, where I suspect my iptables rules could play a role. For instance:

  • My ssh sessions are being dropped quite often.
  • Ping reports 0.2% packet loss
  • When I am connecting on allowed ports, i.e. 5060, it takes noticeably longer when PORTSCAN has many items, compared with when it is empty

  • What would be the best way to troubleshoot this issue?
  • Is there some optimization I could do to my iptables rules?
  • How can I see how much of my CPU is being consumed by iptables?
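As an added diagnostic (my own script, not code from the question): netfilter rules run in softirq context on the CPU that receives the packet, which is why no iptables process or kernel thread shows up in ps or htop; the per-rule packet counters from `iptables -nvxL INPUT` are the cheapest way to see which rules do the work. The script parses that output, ranks rules by hits and estimates how many xt_recent lookups are spent on packets that the later `ctstate RELATED,ESTABLISHED` rule accepts anyway. The SAMPLE text is constructed to mirror the rule set above; its counter values are invented, not measurements. The ordering check also makes a caveat visible: because the PORTSCAN `--update` DROP sits before the conntrack rule, a source that once touched a closed port is dropped for its established flows too, for the next 3600 s.

```python
"""Rank iptables INPUT rules by hit count and estimate how many `recent`
lookups are paid by packets the conntrack ESTABLISHED rule accepts later.

Added example for this question, not the poster's code. On a real host:
    sudo iptables -nvxL INPUT | python3 iptrank.py
(-x is required: the parser expects exact counters, not 12K/3M.)
SAMPLE is constructed to mirror the question's rule set; counters are invented.
"""
import re
import sys

SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   12034   1010856 ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0
     982    123456 ACCEPT     all  --  eth0   *       1.2.3.4              0.0.0.0/0
  550321  33019260 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 14400 name: BLACKLIST side: source mask: 255.255.255.255
    4410    264600 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
  210877  12652620 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 3600 name: PORTSCAN side: source mask: 255.255.255.255
   90210   5412600 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060
    1503     90180 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5061
   77001   4620060 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpts:5062:5100
 8123456 4874073600 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   31337   1880220 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            recent: SET name: PORTSCAN side: source mask: 255.255.255.255
    5000    300000 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
       0         0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# One data row of `iptables -nvxL`: counters, target, the fixed columns, then
# whatever match-extension text follows (recent:, ctstate, tcp dpt:, ...).
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+"
    r"(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"\s*(?P<match>.*)$"
)


def parse_chain(text):
    """Turn `iptables -nvxL <chain>` output into an ordered list of rule dicts."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:  # the chain banner and column header never match
            continue
        r = m.groupdict()
        r["pkts"] = int(r["pkts"])
        r["bytes"] = int(r["bytes"])
        r["match"] = r["match"].strip()
        r["index"] = len(rules) + 1  # same numbering as --line-numbers
        rules.append(r)
    return rules


def top_rules(rules, n=3):
    """Rules sorted by packet hits: the rules that actually consume CPU."""
    return sorted(rules, key=lambda r: r["pkts"], reverse=True)[:n]


def recent_lookups_before_conntrack(rules):
    """Return (wasted_lookups, recent_rules_before, conntrack_rule_index).

    A packet accepted by the RELATED,ESTABLISHED rule was first evaluated
    against every rule above it, so each earlier `recent` rule costs one
    xt_recent hash lookup per such packet.
    """
    recent_before = 0
    for r in rules:
        if "ctstate" in r["match"] and "ESTABLISHED" in r["match"]:
            return recent_before * r["pkts"], recent_before, r["index"]
        if r["match"].startswith("recent:"):
            recent_before += 1
    return 0, recent_before, None


def report(text):
    """Human-readable summary of the hottest rules and the ordering cost."""
    rules = parse_chain(text)
    lines = [
        f"rule {r['index']:2d}: {r['pkts']:>10d} pkts  {r['target']:6s} "
        f"{r['match'] or r['prot']}"
        for r in top_rules(rules)
    ]
    wasted, n_recent, ct_index = recent_lookups_before_conntrack(rules)
    if ct_index:
        lines.append(
            f"{n_recent} recent-match rule(s) precede the conntrack rule "
            f"(#{ct_index}): ~{wasted} xt_recent lookups spent on traffic "
            f"that was already established"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(report(data))
```

If the conntrack rule turns out to carry most of the packets, moving it above the two `recent --update` rules removes those lookups from the hot path; the `recent --set` DROP at the end is unaffected because only packets that matched nothing else reach it.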

