Fwd: iptables extremely slow
Anthony Liu
anthony@nexus-online.com
Thu, 16 Aug 2001 14:53:48 +0800
On Tue, Aug 14, 2001 at 05:56:22PM +0200, Robert Olsson wrote:
> I'm trying to track down why my iptables-script is slow (takes minutes),
> and found something very interesting.
> Running iptables v1.1.1 on kernel 2.4.2, this is basically what I do,
> without getting into details I assume aren't interesting:
Try to use numerical IP addresses instead. It is possible to filter
entirely on interface, with no IP address at all, as addresses are not
reliable anyway (spoofing).
Another thing is I am amazed by people that "need" hundreds of rules
(compounded with non-numerical IP resolving, it becomes a total disaster).
Adopt a deny policy and redesign the chains in a clearly defined
data-flow diagram; it will reduce the overhead a lot.
Any open services, forward them to a DMZ.
Hope this helps.