iptables slowdown
Raj
list@mail.com.np
Sun, 30 Dec 2001 13:22:58 +0545 (NPT)
Hi!
I could not comprehend much about your pb from your mail; however, I feel
the FW box may be reaching the ip_conntrack_max value, i.e. the maximum
allowed number of estb. connections through the FW.
Verify the following when the pb occurs:
#cat /proc/sys/net/ipv4/ip_conntrack_max
#grep conn /proc/slabinfo (note the 1st value against the max value)
Once it has reached the max value, the FW starts dropping newer packets.
If so, you may need to increase the value or decrease the expire duration
at compile time.
Please refer to:
http://netfilter.samba.org/netfilter-faq-3.html#ss3.6
http://www.linuxguruz.org/iptables/
http://www.knowplace.org/netfilter/index.html
http://www.cs.princeton.edu/~jns/security/iptables/iptables_conntrack.html
Hope this helps,
Cheers,
Raj
On Fri, 28 Dec 2001 craig.howard@shadnet.shad.ca wrote:
> I'm running iptables on a 2.4.16 486 with 8MB of RAM as a gateway for four machines connected to an ADSL line. When I first set this up I was getting around 100k/s downloads. Recently, data transfer has become _very_ unreliable. Speeds are much lower and I get lots of halts when viewing webpages. This happens on all computers on the internal network. However, connection speed from the firewall itself is still high.
>
> I'm not running any exotic rules; a few portforwards which make no difference to the performance (I've commented them out and not seen an improvement), and MASQ on the four computers behind the gateway. I've tried playing with the mtu, the rwin and I've even swapped network cards. I'm running rp-pppoe and I've tried both kernel mode and user mode pppoe.
>
> Have I made a stupid mistake? I don't remember changing anything important.
>
> I can provide more details if necessary. Thanks in advance for the help.
>
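The two checks Raj lists above, written out as a small script so the comparison of the active slab count against ip_conntrack_max can be repeated whenever the slowdown hits. This is an added example, not code from the original thread; the slabinfo excerpt, the 4096 limit and the 90% warning threshold are constructed values.

```shell
#!/bin/sh
# Added example, not part of the original mail: read the conntrack entry
# count and ip_conntrack_max the way Raj's check does, and flag a table that
# is close to full. Paths are the 2.4-kernel ones from the mail; newer
# kernels use /proc/sys/net/netfilter/nf_conntrack_{max,count} instead.

# Print the active-object count for the ip_conntrack slab cache.
# $1: full text of /proc/slabinfo (field 2 of the line is active objects,
# which is the "1st value" the mail says to compare against the max).
conntrack_active() {
    printf '%s\n' "$1" | awk '$1 == "ip_conntrack" { print $2; exit }'
}

# Compare usage against the limit.
# $1: active entries  $2: ip_conntrack_max  $3: warn threshold in % (default 90)
# Returns 0 when below the threshold, 1 when at/above it, 2 on bad input.
conntrack_check() {
    used=$1; max=$2; thresh=${3:-90}
    case $used in ''|*[!0-9]*) return 2;; esac
    [ "$max" -gt 0 ] 2>/dev/null || return 2
    pct=$(( used * 100 / max ))
    if [ "$pct" -ge "$thresh" ]; then
        echo "WARNING: conntrack $used/$max ($pct%): new connections are dropped once the table is full"
        return 1
    fi
    echo "ok: conntrack $used/$max ($pct%)"
}

# Constructed slabinfo excerpt (2.4 "version 1.1" layout) so the script can
# be run on a machine without ip_conntrack.
SAMPLE_SLABINFO='slabinfo - version: 1.1
ip_conntrack        4011   4032    352  366  366    1
dentry_cache        1200   1500    128   50   50    1'

if [ -r /proc/sys/net/ipv4/ip_conntrack_max ] && [ -r /proc/slabinfo ]; then
    MAX=$(cat /proc/sys/net/ipv4/ip_conntrack_max)
    USED=$(conntrack_active "$(cat /proc/slabinfo)")
else
    MAX=4096                                  # constructed value
    USED=$(conntrack_active "$SAMPLE_SLABINFO")
fi
conntrack_check "$USED" "$MAX" || :
```

Run it from cron or a watch loop while the stalls are happening; a warning that coincides with the slowdown points at the table limit, a steady "ok" rules it out.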