Will increasing number of rules in iptables slow down my internet

Writer Andrew Mclaughlin

How much impact will the rules have on speed if we are using match to queue the packets?

1 Answer

Depends on how they are written. Yes, 2400 rules can cripple your system if improperly implemented. Traffic rules should be written based on typical bandwidth usage.

For example: accept established/related should be almost #1. Using ipset in combination with iptables can also boost performance when you need to block a large number of evil doers. The iptables blacklist via ipset should be rule #2. The next group of rules needs to add to the ipset block list, depending on your environment.

Calculate the bandwidth usage of each type of packet and order the rules from highest to lowest bandwidth.

When more traffic hits more rules it slows down considerably. 2000 rules times 50,000 packets per second will cripple a lot of computers.

2,000 * 50,000 pps = 100,000,000 compares per second is very hard on the CPU. 2,000 * 1 pps = 2,000 compares per second is easy.
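As an added illustration of the ordering argument in this answer (not part of the original post), here is a small Python model that counts how many rule comparisons per second a linear chain costs for a given rule order. The traffic profile, packet rates and rule texts are constructed, and the `blacklisted_N` labels stand in for real source addresses.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str           # iptables-style rule text (illustrative only)
    matches: frozenset  # traffic classes this rule terminates

@dataclass(frozen=True)
class Traffic:
    name: str
    pps: int            # packets per second of this class (constructed)

def compares_per_second(rules, traffic):
    """A packet walks the chain top-down and stops at the first rule that
    matches it; a packet matching nothing is compared against every rule
    before the chain policy applies."""
    total = 0
    for t in traffic:
        depth = len(rules)
        for pos, rule in enumerate(rules, start=1):
            if t.name in rule.matches:
                depth = pos
                break
        total += t.pps * depth
    return total

def order_by_traffic(rules, traffic):
    """Sort rules by the packet rate they terminate, highest first."""
    pps = {t.name: t.pps for t in traffic}
    return sorted(rules, key=lambda r: sum(pps.get(c, 0) for c in r.matches), reverse=True)

# Constructed traffic profile: one busy established flow class, a trickle of
# new connections, 2000 blocked sources at 1 pps each, and unmatched noise.
BLACKLIST = [f"blacklisted_{i}" for i in range(2000)]
TRAFFIC = [Traffic("established", 50_000), Traffic("http_new", 200),
           Traffic("ssh_new", 5), Traffic("other", 50)] + [Traffic(c, 1) for c in BLACKLIST]

SSH = Rule("-p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT", frozenset({"ssh_new"}))
HTTP = Rule("-p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT", frozenset({"http_new"}))
ESTABLISHED = Rule("-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT", frozenset({"established"}))
IPSET_DROP = Rule("-m set --match-set blacklist src -j DROP", frozenset(BLACKLIST))

# Naive chain: 2000 per-address DROP rules first, stateful accept last.
NAIVE = [Rule(f"-s {c} -j DROP", frozenset({c})) for c in BLACKLIST] + [SSH, HTTP, ESTABLISHED]

# Tuned chain: established/related first, one ipset lookup for the whole
# blacklist, remaining rules ordered by the traffic they carry.
TUNED = order_by_traffic([SSH, IPSET_DROP, HTTP, ESTABLISHED], TRAFFIC)

if __name__ == "__main__":
    print(compares_per_second(NAIVE, TRAFFIC))  # 102661555
    print(compares_per_second(TUNED, TRAFFIC))  # 54820
```

The same 52,255 pps costs roughly 1,900 times fewer comparisons once the busiest class is matched first and the blacklist collapses into a single set lookup.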
