[nzlug] iptables problems... and ssh/tcp kernel tuning

Steve Holdoway steve at greengecko.co.nz
Wed Feb 20 20:56:07 NZDT 2008


On Wed, 20 Feb 2008 19:01:22 +1300
Cliff Pratt <enkidu at cliffp.com> wrote:

> 
> Shorewall is not hardware and I'd vote for it having used it for a 
> couple of years a while back.
> 
> If you build your own firewall you stand the risk of making a mistake 
> and completely nullifying your firewall.
> 
> Cheers,
> 
> Cliff
Well, I'd say that there's something to be said about doing things the hard way until you fully understand what you're doing, then use tools to make your life easier, but not when the system console's out of reach!

I'm having a bit of a problem with this machine. I think the root cause of the problem is this line off netstat -s:

'173604 packets collapsed in receive queue due to low socket buffer' which becomes
'185367 packets collapsed in receive queue due to low socket buffer' a couple of hours later.

I've tuned tcp ( debian stable ) as follows:

net.ipv4.tcp_window_scaling = 1
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 8192 873800 16777216
net.ipv4.tcp_wmem = 4096 655360 16777216

net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1

net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.ip_default_ttl = 71

and it seems to be a bit better than before. The system just gets really laggy ( ping > 1 second instead of 170ms ), and throughput drops. Load level is about 0.1 and there's plenty of spare memory.

It's acting as an ssh tunnel, with about 50 users using it. Are there any other kernel parameters that may be worth trying? It's a single core box, so I don't think that trying out this multithreaded version of ssh that's been in the press lately will be of much use.

The other worry is the interrupt rate on the network card ( an Intel Pro/100 running into a 10mbit switch port ), which is at about 2000/sec - although performance is currently fine.

Any suggestions on what to try would be gratefully received.

Cheers,


Steve.
-- 
Steve Holdoway <steve at greengecko.co.nz>
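The counter Steve is watching is `TcpExt` output from `netstat -s`; the kernel bumps it whenever it has to merge ("collapse") queued segments because a socket's receive buffer is full, so what matters is how fast it grows, not its absolute value. The following is an added example, not code from the post or from the NZLUG thread: it parses two `netstat -s` excerpts (constructed here from the two numbers in the post, assumed two hours apart), works out the per-second growth of the collapsed counter, and runs a few sanity checks over the sysctl block as listed above. The counter text, the interval and the check thresholds are assumptions made for the example.

```python
"""Added example (not from the mailing list post): parse TcpExt counters
from `netstat -s`, rate the 'collapsed' counter between two samples, and
sanity-check the tcp buffer sysctls quoted in the post."""
import re

# Constructed: two TcpExt excerpts using the post's numbers, assumed to be
# "a couple of hours" (7200 s) apart.
SAMPLE_T0 = """\
TcpExt:
    173604 packets collapsed in receive queue due to low socket buffer
    41 packets pruned from receive queue because of socket buffer overrun
"""
SAMPLE_T1 = """\
TcpExt:
    185367 packets collapsed in receive queue due to low socket buffer
    41 packets pruned from receive queue because of socket buffer overrun
"""
SAMPLE_INTERVAL_S = 2 * 3600
COLLAPSED = "packets collapsed in receive queue due to low socket buffer"
PRUNED = "packets pruned from receive queue because of socket buffer overrun"

# The sysctl block as the post lists it.
SYSCTL_TEXT = """\
net.ipv4.tcp_window_scaling = 1
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 8192 873800 16777216
net.ipv4.tcp_wmem = 4096 655360 16777216
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.ip_default_ttl = 71
"""

COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")


def parse_counters(text):
    """Map each '<count> <description>' line of netstat -s to {description: count}."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
    return counters


def counter_rate(before, after, seconds, key):
    """Growth per second of one counter between two samples."""
    delta = parse_counters(after)[key] - parse_counters(before)[key]
    return delta / seconds


def parse_sysctl(text):
    """Parse 'key = v1 v2 ...' lines into {key: [ints]}."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = [int(v) for v in value.split()]
    return settings


def check_tcp_buffers(settings):
    """Return a list of warnings about the buffer-related settings."""
    warnings = []
    for key in ("net.ipv4.tcp_rmem", "net.ipv4.tcp_wmem"):
        lo, default, hi = settings[key]
        if not lo <= default <= hi:
            warnings.append(f"{key}: expected min <= default <= max, got {lo} {default} {hi}")
    # Windows above 64 KiB are only usable with window scaling enabled.
    if settings["net.ipv4.tcp_rmem"][2] > 65535 and settings.get("net.ipv4.tcp_window_scaling", [1])[0] != 1:
        warnings.append("tcp_rmem max exceeds 64 KiB but tcp_window_scaling is 0")
    # tcp_tw_recycle rejects SYNs whose timestamps go backwards per source IP,
    # which drops connections from multiple clients behind one NAT address.
    if settings.get("net.ipv4.tcp_tw_recycle", [0])[0] == 1:
        warnings.append("tcp_tw_recycle=1 can drop connections from clients behind NAT")
    return warnings


if __name__ == "__main__":
    rate = counter_rate(SAMPLE_T0, SAMPLE_T1, SAMPLE_INTERVAL_S, COLLAPSED)
    print(f"collapsed: {rate:.2f}/s, pruned delta: "
          f"{parse_counters(SAMPLE_T1)[PRUNED] - parse_counters(SAMPLE_T0)[PRUNED]}")
    for w in check_tcp_buffers(parse_sysctl(SYSCTL_TEXT)):
        print("warning:", w)
```

On a live box the two samples would come from `netstat -s` run some minutes apart; a collapsed rate that keeps climbing while the pruned counter stays flat means the kernel is still managing to fit data into the receive buffers, just with extra work, whereas a rising pruned counter means data is actually being discarded. The `tcp_tw_recycle` warning is the check most worth acting on for a box that fifty ssh users reach through assorted home and office NATs.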