8

How much impact will the rules have on speed, if we are using match to queue the packets?

adnan kamili
    Have you tried configuring your iptables with all the rules and then running a speed test? Either speedtest.net, or a local network testing utility if you're concerned about more than just the connection to the internet. – Darth Android Oct 02 '12 at 16:48
  • 1
    Actually it affected my download speed considerably – adnan kamili Oct 02 '12 at 17:58
  • 1
    It might be useful then to include what exactly you're trying to do and how you're currently going about doing it so that others can suggest improvements. – Darth Android Oct 02 '12 at 18:22
  • 1
    searching for 'iptables performance' turns up a lot of discussions on this. – uSlackr Oct 02 '12 at 19:45

1 Answer

7

Depends on how they are written. Yes, 2400 rules can cripple your system if improperly implemented. Traffic rules should be written based on typical bandwidth usage.

For example: accept established,related should be almost #1. Using ipset in combination with iptables can also boost performance when you need to block a large number of evil doers; the iptables blacklist via ipset should be rule #2. The next group of rules needs to add to the ipset block list depending on your environment.

Calculate the bandwidth usage of each type of packet and order the rules from highest to lowest bandwidth.

When more traffic hits more rules it slows down considerably. 2000 rules times 50,000 packets per second will cripple a lot of computers.

 2,000 * 50,000 pps = 100,000,000 compares per second is very hard on the CPU.
 2,000 * 1 pps      =       2,000 compares per second is easy.
cybernard
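The ordering the answer describes (established/related first, one ipset lookup for the blacklist second, then per-protocol rules sorted by expected bandwidth, default drop last), written out as a small POSIX shell generator. This is an added example, not code from the answer above or from the iptables project; the chain name, the ipset name "blacklist", the ports and the Mbit/s figures are all made-up assumptions, and the script only prints the commands unless APPLY=1 is set, so it can be inspected before anything touches a live firewall.

```shell
#!/bin/sh
# Added example: emit an iptables chain in the order the answer recommends.
# Dry run by default (commands are printed); APPLY=1 executes them as root.
# SET_NAME, CHAIN and the bandwidth table below are assumed/constructed values.

SET_NAME="${SET_NAME:-blacklist}"   # assumed ipset name
CHAIN="${CHAIN:-INPUT}"             # assumed chain

# run_or_print: execute the command when APPLY=1, otherwise echo it.
run_or_print() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Constructed table of traffic classes: "<estimated Mbit/s> <iptables match>".
# Real deployments replace these numbers with measurements of their own link.
traffic_classes() {
    cat <<'EOF'
400 -p tcp --dport 443 -j ACCEPT
120 -p tcp --dport 80 -j ACCEPT
15 -p udp --dport 53 -j ACCEPT
2 -p tcp --dport 22 -j ACCEPT
EOF
}

# ordered_rules: print every rule, one per line, in evaluation order.
ordered_rules() {
    # 1. conntrack shortcut: the bulk of packets belong to a known flow and stop here
    echo "iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 2. one hash lookup against the ipset instead of one rule per blocked address
    echo "iptables -A $CHAIN -m set --match-set $SET_NAME src -j DROP"
    # 3. remaining rules, highest estimated bandwidth first (numeric, descending)
    traffic_classes | sort -rn -k1,1 | while read -r _mbps match; do
        echo "iptables -A $CHAIN $match"
    done
    # 4. default policy for anything the rules above did not accept
    echo "iptables -A $CHAIN -j DROP"
}

# apply_rules: create the set (idempotent) and feed each rule to run_or_print.
apply_rules() {
    run_or_print ipset create "$SET_NAME" hash:ip -exist
    ordered_rules | while read -r line; do
        # word splitting is intended: each line is a complete command
        # shellcheck disable=SC2086
        run_or_print $line
    done
}

apply_rules
```

Run it once without APPLY to review the order; the first two rules are the ones that should catch almost every packet, and nothing in the bandwidth-sorted block is evaluated for traffic those two already decided.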