Derek Glidden wrote:
> > so the commands won't be traversed in the order I add them. If I start
> > with an empty chain SERVICES as above (which is followed by the DROP rule),
> > then I can later add/delete to the SERVICES chain and the packets
> > will have to traverse all the SERVICES rules before they return
> > to the default (here DROP) rule.
>
> Not sure what you mean by this.
I first set up standard rules
#start the lvs user-defined chain
iptables -N lvs
#send packets to the lvs chain (VIP is a placeholder for the director's virtual IP)
iptables -A FORWARD -i eth0 -d VIP/32 -j lvs
#reject everything that drops through the lvs chain
#(REJECT is not a valid chain policy for -P, only ACCEPT or DROP are,
#so the catch-all REJECT is appended as the last FORWARD rule instead)
iptables -A FORWARD -j REJECT
in the body of the script I'll find that the conf file says
to set up http as an LVS'ed service. I'll then run the command
#tell the lvs chain to accept http packets
iptables -A lvs -p tcp --dport http -j ACCEPT
I'm hoping that the packet will traverse all the "lvs chain" rules
before dropping through to the default REJECT rule, even
though I didn't add the rules in the order I want them traversed.
> It seems like it might be useful to have the most commonly used port be
> the first rule so that if, for example, 95% of the traffic through the
> firewall is http on port 80, it's not the last rule in your chain that
> gets checked, causing extra overhead by running through all the
> non-matching chains.
At the moment I'll be glad if it just works and I don't freeze myself
out of my director, which happened on my first attempt yesterday :-)
> But in some test situations we've done where I
> work, I've managed to pretty much saturate a 100mbps connection into an
> iptables-based firewall and a pretty hairy ruleset on a P-III 800Mhz
> with very little CPU overhead.
I'm counting on the netfilter guys to come through on this :-)
Joe
--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
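As an added example that is not part of the mail above: the script below lays out the FORWARD/lvs structure Joe describes, with the two things a practitioner would want fixed. The catch-all REJECT is appended as the last FORWARD rule (a built-in chain's policy can only be ACCEPT or DROP), and the most-used service can be inserted at the head of the lvs chain with `-I`, which is Derek's ordering point. Rules appended to the lvs chain afterwards are still evaluated before the packet returns to FORWARD and reaches the REJECT rule, because traversal happens per packet, not in script order. The VIP address and the `APPLY` switch are constructed for this example; by default the commands are printed rather than run.

```shell
#!/bin/sh
# Added example, not from the original mail. VIP below is a constructed
# placeholder for the director's virtual IP; IFACE is the inside interface.
VIP="192.0.2.10"
IFACE="eth0"

# Dry-run wrapper: prints the command unless APPLY=1 is set (run as root then).
ipt() {
  if [ "${APPLY:-0}" = "1" ]; then
    iptables "$@"
  else
    echo "iptables $*"
  fi
}

# Base layout: user chain, jump into it for traffic to the VIP, then the
# catch-all. REJECT cannot be a chain policy, so it is the last FORWARD rule.
setup_base() {
  ipt -N lvs
  ipt -A FORWARD -i "$IFACE" -d "$VIP/32" -j lvs
  ipt -A FORWARD -j REJECT
}

# Add a service to the lvs chain. $1 is the port (name or number),
# $2 is "insert" (head of chain, for the most common service) or "append".
add_service() {
  if [ "$2" = "insert" ]; then
    ipt -I lvs 1 -p tcp --dport "$1" -j ACCEPT
  else
    ipt -A lvs -p tcp --dport "$1" -j ACCEPT
  fi
}

# Show the resulting rule order so the traversal can be checked.
show_rules() {
  ipt -S FORWARD
  ipt -S lvs
}

setup_base
add_service https append
add_service http insert   # 95% of traffic: first rule in lvs
show_rules
```

When run for real, `iptables -S lvs` should list the http rule before the https rule, and `iptables -S FORWARD` should show the jump to lvs ahead of the REJECT. The script touches only FORWARD; the lock-out Joe mentions comes from the INPUT chain, so keep an ACCEPT for the management session ahead of any INPUT catch-all before applying anything there.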