Shulou(Shulou.com)06/01 Report--

Summary of Speed limit Test of iptables

First, a brief introduction to iptables

Iptables is used to set, maintain, and examine the IP packet filtering rules of the Linux kernel.

When filtering packets, iptables follows certain rules, these rules are stored in the information filter table, and the firewall will deal with the packet accordingly according to the rules in these tables; in these information filter tables, the rules are actually delegated to the corresponding chain; iptables is a tool that can add, modify and delete rules to these information filter tables.

It is divided into two modules, one is that netfilter and iptables;netfilter are the modules of the firewall, mainly some information filter tables in the kernel space, and iptables is the tool for managing netfilter.

II. Tables and chains of iptables

Iptables is mainly composed of three tables, namely filter, nat and mangle. There are different chains in each table, and we mainly write the definition rules (policies) on the chain in the table.

The default is not specified is to use the filter table, which mainly includes three chains: INPUT chain, forward chain and OUTPUT chain

INPUT chains are mainly used to process packets sent to themselves, that is, the destination address of the packet is its own. Take some actions on these packets by defining some rules of the INPUT chain.

FORWARD chain is mainly used to deal with packets passing through itself, that is, the packet passes through itself, but the source address and destination address are not their own, so take corresponding actions for these packets.

The main purpose of the OUTPUT chain is to deal with the packets generated by itself, that is, the source address is its own, to take corresponding actions through the rules on the chain.

Here is a brief description of the relationship between the three chains:

When the packet arrives, it is judged first, and then you choose whether to handle the INPUT chain or the FORWARD chain, and when you go out, you will determine whether the OUTPUT chain needs to be processed.

Third, the actions on the iptables chain

There are many actions that can be performed on the chain, such as ACCEPT, DROP, REJECT

ACCEPT: allows packets that meet rule conditions to pass through

DROP: discards packets and returns no information

REJECT: discards packets and returns rejected information

4. Description of command parameters of iptables

The following is a brief description of the detailed parameters of the iptables command:

-t (table) specify the table

-A (append) append, the newly added rule (policy) is generally appended to the end rule on the chain in the table

-I (insert) add a number after the chain to specify the rule to be added to the corresponding line. The default is the front of all rules.

-L (list) viewing rules can be viewed more obviously by adding-n and-v parameters.

-F (flush) clears all rules

-D (delete) deleting a rule can be deleted by specifying the rule sequence number on the corresponding chain.-- line-numbers can view

Match some conditional parameters of the packet:

-I enter the network card

-O the network card that goes out

-s ip source address IP

-d ip destination address IP

-- dport port number destination port number

-- sdport port number source port number

Fifth, the matching order of iptables rules.

When packets pass through the firewall, they have to match policies sequentially, matching from top to bottom. If a packet does not comply with a certain rule, it will be processed by the following rules. If it does not match, it will be processed by the default policy.

VI. Actual offline testing

1) Environment

The following is my own offline testing environment and the rules I wrote:

Environment: 3 redhat6.5 (VM virtual machines)

2) defined rules

Write the following rules on the machine that turns on iptables, so that we can explain it according to the rules actually written:

# iptables-I FORWARD 1-p tcp-I eth0-o eth2-s 192.168.2.3-d 192.168.3.3-dport 80-m limit--limit=500/s-- limit-burst=1000-j ACCEPT

This rule is: allow forwarding of inbound source IP of 192.168.2.3 from eth0 to access packets of port 80 (that is, http service) with destination IP of 192.168.3.3 out of eth2, where the rate of packets is matched, forwarding 500packets per second, and the initial burst value is 1000

# iptables-I FORWARD 2-p tcp-I eth2-o eth0-s 192.168.3.3-d 192.168.2.3-dport 80-m limit--limit=500/s-- limit-burst=1000-j ACCEPT

This rule is: allow forwarding of inbound source IP of 192.168.3.3 from eth2 to access packets of port 80 (that is, http service) with destination IP of 192.168.2.3 out of eth0, where the rate of packets is matched, forwarding 500packets per second, and the initial burst value is 1000

# iptables-A FORWARD-p tcp-I eth0-o eth2-s 192.168.2.3-d 192.168.3.3-- dport 80-j DROP

This is to discard port 80 (that is, http service) packets that come in from eth0 with a source IP of 192.168.2.3 and a destination IP of 192.168.3.3 out of eth2.

# iptables-A FORWARD-p tcp-I eth2-o eth0-s 192.168.3.3-d 192.168.2.3-- dport 80-j DROP

This is to discard port 80 (that is, http service) packets that come in from eth2 with a source IP of 192.168.3.3 and a destination IP of 192.168.2.3 out of eth0.

3) related explanation of limit

The realization of the speed limit depends on the limit rule, and the two rules (ACCEPT and DROP) cooperate with each other. By limiting the number of matching packets per second and dealing with the excess by the corresponding DROP rules, the iptables speed limit is realized.

-- limit 500 inch s means 500 times per second; 1 inch means one time per minute.

-- limit-burst indicates the maximum number of times limit restrictions are allowed to be triggered (preset 5)

The-- limit-burst=1000 here is equivalent to saying that at the beginning I have 1000 matching packets to forward, and then the number of packets I match is limited according to-- limit=500/s, that is, a limit of 500 packets per second, and the excess will be dealt with and discarded by the following DROP rules, thus realizing the problem of packet speed limit.

Exactly speaking, the word "limit" here should be "match at a certain rate". As for "limit" or "release" is realized by the later-j action, limit is only a match module, its function is to match, and the matching mode is at a certain rate. Using the limit module of iptables, the target is ACCEPT. When you set 300max, it issues about one token per 3ms, the packet that gets the token can be sent out, and the packet that does not get the token can only wait for the next token to arrive, so it will not cause some packets to be lost, let alone the so-called "disconnected"

4) display the actual generation rules

The actual generated rules are as follows. Generally, the written rules are put in memory, and the restart will be cleared. You can save the defined rules through service iptables save, so the restart will still exist.

5) Test data

The following are the results of some offline test speed limits for reference only, based on the actual stable speed online:

The test command passes: wget http://192.168.2.3/filename

List the relevant data-- limit=1000/s-- limit-burst=1000:

2016-08-2214 MB/s 4931 (55.4 MB/s)-"1m" saved [1048576amp 1048576]

2016-08-2214 4931 (140 MB/s)-"10m" saved [10485760 amp 10485760]

2016-08-2214 MB/s 4933 (23.7mm)-"50m" saved [52428800pm]

2016-08-2214 MB/s 4936 (40.0 MB/s)-"100m" saved [104857600amp 104857600]

2016-08-2214 50 MB/s 05 (34.8 MB/s)-"1G" saved [1073741824deband 1073741824]

2016-08-2214 MB/s 5215 (39.7 MB/s)-"5G" saved [5368709120]

2016-08-2214 MB/s 5215 (37.4 MB/s)-"1m" saved [1048576hand 1048576]

2016-08-2214 MB/s 52 15 (33.4mm)-"10m" saved [10485760max 10485760]

2016-08-2214 MB/s 52 MB/s-"50m" saved [52428800mer 52428800]

2016-08-2214 MB/s 52 (54.6 MB/s)-"100m" saved [104857600ash 104857600]

2016-08-2214 52 MB/s 40 (46.9 MB/s)-"1G" saved [1073741824deband 1073741824]

2016-08-2214 55 MB/s 02 (36.1 MB/s)-"5G" saved [5368709120 Universe 5368709120]

2016-08-2214 55 MB/s 02 (35. 3 MB/s)-"1m" saved [1048576 hand 1048576]

2016-08-2214 55 MB/s 02 (35. 0 MB/s)-"10m" saved [10485760 hand 10485760]

2016-08-2214 MB/s 5540 (37.4 MB/s)-"50m" saved [52428800pm]

2016-08-2214 MB/s 5515 (58.6 MB/s)-"100m" saved [104857600amp 104857600]

2016-08-2214 55 MB/s 29 (42.8 MB/s)-"1G" saved [1073741824deband 1073741824]

2016-08-2214 MB/s 57 24 (44.6)-"5G" saved [5368709120 Action5368709120]

Finally, here are some of the iptables speed limits I tested after changing the relevant parameters:

6) Analysis

Through the analysis of the above data, we can know that the speed limit using iptables is mainly achieved by using the limit module of iptables to match data packets, thus realizing the speed limit.-- limit=match, which limits the rate of matching packets, in other words, how many packets can be forwarded per second, which is the most important parameter for speed limit on iptables. By formulating it, you can basically determine the rate limit to be controlled. -- limit-burst is the maximum number of times the limit limit is allowed to be triggered. The default is 5; that is, the first five packets will be forwarded directly, and the burst will be reduced to 0, and the incoming packets will be thrown to the next rule for processing (set to DROP here), and will not continue to match and forward until the limit parameter generates a new token.

To put it simply, the most important thing about the speed limit is how many tokens limit and burst,burst initially have to forward packets, and then limit will match by rate, which is equivalent to replenishing the number of tokens by time. When the first rule reaches the rate limit, the remaining packets will be thrown to the next rule for processing. Our next corresponding rule is DROP, so the remaining packets will be discarded, thus achieving the speed limit.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.