
iptables performance drops when being accessed by two source IPs

Last Modified: 2014-06-26
Hi, we have set up iptables as shown below.

The problem is that above a certain level of load, around 9k per source IP (we have load coming from two source IPs), the traffic suddenly looks like it is being rate limited.

We have checked many settings but must be missing something.

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    VIP-0002   all  --  0.0.0.0/0            10.4.8.112          [goto] /* VIP-0002 */
2    VIP-0003   all  --  0.0.0.0/0            10.4.8.113          [goto] /* VIP-0003 */

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    PR-0002-0001-0001  tcp  --  0.0.0.0/0            10.4.8.201          [goto] tcp dpt:83 state NEW
2    PR-0003-0001-0001  tcp  --  0.0.0.0/0            10.4.8.203          [goto] tcp dpt:83 state NEW
3    PR-0003-0001-0002  tcp  --  0.0.0.0/0            10.4.8.203          [goto] tcp dpt:83 state NEW
4    PR-0003-0001-0003  tcp  --  0.0.0.0/0            10.4.8.203          [goto] tcp dpt:83 state NEW
5    PR-0003-0001-0004  tcp  --  0.0.0.0/0            10.4.8.203          [goto] tcp dpt:83 state NEW
6    PR-0002-0001-0002  tcp  --  0.0.0.0/0            10.4.8.201          [goto] tcp dpt:83 state NEW
7    PR-0003-0001-0005  tcp  --  0.0.0.0/0            10.4.8.203          [goto] tcp dpt:83 state NEW

Chain PR-0002-0001-0001 (1 references)
num  target     prot opt source               destination
1    SNAT       all  --  0.0.0.0/0            0.0.0.0/0           /* PR-RIP-0002-0001-0001 */ to:10.4.8.11

Chain PR-0002-0001-0002 (1 references)
num  target     prot opt source               destination
1    SNAT       all  --  0.0.0.0/0            0.0.0.0/0           /* PR-RIP-0002-0001-0002 */ to:10.4.8.11

Chain PR-0003-0001-0001 (1 references)
num  target     prot opt source               destination
1    SNAT       all  --  0.0.0.0/0            0.0.0.0/0           /* PR-RIP-0003-0001-0001 */ to:10.4.8.11

Chain PR-0003-0001-0002 (1 references)
num  target     prot opt source               destination
1    SNAT       all  --  0.0.0.0/0            0.0.0.0/0           /* PR-RIP-0003-0001-0002 */ to:10.4.8.11

Chain PR-0003-0001-0003 (1 references)
num  target     prot opt source               destination
1    SNAT       all  --  0.0.0.0/0            0.0.0.0/0           /* PR-RIP-0003-0001-0003 */ to:10.4.8.11

Chain PR-0003-0001-0004 (1 references)
num  target     prot opt source               destination
1    SNAT       all  --  0.0.0.0/0            0.0.0.0/0           /* PR-RIP-0003-0001-0004 */ to:10.4.8.11

Chain PR-0003-0001-0005 (1 references)
num  target     prot opt source               destination
1    SNAT       all  --  0.0.0.0/0            0.0.0.0/0           /* PR-RIP-0003-0001-0005 */ to:10.4.8.11

Chain RIP-RR-0002-0001-0001 (1 references)
num  target     prot opt source               destination
1    SET        all  --  0.0.0.0/0            0.0.0.0/0           /* Removes VSR-RR-0002-0001 from LB-RR-0002-0001-0001 */ del-set LB-RR-0002-0001-0001 dst
2    SET        all  --  0.0.0.0/0            0.0.0.0/0           /* Adds VSR-RR-0002-0001 to LB-RR-0002-0001-0002 */ add-set LB-RR-0002-0001-0002 dst
3    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           /* PREROUTING: VSR-RR-0002-0001 LB-RR-0002-0001-0001 */ to:10.4.8.201:83

Chain RIP-RR-0002-0001-0002 (1 references)
num  target     prot opt source               destination
1    SET        all  --  0.0.0.0/0            0.0.0.0/0           /* Removes VSR-RR-0002-0001 from LB-RR-0002-0001-0002 */ del-set LB-RR-0002-0001-0002 dst
2    SET        all  --  0.0.0.0/0            0.0.0.0/0           /* Adds VSR-RR-0002-0001 to LB-RR-0002-0001-0001 */ add-set LB-RR-0002-0001-0001 dst
3    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           /* PREROUTING: VSR-RR-0002-0001 LB-RR-0002-0001-0002 */ to:10.4.8.201:83

Chain RIP-RR-0003-0001-0001 (1 references)
num  target     prot opt source               destination
1    SET        all  --  0.0.0.0/0            0.0.0.0/0           /* Removes VSR-RR-0003-0001 from LB-RR-0003-0001-0001 */ del-set LB-RR-0003-0001-0001 dst
2    SET        all  --  0.0.0.0/0            0.0.0.0/0           /* Adds VSR-RR-0003-0001 to LB-RR-0003-0001-0005 */ add-set LB-RR-0003-0001-0005 dst
3    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           /* PREROUTING: VSR-RR-0003-0001 LB-RR-0003-0001-0001 */ to:10.4.8.203:83

Chain RIP-RR-0003-0001-0002 (1 references)
num  target     prot opt source               destination
1    SET        all  --  0.0.0.0/0            0.0.0.0/0           /* Removes VSR-RR-0003-0001 from LB-RR-0003-0001-0002 */ del-set LB-RR-0003-0001-0002 dst
2    SET        all  --  0.0.0.0/0            0.0.0.0/0           /* Adds VSR-RR-0003-0001 to LB-RR-0003-0001-0001 */ add-set LB-RR-0003-0001-0001 dst
3    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           /* PREROUTING: VSR-RR-0003-0001 LB-RR-0003-0001-0002 */ to:10.4.8.203:83

Chain RIP-RR-0003-0001-0003 (1 references)
num  target     prot opt source               destination
1    SET        all  --  0.0.0.0/0            0.0.0.0/0           /* Removes VSR-RR-0003-0001 from LB-RR-0003-0001-0003 */ del-set LB-RR-0003-0001-0003 dst
2    SET        all  --  0.0.0.0/0            0.0.0.0/0           /* Adds VSR-RR-0003-0001 to LB-RR-0003-0001-0002 */ add-set LB-RR-0003-0001-0002 dst
3    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           /* PREROUTING: VSR-RR-0003-0001 LB-RR-0003-0001-0003 */ to:10.4.8.203:83

Chain RIP-RR-0003-0001-0004 (1 references)
num  target     prot opt source               destination
1    SET        all  --  0.0.0.0/0            0.0.0.0/0           /* Removes VSR-RR-0003-0001 from LB-RR-0003-0001-0004 */ del-set LB-RR-0003-0001-0004 dst
2    SET        all  --  0.0.0.0/0            0.0.0.0/0           /* Adds VSR-RR-0003-0001 to LB-RR-0003-0001-0003 */ add-set LB-RR-0003-0001-0003 dst
3    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           /* PREROUTING: VSR-RR-0003-0001 LB-RR-0003-0001-0004 */ to:10.4.8.203:83

Chain RIP-RR-0003-0001-0005 (1 references)
num  target     prot opt source               destination
1    SET        all  --  0.0.0.0/0            0.0.0.0/0           /* Removes VSR-RR-0003-0001 from LB-RR-0003-0001-0005 */ del-set LB-RR-0003-0001-0005 dst
2    SET        all  --  0.0.0.0/0            0.0.0.0/0           /* Adds VSR-RR-0003-0001 to LB-RR-0003-0001-0004 */ add-set LB-RR-0003-0001-0004 dst
3    DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           /* PREROUTING: VSR-RR-0003-0001 LB-RR-0003-0001-0005 */ to:10.4.8.203:83

Chain VIP-0002 (1 references)
num  target     prot opt source               destination
1    VSR-RR-0002-0001  tcp  --  0.0.0.0/0            0.0.0.0/0           [goto] tcp dpt:80 state NEW /* RR-0002-0001 */

Chain VIP-0003 (1 references)
num  target     prot opt source               destination
1    VSR-RR-0003-0001  tcp  --  0.0.0.0/0            0.0.0.0/0           [goto] tcp dpt:80 state NEW /* RR-0003-0001 */

Chain VSR-RR-0002-0001 (1 references)
num  target     prot opt source               destination
1    RIP-RR-0002-0001-0002  all  --  0.0.0.0/0            0.0.0.0/0           [goto] match-set LB-RR-0002-0001-0002 dst /* RR-NEXT-0001 DNAT to RIPip:10.4.8.201 RIPport:83 */
2    RIP-RR-0002-0001-0001  all  --  0.0.0.0/0            0.0.0.0/0           [goto] /* RR-NEXT-0002 DNAT to RIPip:10.4.8.201 RIPport:83 */

Chain VSR-RR-0003-0001 (1 references)
num  target     prot opt source               destination
1    RIP-RR-0003-0001-0005  all  --  0.0.0.0/0            0.0.0.0/0           [goto] match-set LB-RR-0003-0001-0005 dst /* RR-NEXT-0004 DNAT to RIPip:10.4.8.203 RIPport:83 */
2    RIP-RR-0003-0001-0004  all  --  0.0.0.0/0            0.0.0.0/0           [goto] match-set LB-RR-0003-0001-0004 dst /* RR-NEXT-0003 DNAT to RIPip:10.4.8.203 RIPport:83 */
3    RIP-RR-0003-0001-0003  all  --...