How to optimize iptables for high DNS traffic? I have a dedicated Linux server acting as a bridged firewall using iptables. Recently a DNS server with high load was deployed behind the firewall, and the firewall began to work slowly. Any tips on how to make the firewall more effective?
You should not log the allowed-traffic rules, to avoid excessive logs (and so the time spent writing logs). DNS packets are small, but come in outstanding numbers. Your firewall may not be able to handle that number of packets per second.
Does ifconfig -a report dropped/errors/overruns/collisions?
You can use iptraf to get the number of packets per size distribution.
You can add CPU affinity per Ethernet card, to raise the number of pps it can handle.
You could be exhausting the connection table. You can use the NOTRACK option so DNS traffic won't be retained in the connection table, thus improving performance.
If you suspect iptables is burning a lot of CPU with DNS traffic, I'd suggest reorganizing the rules so that you exit the firewall tables ASAP.
Put the DNS rules at the very top of the appropriate table.
Because of the high number of connections, if you don't need conntrack you can disable it:
iptables -t raw -I PREROUTING -j NOTRACK
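The answers above make three separate points: exempt DNS from connection tracking with NOTRACK, put the DNS rules at the top of the chain so most packets leave the filter table after one match, and do not log accepted traffic. The single raw-table rule shown untracks every packet that crosses the firewall, not only DNS, and untracked packets no longer match any ESTABLISHED,RELATED rule, so the script below (an added example, not code from any of the answers) scopes NOTRACK to port 53 in both directions and inserts matching explicit ACCEPT rules at the top of FORWARD. It assumes a hypothetical DNS server at 192.0.2.53 behind a bridge with bridge-nf-call-iptables enabled, so the traffic traverses FORWARD; the IPT variable can be set to "echo iptables" to print the rule set instead of applying it, and the conntrack_usage helper reads the kernel's nf_conntrack_count/max counters to confirm whether the table is actually filling up.

```shell
#!/bin/sh
# Added example (not from the original answers): NOTRACK scoped to DNS,
# DNS accepts at the top of FORWARD, no LOG rule for them.
# Assumptions (hypothetical): DNS server 192.0.2.53 behind a bridged firewall
# with net.bridge.bridge-nf-call-iptables=1, so its packets hit raw PREROUTING
# and filter FORWARD in both directions.
# Dry run:  IPT="echo iptables" APPLY=1 sh dns-rules.sh
# Apply:    APPLY=1 sh dns-rules.sh   (as root)

DNS_SERVER="${DNS_SERVER:-192.0.2.53}"
IPT="${IPT:-iptables}"

# Raw-table rules that exempt DNS from conntrack in both directions.
# Unlike a bare '-t raw -I PREROUTING -j NOTRACK', everything else (SSH,
# stateful rules for other hosts) stays tracked.
dns_notrack_rules() {
    for proto in udp tcp; do
        # queries towards the server
        $IPT -t raw -I PREROUTING -p "$proto" -d "$DNS_SERVER" --dport 53 -j NOTRACK
        # answers leaving the server
        $IPT -t raw -I PREROUTING -p "$proto" -s "$DNS_SERVER" --sport 53 -j NOTRACK
    done
}

# Untracked packets carry ctstate UNTRACKED, so an existing
# '-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' will not pass the
# replies. Both directions therefore need explicit ACCEPTs, inserted with -I
# so they sit at the top of FORWARD and the bulk of the traffic never reaches
# a LOG rule further down.
dns_forward_rules() {
    for proto in udp tcp; do
        $IPT -I FORWARD -p "$proto" -d "$DNS_SERVER" --dport 53 -j ACCEPT
        $IPT -I FORWARD -p "$proto" -s "$DNS_SERVER" --sport 53 -j ACCEPT
    done
}

# Current/maximum conntrack entries. A count creeping up to the max is the
# "exhausting the connection table" case; prints "n/a" when the counters are
# absent (nf_conntrack not loaded, or not Linux).
conntrack_usage() {
    dir=/proc/sys/net/netfilter
    if [ -r "$dir/nf_conntrack_count" ] && [ -r "$dir/nf_conntrack_max" ]; then
        echo "conntrack: $(cat "$dir/nf_conntrack_count")/$(cat "$dir/nf_conntrack_max")"
    else
        echo "conntrack: n/a"
    fi
}

# Only touch the rule set when explicitly asked, so sourcing or running the
# file without APPLY=1 just defines the functions for review.
if [ "${APPLY:-0}" = 1 ]; then
    conntrack_usage
    dns_notrack_rules
    dns_forward_rules
fi
```

Run it with IPT="echo iptables" first and read the eight commands it prints before applying them as root; if TCP port 53 is not used (no zone transfers, no large responses), drop the tcp iteration and keep four rules. Because the NOTRACK rules are inserted at the head of raw PREROUTING and the ACCEPTs at the head of FORWARD, a DNS packet is matched by at most two rules on its way through, which is the "exit the tables ASAP" ordering the answers recommend.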