0

Iptables can be optimized by putting the most used rule on the top, such as the known related rule that matches after connection establishment. Also, optimization can be done by using jumps to avoid very long chains. This link shows an example.

My question is about optimizing the rule itself. How will the performance be affected by adding and/or deleting some checks in a specific rule? What about the order of these checks? For example, this rule:

iptables -A FORWARD -i eth0 -s source_ip -d dest_ip -p tcp --dport 80 -j ACCEPT

can be rewritten as:

iptables -A FORWARD -s source_ip -d dest_ip -p tcp --dport 80 -j ACCEPT

Both rules will allow HTTP traffic from a specific source to a specific destination. Do you think there will be a performance difference between the two? Also, the checks can be re-ordered as:

iptables -A FORWARD -p tcp --dport 80 -s source_ip -d dest_ip -i eth0 -j ACCEPT

Will this also make a difference, or will iptables automatically take care of it?

Khaled
  • 36,533
  • 8
  • 72
  • 99

3 Answers

1

No, as you're just reordering strings that are fed to the command-option parser.

pfo
  • 5,700
  • 24
  • 36
0

iptables -A FORWARD -i eth0 -s source_ip -d dest_ip -p tcp --dport 80 -j ACCEPT

and

iptables -A FORWARD -p tcp --dport 80 -s source_ip -d dest_ip -i eth0 -j ACCEPT

create the system call iptc_append_entry() with the same arguments.

iptables -A FORWARD -s source_ip -d dest_ip -p tcp --dport 80 -j ACCEPT

create the system call iptc_append_entry() with a different ipt_entry struct (without iniface)... I think the performance will not change.

alvosu
  • 8,437
  • 25
  • 22
0

Whenever in doubt, enter the iptables line you're investigating, and do an iptables-save | less afterwards.

pepoluan
  • 5,038
  • 4
  • 47
  • 72
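The question's actual optimization lever is rule order within a chain (most-hit rule first, the RELATED,ESTABLISHED shortcut at the top), and pepoluan's answer points at iptables-save as the place to read back what the kernel really holds. The following Python script, added here as an illustration and not part of any answer above, ties the two together: it parses the counters that iptables-save -c prints in front of each rule, reports whether the stateful shortcut sits first in a chain, and proposes a packet-count ordering. The sample ruleset, its addresses and its counters are constructed for the example. The script refuses to reorder a chain whose rules have different targets, because swapping an ACCEPT and a DROP that can match the same traffic changes policy, not just speed.

```python
import re
from collections import defaultdict

# Constructed sample of `iptables-save -c` output (counters as [packets:bytes]).
# Rules, addresses and counters are made up for this example.
SAMPLE_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [12:960]
:OUTPUT ACCEPT [0:0]
[150:12000] -A FORWARD -i eth0 -s 10.0.0.5/32 -d 192.168.1.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
[20:1600] -A FORWARD -i eth0 -s 10.0.0.6/32 -d 192.168.1.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
[980000:700000000] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[3:240] -A FORWARD -i eth0 -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

# One saved rule: "[pkts:bytes] -A CHAIN <match spec and target>"
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")
TARGET_RE = re.compile(r"-j\s+(\S+)")


def parse_rules(text):
    """Return {chain: [(packets, bytes, rule_body), ...]} in saved order."""
    chains = defaultdict(list)
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            pkts, byts, chain, body = m.groups()
            chains[chain].append((int(pkts), int(byts), body))
    return dict(chains)


def target_of(body):
    """Jump target of a rule body, or None if it has no -j."""
    m = TARGET_RE.search(body)
    return m.group(1) if m else None


def is_stateful_shortcut(body):
    """True for the RELATED,ESTABLISHED accept rule that belongs at the top."""
    return (("--ctstate" in body or "--state" in body)
            and "ESTABLISHED" in body
            and target_of(body) == "ACCEPT")


def audit_chain(rules):
    """Findings for one chain about where the stateful shortcut sits."""
    findings = []
    idx = next((i for i, (_, _, b) in enumerate(rules) if is_stateful_shortcut(b)), None)
    if idx is None:
        findings.append("no RELATED,ESTABLISHED shortcut rule in chain")
    elif idx > 0:
        findings.append(
            f"stateful shortcut is rule {idx + 1}; {idx} rule(s) are evaluated "
            f"before it for every packet")
    return findings


def suggested_order(rules):
    """Shortcut first, then the rest by descending packet count (stable sort).

    Returns the original order untouched when targets differ, since reordering
    rules with overlapping matches and different verdicts changes the policy.
    """
    if len({target_of(b) for _, _, b in rules}) > 1:
        return list(rules)
    shortcut = [r for r in rules if is_stateful_shortcut(r[2])]
    rest = [r for r in rules if not is_stateful_shortcut(r[2])]
    rest.sort(key=lambda r: r[0], reverse=True)
    return shortcut + rest


if __name__ == "__main__":
    for chain, rules in parse_rules(SAMPLE_SAVE).items():
        print(f"chain {chain}:")
        for f in audit_chain(rules):
            print("  ", f)
        for pkts, _, body in suggested_order(rules):
            print(f"   [{pkts:>8}] {body}")
```

Run it against real output with `iptables-save -c | python3 script.py` after replacing SAMPLE_SAVE with `sys.stdin.read()`; the counters are what tell you which rule is "mostly used", and the saved form shows that the two spellings of the HTTP rule in the question land as the same entry.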