Log from #iptables at freenode 2006-07-21
[09:49]<scrgn>*panic*
[09:54]<rnryv>skane: yes
[09:55]<scrgn>i meant -L
[09:55]<scrgn>but L looks so similar to F somehow :-/
[09:55]<scrgn>i will have to find out how to reboot
[09:56]<scrgn>as a dyslexic i maybe should be a truck driver, not a webmaster
[10:31]<scrgn>I rebooted the machine and everything is fine again
[13:31]<sym>Some people are claiming that modifying the network buffers (not touching mtu) will increase speeds from a .us 100mbit to a european site. The current speeds are 200kbps; and they say if I increase the network buffers in /etc/sysctl.conf that it will go to 3 megs a second.
[13:32]<sym>Anyone think this is possible/likely? or are they fos?
[13:33]<rlraxne>na
[13:33]<rlraxne>depends
[13:33]<sym>Apachez: depends on what?
[13:33]<rlraxne>most likely is that your isp has bad transit to rest of the world
[13:33]<rlraxne>but other from that...
[13:33]<rlraxne>raising window sizes and interrupt buffers is usually a good idea no matter if the connection goes 1 hop or 200 hops
[13:34]<rlraxne>you can take a look at my settings for 100/100 at http://www.tbg.nu/iptables.txt
[13:34]<sym>Apachez: Why do all GNU / Linux operating systems come with lower network buffers, if increasing them makes speeds so much faster?
[13:35]<rlraxne>dunno
[13:35]<rlraxne>i too am a bit "angry" that they are still using default settings back from 1985 where the fastest connection was 33.6kbit modems
[13:35]<rlraxne>I saw once a benchmark test of a p2p connection (1 hop) where they compared default settings with modified settings for gbit network
[13:36]<rlraxne>without touching mtu
[13:36]<rlraxne>the speed went from approx 150mbit to 700 mbit just by changing txqueuelen and window sizes
[13:36]<rlraxne>and then another boost when using jumboframes (9000 instead of 1500)
[13:36]<sym>damn; yea they're claiming speeds like this.
[13:37]<sym>Especially from one country to another.
[13:37]<rlraxne>you can also check the land speed record settings
[13:37]<sym>ie; asia to .us; and .eu to .us
[13:37]<rlraxne>those are a bit extreme but still
[13:37]<rlraxne>they use stuff like 100 meg for windowsize :P
[13:39]<sym>Why does barely anyone use these techniques?
[13:43]<rlraxne>we are :P
[13:43]<rlraxne>the stupid thing is that the default settings havent changed
[13:43]<rlraxne>most likely because they are supposed to be conservative
[13:43]<rlraxne>like if linux supports 386 it should work on a 386 with 1 meg ram as well
[13:44]<rlraxne>and on such machine it would be a bit problematic to allow windowsize of 8 meg
[13:44]<sym>Does it increase latency? Maybe they want to maintain a certain amount of low latency?
[13:45]<rlraxne>most likely lower latency somewhat because packets wont need to be retransmitted as often
[13:47]<rlraxne>I would like to see the kernel be optimized for say at least 100mbit from scratch
[13:47]<rlraxne>and then have a kernel option when you boot which could lower the settings to "old default"
[13:47]<rlraxne>or perhaps have a couple of preconfigured modes
[13:48]<rlraxne>like 10mbit, 100mbit, 1gbit, 10ge
[13:48]<sym>yea; that'd be nice.
[13:48]<rlraxne>where default would be 100mbit and with kernel param at boot (or after boot via proc) set it to another default value
[13:48]<sym>Have the GNU / Linux distribution automatically figure out the pipe / RAM; and adjust properly.
[13:48]<rlraxne>this way you wouldnt have to spend 40 hours reading all sorts of opinions on what are "good" values and testing them yourself back and forth
[13:50]<sym>I'm in .us; and my server is in .us; I'm on a 10mbit down; but I only get 500 kbps from this server; You think if I modify network buffers it will increase my speed?
[13:50]<rlraxne>you could test ?
[13:50]<sym>My pipe doesn't seem to be saturated. I'll spike at 1.5 megs a second sometimes. 900 kbps steady on a good connection
[13:50]<rlraxne>you can try my settings and see if they help
[13:50]<rlraxne>if not just reboot :P
[13:50]<sym>Are those for a 100mbit?
[13:51]<sym>it's athlon 2800+ 512 megs of RAM; and 100mbit pipe from layeredtech
[13:51]<rlraxne>yup 100mbit
[13:51]<sym>And I use probably 100 megs of RAM; and the rest is free.
[13:51]<rlraxne>what i noticed with these settings was that the traffic had a better flow
[13:51]<rlraxne>previous settings gave me more spikes in the graphs when i did a benchmark
[13:52]<rlraxne>the new settings will go up to 100mbit directly and basically stay there
[13:52]<rlraxne>the benchmark starts with small chunks and works its way up to 1gbyte transfer
[14:34]<sym>Apachez: http://www.rafb.net/paste/results/Nhl26X68.html
[14:34]<sym>Are those settings good for a 100mbit pipe?
[14:35]<rlraxne>you could try them
[14:35]<rlraxne>regarding mem settings i think it can be bad to force a single windowsize
[14:36]<sym>I did try them; and they didn't improve anything.
[14:36]<rlraxne>especially since not everyone has 40 meg in window size
[14:36]<sym>I have those settings in /etc/sysctl.conf; and I typed "sysctl -p" as root
[14:38]<sym>eh; I know nothing about these settings Apachez; Someone told me to try them. They told me BIG speed increases. So I did. heh. But I don't notice any difference in speed. Neither do 7 others; 2 from .eu cable isps; and 2 from .us cable isps; and 3 from .us 100mbit
[15:04]<rlraxne>sid: that is because in your case the problem is your isp's transit
[15:05]<rlraxne>the tcp settings are more visible when you test them p2p
[15:22]<byffyngdjjn>hi folks
[15:22]<byffyngdjjn>anyone know if it's possible to redirect traffic back to its source?
[15:23]<byffyngdjjn>like, if I receive a packet from gmail.com, is there a way (using DNAT) to send the packet back to gmail.com?
[15:23]<byffyngdjjn>iptables -t nat -A PREROUTING -s gmail.com -d me.com -j DNAT --to-destination gmail.com
[15:23]<byffyngdjjn>does it work?
[15:25]<rlraxne>using dns is a bad option
[15:25]<rlraxne>use ips instead
[15:25]<byffyngdjjn>Apachez, ok, but with IP, works ?
[15:25]<rlraxne>if you want to send traffic back then use -j MIRROR
[15:27]<byffyngdjjn>mirror is still experimental ... does it really work?
[15:28]<rlraxne>or just -j REJECT
[15:28]<rlraxne>proper is otherwise just -j DROP
[15:35]<byffyngdjjn>Apachez, ok, thanks
[18:01]<byffyngdjjn>Apachez, about the IP limit module, if I want to limit to max 5 connections from an IP, I'll use iptables -t nat -A PREROUTING -p tcp --syn --dport 80 -m iplimit --iplimit-above 5 -j DROP ??
[18:05]<ggwvjgw>hi, quick question, via ssh i wanna configure it to drop all packets and only accept WWW/SSH
[18:05]<ggwvjgw>iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
[18:05]<ggwvjgw>iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
[18:05]<ggwvjgw>iptables -P INPUT DROP
[18:06]<ggwvjgw>but this blocks everything out, how should i go about fixing it?
[18:15]<rlraxne>you also need an output rule
[18:15]<rlraxne>let's say you have DROP as default for INPUT, OUTPUT and FORWARD
[18:15]<rlraxne>sure the iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT will allow new incoming packets, but the reply will be dropped
[18:15]<rlraxne>so you need something like
[18:16]<rlraxne>-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[18:21]<ggwvjgw>so i should add the output rule first, before iptables -P INPUT DROP
[18:21]<ggwvjgw>that way i won't get kicked out?
[19:34]<vrgfuysx>sup guys