I found a new trick in iptables I wasn't aware of. Turns out iptables tracks all connections, even ones that are not going to be NAT'd. On a busy webserver or router this means iptables is wasting resources tracking connections when it should be just routing.
The raw table in iptables can be used to set a NOTRACK flag on a packet, and that packet will not traverse the ip_conntrack stuff.
So for a busy webserver, you could disable tracking for web connection states:
iptables -t raw -A PREROUTING -d <server IP> -p tcp --dport 80 -j NOTRACK
iptables -t raw -A PREROUTING -s <server IP> -p tcp --sport 80 -j NOTRACK
Or on a machine that is routing between several internal networks and also NATing external connections you could disable tracking for the internal to internal stuff.
iptables -t raw -A PREROUTING -s 172.16.0.0/16 -d 172.16.0.0/16 -j NOTRACK
On one of our core Linux routers the number of ip_conntrack entries dropped from an average of 65-70k down to about 2k.
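Both rule sets above (the web server and the internal-to-internal router case) as one small script, added here as an example rather than the post's own commands. It assumes a placeholder server address and internal range, that IPT can be set to "echo iptables" for a dry run, and it adds the one thing a stateful ruleset needs alongside NOTRACK: untracked packets never match ESTABLISHED/RELATED, so the filter table has to accept them explicitly. Replies generated on the server itself only pass the raw OUTPUT chain, so the reverse rule goes there.

```shell
#!/bin/sh
# Added example, not the original post's commands. Assumptions: the server IP and
# internal range are placeholders; IPT="echo iptables" prints rules instead of
# loading them.
IPT="${IPT:-iptables}"

# Web server: skip conntrack for port-80 traffic in both directions, then accept
# the now-untracked packets in the filter table (a -m conntrack --ctstate
# ESTABLISHED,RELATED rule will not match them).
notrack_web() {
    ip="$1"
    $IPT -t raw -A PREROUTING -d "$ip" -p tcp --dport 80 -j NOTRACK
    $IPT -t raw -A OUTPUT -s "$ip" -p tcp --sport 80 -j NOTRACK
    $IPT -A INPUT -d "$ip" -p tcp --dport 80 -m conntrack --ctstate UNTRACKED -j ACCEPT
    $IPT -A OUTPUT -s "$ip" -p tcp --sport 80 -m conntrack --ctstate UNTRACKED -j ACCEPT
}

# Router: skip conntrack for internal-to-internal forwarding. NAT depends on
# conntrack, so this must only cover traffic that is never NAT'd.
notrack_internal() {
    net="$1"
    $IPT -t raw -A PREROUTING -s "$net" -d "$net" -j NOTRACK
    $IPT -A FORWARD -s "$net" -d "$net" -m conntrack --ctstate UNTRACKED -j ACCEPT
}

# Current size of the conntrack table, to measure the effect; the sysctl path
# differs between newer (nf_conntrack) and older (ip_conntrack) kernels.
conntrack_count() {
    for f in /proc/sys/net/netfilter/nf_conntrack_count \
             /proc/sys/net/ipv4/netfilter/ip_conntrack_count; do
        [ -r "$f" ] && { cat "$f"; return 0; }
    done
    echo "conntrack module not loaded" >&2
    return 1
}

# Usage (dry run):  IPT="echo iptables" . ./notrack.sh; notrack_web 192.0.2.10
```

Run conntrack_count before and after loading the rules under real load to see the drop for your own box.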
