Networking Forums

iptables + ip_conntrack (required?)

 
 
Alan Williamson
      06-24-2008, 08:11 AM
I have been lurking on this group now for a while, and there does seem
to be sound advice floating around. So with that, I tread into your waters
and ask for your assistance.

The setup is simple. nginx sitting on a Linux CentOS (2.6 kernel)
acting as a load balancer for a set of backend machines.

The machine is under quite a lot of network stress in terms of sockets
being set up and torn down again. We have iptables running to stop all
the nasty people in the world!

However, views seem to be divided on the ip_conntrack issue.

Some say to just increase the value if you are running out of handles.

echo 65536 > /proc/sys/net/ipv4/ip_conntrack_max

Some say to tune the values below their defaults so sockets get cleared
out quicker:

ip_conntrack_tcp_timeout_time_wait
ip_conntrack_tcp_timeout_fin_wait

Now some people say to remove ip_conntrack completely, as it's not required
for web traffic, especially for web balancers as you need double the
amount of sockets (one for the incoming and another for the backend).

iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK


So my questions are:

1. Anyone have any experience with this world?
2. What is ip_conntrack really buying me for web traffic?
3. Is the NOTRACK the only way to turn off ip_conntrack?


All advice gratefully received and digested!

thanks

--
Alan Williamson
Registrationless email/sms reminders: http://yourli.st/
blog: http://alan.blog-city.com/
 
 
 
 
 
Pascal Hambourg
      06-24-2008, 02:23 PM
Hello,

Alan Williamson wrote:
>
> Some say to just increase the value if you are running out of handles.
>
> echo 65536 > /proc/sys/net/ipv4/ip_conntrack_max
>
> Some say to tune the values below their defaults so sockets get cleared
> out quicker:
>
> ip_conntrack_tcp_timeout_time_wait
> ip_conntrack_tcp_timeout_fin_wait
>
> Now some people say to remove ip_conntrack completely, its not required
> for web traffic, especially for web balancers as you need double the
> amount of sockets (one for the incoming and another for the backend).
>
> iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK


They're all wrong. Conntrack has nothing to do with sockets. If your box
runs out of sockets, you're looking in the wrong direction.

> 2. What is ip_conntrack really buying me for web traffic?


Conntrack tracks "connections" based on the packet flows it sees. It is
necessary for address/port translation (-j DNAT, SNAT, MASQUERADE,
REDIRECT...) and stateful filtering (-m state, conntrack). If you use
neither of these, you probably don't need conntrack.

> 3. Is the NOTRACK the only way to turn off ip_conntrack?


If ip_conntrack (or nf_conntrack in "recent" kernels) is built as a
module, you can just not load it. NOTRACK is just more selective, allowing
you not to track some flows.
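A small audit helper that applies the rule of thumb in this answer, added here as an example and not code from either poster: it parses `iptables-save` output (a constructed sample ruleset below, not from the original thread) and lists the rules whose behaviour depends on conntrack, because those are exactly what NOTRACK or an unloaded module would break, and if there are none it prints the raw-table rules for untracking a balancer's port-80 flows. It goes beyond the single PREROUTING rule in the question by covering both the inbound client side and the outbound backend side in each direction; the function names and the sample ruleset are assumptions.

```python
# Constructed sample of `iptables-save` output for a box like the one in the
# thread (hypothetical ruleset, not taken from either post).
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
-A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80
COMMIT
"""

# What conntrack exists for, per the answer above: NAT targets and stateful
# matches. Untracked packets carry no state, so they never match
# ESTABLISHED/RELATED and cannot be NATed; NOTRACK would silently break these.
NAT_TARGETS = {"DNAT", "SNAT", "MASQUERADE", "REDIRECT"}
STATEFUL_MATCHES = {"state", "conntrack"}

def conntrack_dependencies(ruleset):
    """Return (table, rule) pairs whose behaviour depends on conntrack."""
    deps, table = [], None
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):        # table header, e.g. "*nat"
            table = line[1:]
        elif line.startswith("-A"):     # a rule appended to a chain
            toks = line.split()
            target = toks[toks.index("-j") + 1] if "-j" in toks else ""
            matches = {toks[i + 1] for i, t in enumerate(toks[:-1]) if t == "-m"}
            if target in NAT_TARGETS or matches & STATEFUL_MATCHES:
                deps.append((table, line))
    return deps

def notrack_rules(port=80):
    """Raw-table rules exempting a balancer's flows on `port` from tracking:
    inbound client connections and its own outbound backend connections,
    each in both directions (the "double the sockets" case in the question)."""
    return [
        f"iptables -t raw -A PREROUTING -p tcp --dport {port} -j NOTRACK",
        f"iptables -t raw -A OUTPUT -p tcp --sport {port} -j NOTRACK",
        f"iptables -t raw -A OUTPUT -p tcp --dport {port} -j NOTRACK",
        f"iptables -t raw -A PREROUTING -p tcp --sport {port} -j NOTRACK",
    ]

if __name__ == "__main__":
    deps = conntrack_dependencies(SAMPLE_RULESET)
    print(deps if deps else "\n".join(notrack_rules(80)))
```

On a real box, feed it the output of `iptables-save` instead of the sample; an empty result is the case where not loading the module, or the NOTRACK rules, is safe.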
 