Re: ipmasq max connections?



Mike Egglestone said:
> Hi,
> I'm wondering if ipmasq has a max connections or if it has
> a limit of the number of IP's it can masq at the same time?
>
> I would like to guess that there is no limit, or maybe the limit
> is really high, like around 65,000 or something.


If you're only masqing using 1 real IP, the limit of connections
is in the realm of 64,000 connections tops. Some software programs
I've read can horribly abuse their network connections, causing one
app to use thousands of ports on a NAT server. I recommend
monitoring your users and/or using multiple IPs to NAT. I am not
certain how this is done in Linux (haven't tried) but it is possible
in FreeBSD using ipfw and ipf (ipf works on other commercial unixes
as well).

If there's a lot of web traffic, a good way to cut down on ports in
use is to use a proxy server and force all traffic through it (the
proxy would probably have to run on the NAT server itself for it
to not consume NAT entries). You can do this using transparent
proxy setups (pretty easy to do).

You don't mention what kernel you're using, but at least under
Linux 2.2 (not sure about 2.4) you can list your NAT'd connections
by doing:

netstat -M

sample output:
IP masquerading entries
prot   expire source               destination          ports
tcp 240:00.00 aphro.aphroland.org  www8.dcx.yahoo.com   2646 -> www (61947)
icmp  0:42.53 sentry.aphroland.org penguin.linuxpowered.net 36961 -> 8 (61946)

Again, using ipchains (haven't used Linux 2.4 myself much) you can
also adjust the time a connection is allowed to be maintained using:

/sbin/ipchains -M -S 14400 600 600

(see the manpage/docs for details)

The shorter the limit, the quicker NAT connections will get terminated
and the more new connections can be made. Note the above settings
are for a VERY VERY long limit since my network usually has 1 or 2
machines accessing the net at any given point (in fact when I went
to run netstat -M I had to trigger some NAT activity because my
NAT tables were empty).

I also recommend tracking open connections on the system as well
as an indication. I use this SNMP variable: .1.3.6.1.2.1.6.9.0 which,
when shoved into MRTG, spits out a nice graph like:
http://mrtg.aphroland.org/portal.aphroland.org/portal.aphroland.org.tcpopen.html
I plan to make available extensive docs on how to put MRTG to good
use soon, so if you're interested, keep an eye out.

nate
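The reply above recommends monitoring which internal hosts are holding masquerade entries and shows the `netstat -M` table format. The following script is an added example, not code from the original post or from the netstat/ipchains projects: it parses that table, counts entries per internal host and per protocol, converts the `expire` column to seconds, and flags hosts holding more entries than a chosen threshold. The sample table embedded below is constructed for illustration in the same layout the post shows (hostnames are placeholders), and the threshold value is an assumption to be tuned for a real network.

```python
"""Summarise Linux 2.2 `netstat -M` (IP masquerading) output.

Added example, not part of the original mailing-list post. The SAMPLE
text is constructed to match the table layout shown in the post.
"""
import re
from collections import Counter

# Constructed sample in the `netstat -M` layout: prot, expire (min:sec.hundredths),
# source, destination, "src_port -> dst_port (masq_port)".
SAMPLE = """IP masquerading entries
prot   expire source               destination          ports
tcp 240:00.00 host-a.example.net   www.example.com      2646 -> www (61947)
tcp 239:58.10 host-a.example.net   www.example.com      2647 -> www (61948)
tcp 238:12.00 host-b.example.net   mail.example.org     1025 -> smtp (61949)
icmp  0:42.53 host-b.example.net   ping.example.org     36961 -> 8 (61946)
udp   0:10.00 host-a.example.net   dns.example.org      1234 -> domain (61950)
"""

# One data row of the table; header lines do not match and are skipped.
MASQ_LINE = re.compile(
    r"^(?P<prot>\w+)\s+(?P<min>\d+):(?P<sec>\d+\.\d+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<sport>\S+)\s+->\s+(?P<dport>\S+)\s+\((?P<mport>\d+)\)$"
)


def parse_entries(text):
    """Return a list of dicts, one per masquerade entry in `text`."""
    entries = []
    for line in text.splitlines():
        m = MASQ_LINE.match(line.strip())
        if not m:
            continue  # title / column-header line
        d = m.groupdict()
        entries.append({
            "prot": d["prot"],
            # expire is shown as minutes:seconds.hundredths
            "expire_s": int(d["min"]) * 60 + float(d["sec"]),
            "src": d["src"],
            "dst": d["dst"],
            "sport": d["sport"],
            "dport": d["dport"],
            "masq_port": int(d["mport"]),
        })
    return entries


def count_by_source(entries):
    """How many NAT entries each internal host currently holds."""
    return Counter(e["src"] for e in entries)


def count_by_protocol(entries):
    """How many NAT entries exist per protocol (tcp/udp/icmp)."""
    return Counter(e["prot"] for e in entries)


def heavy_users(entries, threshold):
    """Hosts holding at least `threshold` entries, sorted by name.

    `threshold` is an assumed tuning knob; the post only says to watch for
    single apps burning thousands of ports.
    """
    return sorted(h for h, n in count_by_source(entries).items() if n >= threshold)


def masq_ports_in_use(entries):
    """Set of external (masquerade) ports currently allocated."""
    return {e["masq_port"] for e in entries}


def report(text, threshold=3):
    """Build a plain-text summary suitable for a cron job or log line."""
    entries = parse_entries(text)
    lines = [f"masq entries: {len(entries)}",
             f"masq ports in use: {len(masq_ports_in_use(entries))}"]
    for prot, n in sorted(count_by_protocol(entries).items()):
        lines.append(f"  {prot}: {n}")
    for host, n in count_by_source(entries).most_common():
        lines.append(f"  {host}: {n}")
    for host in heavy_users(entries, threshold):
        lines.append(f"WARNING: {host} holds >= {threshold} entries")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

On a live 2.2 box the text would come from `netstat -M` itself (for example via `subprocess.run(["netstat", "-M"], capture_output=True, text=True).stdout`) rather than from `SAMPLE`; the parser ignores the two header lines, so the raw output can be passed straight in.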
