Hello! Yesterday I worked hard and optimized iptables using the mangle table, ipset and iproute.
We want to mark packets from addresses held in an ipset so that they are routed via another gateway, while all other packets keep taking the normal route.
These rules cost minimal resources because only clients that are currently online are served: the NAT server adds and removes their addresses in the set dynamically, instead of them being created statically as ip rule entries, which is how it worked before.
iptables (mangle table, in iptables-save/iptables-restore format). Pay attention to --set-xmark: its value (0x26, i.e. 38 decimal) is what we match with fwmark in ip rule.
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A PREROUTING -m set --match-set realips src -j MARK --set-xmark 0x26/0xffffffff
-A PREROUTING -m state --state NEW -m set --match-set realips src -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
ip ro add default via x.x.x.x table 38
ip ru add fwmark 38 table 38
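The whole setup (ipset, the three mangle rules and the two iproute2 commands) as one script, added here as an example and not code from the original post. It derives the iptables mark and the ip rule fwmark from a single table number, since the one is written in hex (0x26) and the other in decimal (38) and a mismatch silently routes nothing. The set name realips and table 38 come from the post; the gateway 192.0.2.1 is a placeholder standing in for the post's x.x.x.x, and the client_online/client_offline helpers are hypothetical hooks the NAT server would call.

```shell
#!/bin/sh
# Added example, not code from the original post.  Parameterises the
# mangle rules and iproute2 commands shown above so that the iptables
# mark and the ip-rule fwmark always come from the same number.
# Assumptions (not in the post): placeholder gateway 192.0.2.1 for the
# post's x.x.x.x, and client_online/client_offline as hypothetical hooks.
set -eu

SET_NAME="${SET_NAME:-realips}"
TABLE="${TABLE:-38}"              # routing table number, decimal
GATEWAY="${GATEWAY:-192.0.2.1}"   # hypothetical gateway for the marked traffic

# iptables wants the mark in hex (0x26); ip rule takes it in decimal (38)
# and prints it in hex.  Deriving the hex form from the table number
# keeps the two sides from drifting apart.
mark_hex() {
    printf '0x%x' "$1"
}

# Mangle table in iptables-restore format.  Rule order matters:
#  1. restore the connection mark onto every packet of a known connection
#     (this is what marks the return traffic, whose src is not in the set);
#  2. mark packets whose source address is a set member;
#  3. on the first packet of such a connection, save the mark to conntrack.
gen_mangle_rules() {
    mark=$(mark_hex "$TABLE")
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A PREROUTING -m set --match-set $SET_NAME src -j MARK --set-xmark $mark/0xffffffff
-A PREROUTING -m state --state NEW -m set --match-set $SET_NAME src -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
COMMIT
EOF
}

# Policy routing: anything carrying the mark is looked up in its own table.
gen_routing_cmds() {
    cat <<EOF
ip route replace default via $GATEWAY table $TABLE
ip rule add fwmark $TABLE table $TABLE
EOF
}

# Load everything on the NAT box (root required).  A plain iptables-restore
# replaces the whole mangle table atomically, so re-running is idempotent,
# but any other mangle rules must be merged into gen_mangle_rules first.
apply_rules() {
    ipset -exist create "$SET_NAME" hash:ip
    gen_mangle_rules | iptables-restore
    ip route replace default via "$GATEWAY" table "$TABLE"
    # ip rule has no "replace"; ip rule show prints the fwmark in hex.
    ip rule show | grep -q "fwmark $(mark_hex "$TABLE") lookup $TABLE" ||
        ip rule add fwmark "$TABLE" table "$TABLE"
}

# Dynamic membership (hypothetical hooks): the NAT server calls these as
# clients come and go; the iptables rules and ip rules never change.
client_online()  { ipset -exist add "$SET_NAME" "$1"; }
client_offline() { ipset -exist del "$SET_NAME" "$1"; }

# Only touch the kernel when explicitly asked: APPLY_RULES=1 sh this.sh
if [ "${APPLY_RULES:-0}" = 1 ]; then
    apply_rules
fi
```

Two things to check after loading: `ip rule show` must list `fwmark 0x26 lookup 38` (hex on that side), and `iptables -t mangle -L PREROUTING -v` must show the MARK rule's counters moving for set members. Note also that table 38 contains only a default route, which matches every destination, so a marked packet never falls through to the main table; if marked connections must also reach directly attached prefixes, those routes have to be present in table 38 as well. The `-m set --match-set` syntax is the iptables 1.4.x form; older builds spelled the same match `-m set --set realips src`.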
Hardware: dual Xeon X5650 (HT disabled), Intel X520 SFP+ 10 Gbps network card with the ixgbe driver, kernel 3.9.5
New statistics (ipset + fwmark routing):
Speed: IN 5.84 Gbps, OUT 1.95 Gbps (7.8 Gbps in both directions)
CPU: 6% idle
Old statistics (with ~500 IPs permanently added as ip rule entries):
Speed: IN 1.95 Gbps, OUT 730 Mbps (2.7 Gbps in both directions)
CPU: 57% idle