Iptables – ufw without connection tracking

Tags: iptables, nf-conntrack, ufw

I am using ufw on a high traffic webserver (lot of http/https traffic) on ubuntu (12.04 or 14.04).

I tried tuning kernel parameters related to connection tracking with some success.

However, thinking about it, I don't do NAT, therefore I don't think I need connection tracking at least for the connections on port 80 or 443.

I tried following the directions from this question with adaptations, that is:

sudo iptables -t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK

and my raw table looks like:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
NOTRACK    tcp  --  anywhere             anywhere             tcp dpt:http

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

To test that it all works, I make requests to an nginx instance on the machine using wrk with 3 threads and 1000 connections.

wrk -t 3 -c 1000 "http://<server_ip>/"

As those are not supposed to be tracked, I should not see them in the conntrack count.

However, I do…

sudo sysctl -A | grep net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 1035

I can clearly see this value going up and down as I run the test.

What am I doing wrong?

Best Answer

You need an OUTPUT rule, too.

-t raw -A PREROUTING -p tcp --dport 80 -j NOTRACK
-t raw -A OUTPUT -p tcp --sport 80 -j NOTRACK
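A fuller version of that rule pair, as an added example that is not from the answer's author: a POSIX sh script that emits the PREROUTING/OUTPUT NOTRACK pair for any list of ports (80 and 443 here, matching the question), applies it idempotently, and counts the conntrack entries still involving a port so the wrk test from the question can be re-checked. It assumes the line format of /proc/net/nf_conntrack; the sample listing at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Paired raw-table NOTRACK rules for each TCP port given. The PREROUTING
# half matches inbound packets on destination port; the OUTPUT half
# matches the server's own replies on source port. With only the first
# half, every reply the server sends still creates a conntrack entry.
notrack_rules() {
    for port in "$@"; do
        printf '%s\n' "-t raw -A PREROUTING -p tcp --dport $port -j NOTRACK"
        printf '%s\n' "-t raw -A OUTPUT -p tcp --sport $port -j NOTRACK"
    done
}

# Apply the rules idempotently: 'iptables -C' fails when a rule is absent,
# so re-running this never duplicates a rule. Needs root.
apply_notrack() {
    notrack_rules "$@" | while read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
        # shellcheck disable=SC2086  # splitting $rule into arguments is intended
        iptables $check 2>/dev/null || iptables $rule
    done
}

# Count conntrack entries that involve the given port in either tuple,
# reading a /proc/net/nf_conntrack-style listing (second argument lets you
# point at a saved copy). Expect 0 for a port once both rules are in place.
tracked_entries() {
    port=$1
    listing=${2:-/proc/net/nf_conntrack}
    grep -c "dport=${port} " "$listing" || true
}

# Constructed sample listing: one tracked HTTP connection, one SSH session.
SAMPLE_LISTING=$(mktemp)
cat > "$SAMPLE_LISTING" <<'EOF'
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.5 dst=198.51.100.10 sport=53142 dport=80 src=198.51.100.10 dst=203.0.113.5 sport=80 dport=53142 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.5 dst=198.51.100.10 sport=53143 dport=22 src=198.51.100.10 dst=203.0.113.5 sport=22 dport=53143 [ASSURED] mark=0 use=2
EOF

# Usage as root:  apply_notrack 80 443 ; run the wrk test ; tracked_entries 80
```

Packets hit by NOTRACK carry no conntrack state, so they never match `--ctstate NEW` or `ESTABLISHED`; check that the filter-table rules admitting these ports accept them by port rather than by state.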