The performance impact of iptables rules

Time: 2022-04-08 07:00:17

I recently tested how a large number of filter-table INPUT rules in iptables affects the performance of MySQL itself.


Test setup:

Create the iptables filter rules

iptables -t filter -N RULEADMIN
iptables -t filter -I RULEADMIN -s 10.250.14.0/24  -j ACCEPT
iptables -t filter -I RULEADMIN -s 10.242.232.0/24  -j ACCEPT
iptables -t filter -A RULEADMIN -j DROP
iptables -t filter -N RULE3000
iptables -t filter -I RULE3000 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3000 -j RULEADMIN
iptables -t filter -N RULE3001
iptables -t filter -I RULE3001 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3001 -j RULEADMIN
iptables -t filter -N RULE3002
iptables -t filter -I RULE3002 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3002 -j RULEADMIN
iptables -t filter -N RULE3003
iptables -t filter -I RULE3003 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3003 -j RULEADMIN
iptables -t filter -N RULE3004
iptables -t filter -I RULE3004 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3004 -j RULEADMIN
iptables -t filter -N RULE3005
iptables -t filter -I RULE3005 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3005 -j RULEADMIN
iptables -t filter -N RULE3006
iptables -t filter -I RULE3006 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3006 -j RULEADMIN
iptables -t filter -N RULE3007
iptables -t filter -I RULE3007 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3007 -j RULEADMIN
iptables -t filter -N RULE3008
iptables -t filter -I RULE3008 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3008 -j RULEADMIN
iptables -t filter -N RULE3009
iptables -t filter -I RULE3009 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3009 -j RULEADMIN
iptables -t filter -N RULE3010
iptables -t filter -I RULE3010 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3010 -j RULEADMIN
iptables -t filter -N RULE3011
iptables -t filter -I RULE3011 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3011 -j RULEADMIN
iptables -t filter -N RULE3012
iptables -t filter -I RULE3012 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3012 -j RULEADMIN
iptables -t filter -N RULE3013
iptables -t filter -I RULE3013 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3013 -j RULEADMIN
iptables -t filter -N RULE3014
iptables -t filter -I RULE3014 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3014 -j RULEADMIN
iptables -t filter -N RULE3015
iptables -t filter -I RULE3015 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3015 -j RULEADMIN
iptables -t filter -N RULE3016
iptables -t filter -I RULE3016 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3016 -j RULEADMIN
iptables -t filter -N RULE3017
iptables -t filter -I RULE3017 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3017 -j RULEADMIN
iptables -t filter -N RULE3018
iptables -t filter -I RULE3018 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3018 -j RULEADMIN
iptables -t filter -N RULE3019
iptables -t filter -I RULE3019 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3019 -j RULEADMIN
iptables -t filter -N RULE3020
iptables -t filter -I RULE3020 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3020 -j RULEADMIN
iptables -t filter -N RULE3021
iptables -t filter -I RULE3021 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3021 -j RULEADMIN
iptables -t filter -N RULE3022
iptables -t filter -I RULE3022 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3022 -j RULEADMIN
iptables -t filter -N RULE3023
iptables -t filter -I RULE3023 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3023 -j RULEADMIN
iptables -t filter -N RULE3024
iptables -t filter -I RULE3024 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3024 -j RULEADMIN
iptables -t filter -N RULE3025
iptables -t filter -I RULE3025 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3025 -j RULEADMIN
iptables -t filter -N RULE3026
iptables -t filter -I RULE3026 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3026 -j RULEADMIN
iptables -t filter -N RULE3027
iptables -t filter -I RULE3027 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3027 -j RULEADMIN
iptables -t filter -N RULE3028
iptables -t filter -I RULE3028 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3028 -j RULEADMIN
iptables -t filter -N RULE3029
iptables -t filter -I RULE3029 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3029 -j RULEADMIN
iptables -t filter -N RULE3030
iptables -t filter -I RULE3030 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3030 -j RULEADMIN
iptables -t filter -N RULE3031
iptables -t filter -I RULE3031 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3031 -j RULEADMIN
iptables -t filter -N RULE3032
iptables -t filter -I RULE3032 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3032 -j RULEADMIN
iptables -t filter -N RULE3033
iptables -t filter -I RULE3033 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3033 -j RULEADMIN
iptables -t filter -N RULE3034
iptables -t filter -I RULE3034 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3034 -j RULEADMIN
iptables -t filter -N RULE3035
iptables -t filter -I RULE3035 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3035 -j RULEADMIN
iptables -t filter -N RULE3036
iptables -t filter -I RULE3036 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3036 -j RULEADMIN
iptables -t filter -N RULE3037
iptables -t filter -I RULE3037 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3037 -j RULEADMIN
iptables -t filter -N RULE3038
iptables -t filter -I RULE3038 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3038 -j RULEADMIN
iptables -t filter -N RULE3039
iptables -t filter -I RULE3039 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3039 -j RULEADMIN
iptables -t filter -N RULE3040
iptables -t filter -I RULE3040 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3040 -j RULEADMIN
iptables -t filter -N RULE3041
iptables -t filter -I RULE3041 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3041 -j RULEADMIN
iptables -t filter -N RULE3042
iptables -t filter -I RULE3042 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3042 -j RULEADMIN
iptables -t filter -N RULE3043
iptables -t filter -I RULE3043 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3043 -j RULEADMIN
iptables -t filter -N RULE3044
iptables -t filter -I RULE3044 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3044 -j RULEADMIN
iptables -t filter -N RULE3045
iptables -t filter -I RULE3045 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3045 -j RULEADMIN
iptables -t filter -N RULE3046
iptables -t filter -I RULE3046 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3046 -j RULEADMIN
iptables -t filter -N RULE3047
iptables -t filter -I RULE3047 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3047 -j RULEADMIN
iptables -t filter -N RULE3048
iptables -t filter -I RULE3048 -s 10.1.147.147  -j ACCEPT
iptables -t filter -A RULE3048 -j RULEADMIN



iptables -t filter -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -I INPUT 2 -d 10.1.154.0 -p tcp --dport 3000 -j RULE3001
iptables -t filter -I INPUT 2 -d 10.1.154.1 -p tcp --dport 3001 -j RULE3002
iptables -t filter -I INPUT 2 -d 10.1.154.2 -p tcp --dport 3002 -j RULE3003
iptables -t filter -I INPUT 2 -d 10.1.154.3 -p tcp --dport 3003 -j RULE3004
iptables -t filter -I INPUT 2 -d 10.1.154.4 -p tcp --dport 3004 -j RULE3005
iptables -t filter -I INPUT 2 -d 10.1.154.5 -p tcp --dport 3005 -j RULE3006
iptables -t filter -I INPUT 2 -d 10.1.154.6 -p tcp --dport 3006 -j RULE3007
iptables -t filter -I INPUT 2 -d 10.1.154.7 -p tcp --dport 3007 -j RULE3008
iptables -t filter -I INPUT 2 -d 10.1.154.8 -p tcp --dport 3008 -j RULE3009
iptables -t filter -I INPUT 2 -d 10.1.154.9 -p tcp --dport 3009 -j RULE3010
iptables -t filter -I INPUT 2 -d 10.1.154.10 -p tcp --dport 3010 -j RULE3011
iptables -t filter -I INPUT 2 -d 10.1.154.11 -p tcp --dport 3011 -j RULE3012
iptables -t filter -I INPUT 2 -d 10.1.154.12 -p tcp --dport 3012 -j RULE3013
iptables -t filter -I INPUT 2 -d 10.1.154.13 -p tcp --dport 3013 -j RULE3014
iptables -t filter -I INPUT 2 -d 10.1.154.14 -p tcp --dport 3014 -j RULE3015
iptables -t filter -I INPUT 2 -d 10.1.154.15 -p tcp --dport 3015 -j RULE3016
iptables -t filter -I INPUT 2 -d 10.1.154.16 -p tcp --dport 3016 -j RULE3017
iptables -t filter -I INPUT 2 -d 10.1.154.17 -p tcp --dport 3017 -j RULE3018
iptables -t filter -I INPUT 2 -d 10.1.154.18 -p tcp --dport 3018 -j RULE3019
iptables -t filter -I INPUT 2 -d 10.1.154.19 -p tcp --dport 3019 -j RULE3020
iptables -t filter -I INPUT 2 -d 10.1.154.20 -p tcp --dport 3020 -j RULE3021
iptables -t filter -I INPUT 2 -d 10.1.154.21 -p tcp --dport 3021 -j RULE3022
iptables -t filter -I INPUT 2 -d 10.1.154.22 -p tcp --dport 3022 -j RULE3023
iptables -t filter -I INPUT 2 -d 10.1.154.23 -p tcp --dport 3023 -j RULE3024
iptables -t filter -I INPUT 2 -d 10.1.154.24 -p tcp --dport 3024 -j RULE3025
iptables -t filter -I INPUT 2 -d 10.1.154.25 -p tcp --dport 3025 -j RULE3026
iptables -t filter -I INPUT 2 -d 10.1.154.26 -p tcp --dport 3026 -j RULE3027
iptables -t filter -I INPUT 2 -d 10.1.154.27 -p tcp --dport 3027 -j RULE3028
iptables -t filter -I INPUT 2 -d 10.1.154.28 -p tcp --dport 3028 -j RULE3029
iptables -t filter -I INPUT 2 -d 10.1.154.29 -p tcp --dport 3029 -j RULE3030
iptables -t filter -I INPUT 2 -d 10.1.154.30 -p tcp --dport 3030 -j RULE3031
iptables -t filter -I INPUT 2 -d 10.1.154.31 -p tcp --dport 3031 -j RULE3032
iptables -t filter -I INPUT 2 -d 10.1.154.32 -p tcp --dport 3032 -j RULE3033
iptables -t filter -I INPUT 2 -d 10.1.154.33 -p tcp --dport 3033 -j RULE3034
iptables -t filter -I INPUT 2 -d 10.1.154.34 -p tcp --dport 3034 -j RULE3035
iptables -t filter -I INPUT 2 -d 10.1.154.35 -p tcp --dport 3035 -j RULE3036
iptables -t filter -I INPUT 2 -d 10.1.154.36 -p tcp --dport 3036 -j RULE3037
iptables -t filter -I INPUT 2 -d 10.1.154.37 -p tcp --dport 3037 -j RULE3038
iptables -t filter -I INPUT 2 -d 10.1.154.38 -p tcp --dport 3038 -j RULE3039
iptables -t filter -I INPUT 2 -d 10.1.154.39 -p tcp --dport 3039 -j RULE3040
iptables -t filter -I INPUT 2 -d 10.1.154.40 -p tcp --dport 3040 -j RULE3041
iptables -t filter -I INPUT 2 -d 10.1.154.41 -p tcp --dport 3041 -j RULE3042
iptables -t filter -I INPUT 2 -d 10.1.154.42 -p tcp --dport 3042 -j RULE3043
iptables -t filter -I INPUT 2 -d 10.1.154.43 -p tcp --dport 3043 -j RULE3044
iptables -t filter -I INPUT 2 -d 10.1.154.44 -p tcp --dport 3044 -j RULE3045
iptables -t filter -I INPUT 2 -d 10.1.154.45 -p tcp --dport 3045 -j RULE3046
iptables -t filter -I INPUT 2 -d 10.1.154.46 -p tcp --dport 3046 -j RULE3047
iptables -t filter -I INPUT 2 -d 10.1.154.47 -p tcp --dport 3047 -j RULE3048
iptables -t filter -I INPUT 2 -d 10.1.154.48 -p tcp --dport 3048 -j RULE3000


iptables -t filter -N RULE3049
iptables -t filter -I RULE3049 -s 10.1.147.65  -j ACCEPT
iptables -t filter -I RULE3049 -s 10.1.147.75  -j ACCEPT
iptables -t filter -I RULE3049 -s 10.1.147.85  -j ACCEPT
iptables -t filter -I RULE3049 -s 10.1.147.86  -j ACCEPT
iptables -t filter -I RULE3049 -s 10.1.147.103  -j ACCEPT
iptables -t filter -I RULE3049 -s 10.1.147.113  -j ACCEPT
iptables -t filter -I RULE3049 -s 10.1.147.114  -j ACCEPT
iptables -t filter -I RULE3049 -s 10.1.147.159  -j ACCEPT
iptables -t filter -I RULE3049 -s 10.1.147.160  -j ACCEPT
iptables -t filter -I RULE3049 -s 10.1.147.161  -j ACCEPT
iptables -t filter -I RULE3049 -s 10.1.147.163  -j ACCEPT
iptables -t filter -I RULE3049 -s 10.1.147.166  -j ACCEPT
iptables -t filter -I RULE3049 -s 10.1.147.162  -j ACCEPT
iptables -t filter -I RULE3049 -s 10.1.147.165  -j ACCEPT
iptables -t filter -I RULE3049 -s 10.1.147.0/24  -j ACCEPT
iptables -t filter -A RULE3049 -j RULEADMIN
iptables -t filter -I INPUT 2 -d 10.1.147.3 -p tcp --dport 3306 -j RULE3049

That looks like a lot of rules, but for a long-lived connection the packets actually pass through only one of them:
iptables -t filter -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
That is, every TCP packet belonging to an already established connection is accepted by the first rule.
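To make that concrete, here is an added example (our code, not the author's): a small Python model of filter-table traversal that regenerates the rule set above from the hosts and ports on the page, parses it with the same `-I` / `-A` ordering semantics iptables uses, and counts how many rules a packet is compared against before a verdict. The INPUT chain policy (ACCEPT) and the sample packets are assumptions; 10.1.147.65 is taken from the RULE3049 allow list.

```python
"""Toy iptables filter-chain walker: an added example, not the page's own code.
It parses the iptables syntax the page uses (-N/-I/-A, -s, -d, -p, --dport,
-m state --state, -j), replays the commands into chains in order, and counts
how many rules a packet is compared against before a verdict. Hosts and ports
are the page's; the INPUT policy (ACCEPT) and sample packets are constructed."""
import ipaddress
import shlex
from collections import namedtuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# A rule is a dict: "target" plus optional src, dst, proto, dport, states constraints.
Packet = namedtuple("Packet", "src dst dport state proto", defaults=["tcp"])


def parse_rules(script):
    """Replay iptables commands into {chain: [rule, ...]}; INPUT is built in."""
    chains = {"INPUT": []}
    for line in script.splitlines():
        argv = shlex.split(line)
        op, chain, pos, rule, i = None, None, 1, {"target": ""}, 1  # plain -I = position 1
        while i < len(argv):
            a, v = argv[i], argv[i + 1] if i + 1 < len(argv) else ""
            if a in ("-N", "-A", "-I"):
                op, chain = a, v
                if a == "-I" and i + 2 < len(argv) and argv[i + 2].isdigit():
                    pos, i = int(argv[i + 2]), i + 1
            elif a in ("-s", "-d"):
                rule["src" if a == "-s" else "dst"] = ipaddress.ip_network(v, strict=False)
            elif a == "-p":
                rule["proto"] = v
            elif a == "--dport":
                rule["dport"] = int(v)
            elif a == "--state":
                rule["states"] = set(v.split(","))
            elif a == "-j":
                rule["target"] = v
            i += 2  # -t <table> and -m <module> carry no match logic in this model
        if op == "-N":
            chains[chain] = []
        elif op == "-A":
            chains[chain].append(rule)
        elif op == "-I":
            chains[chain].insert(pos - 1, rule)
    return chains


def matches(rule, pkt):
    """Every constraint present on the rule must hold for the packet."""
    return (("src" not in rule or ipaddress.ip_address(pkt.src) in rule["src"])
            and ("dst" not in rule or ipaddress.ip_address(pkt.dst) in rule["dst"])
            and ("proto" not in rule or rule["proto"] == pkt.proto)
            and ("dport" not in rule or rule["dport"] == pkt.dport)
            and ("states" not in rule or pkt.state in rule["states"]))


def evaluate(chains, pkt, chain="INPUT", policy="ACCEPT"):
    """Walk a chain as the kernel does: first matching terminal target wins, jumps
    recurse, an exhausted user chain returns None so the caller keeps walking."""
    compared = 0
    for rule in chains[chain]:
        compared += 1
        if not matches(rule, pkt):
            continue
        if rule["target"] in TERMINAL:
            return rule["target"], compared
        verdict, sub = evaluate(chains, pkt, rule["target"], policy=None)
        compared += sub
        if verdict is not None:
            return verdict, compared
    return policy, compared  # (verdict, number of rules compared)


def build_ruleset():
    """Regenerate the page's rule set: RULEADMIN, 49 per-port chains, the MySQL chain."""
    ports = range(3000, 3049)
    out = ["iptables -t filter -N RULEADMIN",
           "iptables -t filter -I RULEADMIN -s 10.250.14.0/24 -j ACCEPT",
           "iptables -t filter -I RULEADMIN -s 10.242.232.0/24 -j ACCEPT",
           "iptables -t filter -A RULEADMIN -j DROP"]
    for p in ports:
        out += [f"iptables -t filter -N RULE{p}",
                f"iptables -t filter -I RULE{p} -s 10.1.147.147 -j ACCEPT",
                f"iptables -t filter -A RULE{p} -j RULEADMIN"]
    out.append("iptables -t filter -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT")
    for p in ports:  # the page sends dport 3000+k to RULE300(k+1), wrapping to RULE3000
        out.append(f"iptables -t filter -I INPUT 2 -d 10.1.154.{p - 3000} -p tcp "
                   f"--dport {p} -j RULE{3000 + (p - 2999) % len(ports)}")
    out.append("iptables -t filter -N RULE3049")
    for h in (65, 75, 85, 86, 103, 113, 114, 159, 160, 161, 163, 166, 162, 165):
        out.append(f"iptables -t filter -I RULE3049 -s 10.1.147.{h} -j ACCEPT")
    out += ["iptables -t filter -I RULE3049 -s 10.1.147.0/24 -j ACCEPT",
            "iptables -t filter -A RULE3049 -j RULEADMIN",
            "iptables -t filter -I INPUT 2 -d 10.1.147.3 -p tcp --dport 3306 -j RULE3049"]
    return "\n".join(out)


if __name__ == "__main__":  # constructed packets; 10.1.147.65 is on the page's allow list
    chains = parse_rules(build_ruleset())
    print("established:", evaluate(chains, Packet("10.1.147.65", "10.1.147.3", 3306, "ESTABLISHED")))
    print("new, 3306:  ", evaluate(chains, Packet("10.1.147.65", "10.1.147.3", 3306, "NEW")))
    print("new, 3000:  ", evaluate(chains, Packet("10.1.147.147", "10.1.154.0", 3000, "NEW")))
```

Running it shows an ESTABLISHED packet on the MySQL connection compared against 1 rule, a NEW connection to 10.1.147.3:3306 against 3, and a NEW connection to port 3000 against 52, because repeated `-I INPUT 2` inserts push the earliest-inserted port rule to the end of the 51-rule INPUT chain. Rule position therefore decides how far a new connection walks, and the conntrack rule at position 1 is what keeps established traffic cheap.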
Test method:
1. A single thread sends SQL to MySQL over a long-lived (persistent) connection, 50,000 times per run, with the iptables rules in place; 20 runs.
2. A single thread sends the same SQL to MySQL, 50,000 times per run, without the iptables rules; 20 runs.

Then compute the average time per request for each of the two data sets.
Total seconds per run (50,000 requests each):

With iptables    Without iptables
11.99622011      10.40345907
11.67167187      10.15265417
11.24559712      10.30219007
11.222718        10.40044904
11.42898607      10.49085999
11.59129691      10.43716884
11.64169002      10.57864714
12.24213886      10.42826486
11.85357189      10.26615214
11.40986514      10.40360284
12.10283422      10.3410759
11.60614896      10.42641878
11.20168209      10.60911489
11.27488494      10.63199115
11.36479998      10.67307496
11.36254191      10.58659887
11.67795014      10.4637661
11.66075993      10.313941
11.43256617      10.29340601
11.23209596      10.8853991
AVG:
11.56100101      10.45441175
Difference per request: 0.000022 s (22 µs)

Result: with iptables, each request takes about 22 µs longer than without. In other words, this single filter rule costs roughly 22 µs per request:
iptables -t filter -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT

With NAT port forwarding added (total seconds per run of 50,000 requests):
11.63080692
11.90807295
12.46742797
12.33331704
11.80403209
12.104146
11.72256398
12.3218751
12.31458497
12.38100791
13.80361986
12.83216214
11.99734807
11.71055198
11.51495504
11.65256119
12.37192702
12.85852599
12.70576
12.76274395
AVG:
12.25989951
(12.25989951 - 11.56100101) / 50000 ≈ 0.000014 s = 14 µs per request

After adding the nat-table translation, each request costs roughly another 14 µs. So, going by these results, the nat table is slightly more efficient than the filter table.
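As an added example (ours, not the author's test script), the Python below reproduces the page's analysis for both comparisons: it re-derives the 22 µs and 14 µs per-request deltas from the twenty run totals listed above, adds a simple significance check so the difference can be judged against run-to-run spread, and includes a `benchmark` harness in the shape of the test method (one workload repeated 50,000 times per round, 20 rounds). The significance test and the no-op stand-in workload are assumptions; the timings are the page's.

```python
"""Benchmark harness and analysis for the page's timing method: an added example,
not the page's own code. `benchmark` mirrors the method (a workload repeated
REQUESTS_PER_ROUND times per round, for ROUNDS rounds) and returns one wall-clock
total per round; `per_request_delta_us` turns two such series into the extra
cost per request in microseconds, and `delta_is_significant` checks that the
difference stands above run-to-run noise. The three series are the page's
measured totals (seconds per round of 50,000 requests)."""
import statistics
import time

REQUESTS_PER_ROUND, ROUNDS = 50000, 20

WITH_FILTER = [11.99622011, 11.67167187, 11.24559712, 11.222718, 11.42898607,
               11.59129691, 11.64169002, 12.24213886, 11.85357189, 11.40986514,
               12.10283422, 11.60614896, 11.20168209, 11.27488494, 11.36479998,
               11.36254191, 11.67795014, 11.66075993, 11.43256617, 11.23209596]
WITHOUT_IPTABLES = [10.40345907, 10.15265417, 10.30219007, 10.40044904, 10.49085999,
                    10.43716884, 10.57864714, 10.42826486, 10.26615214, 10.40360284,
                    10.3410759, 10.42641878, 10.60911489, 10.63199115, 10.67307496,
                    10.58659887, 10.4637661, 10.313941, 10.29340601, 10.8853991]
WITH_NAT = [11.63080692, 11.90807295, 12.46742797, 12.33331704, 11.80403209,
            12.104146, 11.72256398, 12.3218751, 12.31458497, 12.38100791,
            13.80361986, 12.83216214, 11.99734807, 11.71055198, 11.51495504,
            11.65256119, 12.37192702, 12.85852599, 12.70576, 12.76274395]


def benchmark(workload, n_requests=REQUESTS_PER_ROUND, rounds=ROUNDS):
    """Seconds per round for n_requests calls of workload, e.g. one SQL statement
    sent over a persistent connection that was opened once, outside the loop."""
    totals = []
    for _ in range(rounds):
        start = time.perf_counter()
        for _ in range(n_requests):
            workload()
        totals.append(time.perf_counter() - start)
    return totals


def summarize(totals, n_requests=REQUESTS_PER_ROUND):
    """Mean and standard deviation of the round totals, plus mean microseconds per request."""
    mean = statistics.mean(totals)
    return {"mean_s": mean, "stdev_s": statistics.stdev(totals),
            "per_request_us": mean / n_requests * 1e6}


def per_request_delta_us(slow, fast, n_requests=REQUESTS_PER_ROUND):
    """Extra cost per request, in microseconds, of configuration `slow` over `fast`."""
    return (statistics.mean(slow) - statistics.mean(fast)) / n_requests * 1e6


def delta_is_significant(slow, fast):
    """Rough Welch-style check (assumes roughly normal noise): the difference of
    the means exceeds two standard errors of that difference."""
    se = (statistics.variance(slow) / len(slow) + statistics.variance(fast) / len(fast)) ** 0.5
    return abs(statistics.mean(slow) - statistics.mean(fast)) > 2 * se


if __name__ == "__main__":
    for name, slow, fast in [("filter INPUT rule vs. none", WITH_FILTER, WITHOUT_IPTABLES),
                             ("nat forward vs. filter only", WITH_NAT, WITH_FILTER)]:
        print(f"{name}: +{per_request_delta_us(slow, fast):.1f} us/request, "
              f"significant={delta_is_significant(slow, fast)}")
    # A no-op stand-in workload so the harness runs offline; replace with the real query call.
    print(summarize(benchmark(lambda: None, n_requests=1000, rounds=3), n_requests=1000))
```

The per-request numbers only mean something because the whole run was timed as one total and divided by the request count; timing each query individually would add clock overhead of the same order as the 22 µs being measured. The spread check matters for the NAT series in particular, where one 13.8 s outlier pulls the mean up.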