Title: The Research of enhancement in IPTABLES performance
Author: 李溢生
Lee, Yat-Sang
蔡文能
林正中
Tsai, Wen-Nung
Lin, Cheng-Chung
College of Computer Science, Computer Science Program
Keywords: Firewall; Router; Routing; Throughput Enhancement; IPTABLES
Publication date: 2011
Abstract: The router has become a popular network device for addressing the IPv4 exhaustion problem. Besides IP sharing, most routers on the market also include firewall functions; a firewall is one of several ways to protect the internal (LAN) network from attack or intrusion from the Internet. However, as the number of firewall rules increases, the firewall needs more time to check each packet against those rules, and throughput decreases. In addition, routers on the market usually include sharing functions such as FTP, SAMBA and DLNA, which place heavy demands on performance and may affect the performance of the router. The purpose of this research is to improve router performance using LINUX IPTABLES. Our goal is to increase throughput by reducing the time spent checking firewall rules, using the information provided by the Connection Tracking System, so that routed packets are accelerated while the firewall function and the additional sharing functions are preserved. Our experimental results show a large improvement over the original device: running our firewall with 500 rules, TCP packet throughput increased by 180% at a packet size of 64 bytes.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT079979522
http://hdl.handle.net/11536/50964
Appears in Collections: Thesis