iptables Archive

Hetzner’s ban, NAT leaking internal traffic on WAN interface and New Year’s

  As I mentioned a few times, we have a small cluster of servers located in Hetzner’s datacenters. We use Vyatta as our core router and we NAT all additional servers through it, because Hetzner’s dedicated servers don’t support direct routing. Incident On New Year’s Eve, my phone started ringing insanely and I noticed one of our

ip_conntrack: table full, dropping packet / conclusions about connection tracking

The problem Recently one of our clients started a very large campaign and my servers got hit by twice the traffic they were handling normally. We actually didn’t have any problems, but from time to time you would notice this error message on our main firewall: ip_conntrack: table full, dropping packet Investigation I have seen this
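When that message shows up, the first question is what is actually occupying the connection tracking table. The helper below is an added example (not code from this blog): it parses entries in the `/proc/net/nf_conntrack` text format (older kernels exposed the same data as `/proc/net/ip_conntrack`, which is where the `ip_conntrack:` prefix in the message comes from) and reports flows per protocol and TCP state, unreplied flows, the busiest original-direction source addresses, and how full the table is against `nf_conntrack_max`. The sample entries and the table size are constructed for illustration; the `read_live_summary` function assumes the usual Linux paths `/proc/net/nf_conntrack` and `/proc/sys/net/netfilter/nf_conntrack_max`.

```python
"""Triage helper for the "nf_conntrack: table full, dropping packet" message.

Added example (not code from the original blog). It parses flow entries in
the /proc/net/nf_conntrack text format and reports what is filling the
table. The sample entries and the table size below are constructed.
"""
import re
from collections import Counter

# Constructed sample lines in /proc/net/nf_conntrack format (not captured data).
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=43210 dport=80 src=203.0.113.10 dst=198.51.100.1 sport=80 dport=43210 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 118 TIME_WAIT src=10.0.0.5 dst=203.0.113.11 sport=43211 dport=80 src=203.0.113.11 dst=198.51.100.1 sport=80 dport=43211 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 117 TIME_WAIT src=10.0.0.5 dst=203.0.113.12 sport=43212 dport=80 src=203.0.113.12 dst=198.51.100.1 sport=80 dport=43212 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 58 SYN_SENT src=10.0.0.7 dst=203.0.113.13 sport=50000 dport=443 [UNREPLIED] src=203.0.113.13 dst=198.51.100.1 sport=443 dport=50000 mark=0 use=1
ipv4     2 udp      17 29 src=10.0.0.9 dst=192.0.2.53 sport=5353 dport=53 src=192.0.2.53 dst=198.51.100.1 sport=53 dport=5353 mark=0 use=1
ipv4     2 udp      17 28 src=10.0.0.9 dst=192.0.2.53 sport=5354 dport=53 [UNREPLIED] src=192.0.2.53 dst=198.51.100.1 sport=53 dport=5354 mark=0 use=1
"""

# Constructed value; on a live box read /proc/sys/net/netfilter/nf_conntrack_max.
SAMPLE_CONNTRACK_MAX = 65536

# Fields: l3 family, l3 number, l4 proto, l4 number, timeout, optional TCP
# state (UDP/ICMP entries have none), then the key=value tuples.
ENTRY_RE = re.compile(
    r"^(?P<l3>\S+)\s+\d+\s+(?P<proto>\S+)\s+\d+\s+(?P<timeout>\d+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<rest>src=.*)$"
)


def parse_entry(line):
    """Parse one conntrack line; return a dict, or None for an unparseable line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    pairs = re.findall(r"(\w+)=(\S+)", rest)
    # The first src/dst/dport belong to the original direction; the reply tuple follows.
    first = {}
    for key, value in pairs:
        first.setdefault(key, value)
    return {
        "proto": m.group("proto"),
        "state": m.group("state") or "-",    # non-TCP entries carry no state
        "timeout": int(m.group("timeout")),  # seconds left before the entry expires
        "src": first.get("src"),
        "dst": first.get("dst"),
        "dport": first.get("dport"),
        "unreplied": "[UNREPLIED]" in rest,  # nothing seen in the reply direction yet
        "assured": "[ASSURED]" in rest,      # not a candidate for early drop when the table is full
    }


def summarize(text, table_max, top_n=3):
    """Counts by proto/state, unreplied flows, top original sources and fill percentage."""
    entries = [e for e in (parse_entry(l) for l in text.splitlines()) if e]
    by_state = Counter(f"{e['proto']}/{e['state']}" for e in entries)
    by_src = Counter(e["src"] for e in entries)
    return {
        "total": len(entries),
        "by_state": dict(by_state),
        "unreplied": sum(1 for e in entries if e["unreplied"]),
        "top_sources": by_src.most_common(top_n),
        "fill_pct": round(100.0 * len(entries) / table_max, 2),
    }


def read_live_summary(top_n=5):
    """Run the same summary against a live Linux kernel (needs root for the proc file)."""
    with open("/proc/sys/net/netfilter/nf_conntrack_max") as f:
        table_max = int(f.read())
    with open("/proc/net/nf_conntrack") as f:
        return summarize(f.read(), table_max, top_n)


if __name__ == "__main__":
    report = summarize(SAMPLE_CONNTRACK, SAMPLE_CONNTRACK_MAX)
    print(f"{report['total']} flows, {report['fill_pct']}% of table, "
          f"{report['unreplied']} unreplied")
    for key, n in sorted(report["by_state"].items()):
        print(f"  {key:<18} {n}")
    print("top sources:", report["top_sources"])
```

The breakdown tells you which knob to reach for: a table dominated by unreplied `SYN_SENT` or UDP entries from a single internal host is a client (or a scanner) to deal with, a large share of `TIME_WAIT` entries points at the TCP timeouts, and a table that is simply full of assured established flows means `nf_conntrack_max` is undersized for the traffic.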

Vyatta – SNAT – Randomly rotating public IP addresses

The problem Our contextual system uses bots/spiders to leech data from our customers’ websites in order to parse them and use the extracted text for further content analysis. This means we have set up a few servers that run bots/spiders. Can you imagine if 20 bots started leeching websites hosted on the same web host using only one IP? That could be considered as a sort of

Network Layers – Schema

Usually on Hetzner I want to make sure I get the most out of our web servers. One of the limitations is that each server has its own 100Mbit connection, and if you want to use it, you should use iptables to link all your virtual servers to a public IP, so I often end up writing some special