Better traffic forwarding

Hi forum.

I wanted to know if I can make improvements to my current setup. I have 500 containers running with the default bridge.

I am forwarding traffic to my containers using iptables rules, such as:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 587 -j DNAT \
    --to-destination 10.0.3.100:587

I am running into performance issues with this setup and I think the bottleneck is iptables. I can’t do macvlan as I am running a lot of containers and it is my understanding that there is a limit on the number of virtual MAC addresses imposed by the NIC.

My requirements are that the containers should be able to receive packets from the outside world and be able to use the internet on the host. It’s fine if the containers don’t talk with each other.

What can I do better?
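Added example, not part of the original post: a POSIX shell script that builds the forwarding rules for a whole container inventory as one iptables-restore ruleset, so the nat table is replaced atomically in a single kernel round trip instead of 500 separate "iptables -A" calls (each of which re-reads and re-writes the chain). It also rejects a mapping that forwards the same host port twice, which iptables would otherwise load silently with the first rule winning. Assumptions beyond the post: the public interface is eth0 (as in the rule above), the mapping file format ("host_port container_ip:container_port", one per line) and the sample entries are constructed here, and the container network 10.0.3.0/24 with a POSTROUTING MASQUERADE rule is assumed so the containers can still reach the internet after the nat table is reloaded. One caveat worth knowing when hunting the bottleneck: the nat PREROUTING chain is only consulted for the first packet of each connection (conntrack handles the rest), so its length rarely dominates throughput; the filter FORWARD chain is traversed per packet, so an early "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" there matters far more than the number of DNAT rules.

```shell
#!/bin/sh
# Added example (not from the original post): generate an iptables-restore
# ruleset for many DNAT forwards. Assumed names: WAN_IF (eth0, from the post),
# CONTAINER_NET (10.0.3.0/24, assumed), and the mapping file format below.
WAN_IF=${WAN_IF:-eth0}
CONTAINER_NET=${CONTAINER_NET:-10.0.3.0/24}   # assumption: default bridge subnet

# Fail if the mapping forwards the same host port more than once. iptables
# accepts duplicate --dport rules and the first one in the chain wins silently.
check_mapping() {
    dups=$(awk '$1 !~ /^#/ && NF == 2 { seen[$1]++ }
                END { for (p in seen) if (seen[p] > 1) print p }' "$1")
    if [ -n "$dups" ]; then
        echo "duplicate host port(s): $dups" >&2
        return 1
    fi
    return 0
}

# Emit the complete nat table in iptables-restore format. iptables-restore
# flushes every chain of a table that appears in the file, so the outbound
# MASQUERADE rule the containers rely on must be part of the same file.
gen_nat_rules() {
    check_mapping "$1" || return 1
    printf '*nat\n'
    printf ':PREROUTING ACCEPT [0:0]\n'
    printf ':POSTROUTING ACCEPT [0:0]\n'
    while read -r port dest; do
        case "$port" in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        rule="-A PREROUTING -p tcp -i $WAN_IF --dport $port -j DNAT --to-destination $dest"
        printf '%s\n' "$rule"
    done < "$1"
    printf '%s\n' "-A POSTROUTING -s $CONTAINER_NET -o $WAN_IF -j MASQUERADE"
    printf 'COMMIT\n'
}

# Constructed sample inventory for the demo (two entries; the real file would
# list all 500 containers).
MAP_FILE=$(mktemp)
cat > "$MAP_FILE" <<'EOF'
# host_port container_ip:container_port
587 10.0.3.100:587
25  10.0.3.101:25
EOF

gen_nat_rules "$MAP_FILE"
rm -f "$MAP_FILE"
# To load for real (as root), replacing the nat table atomically:
#   gen_nat_rules /etc/containers/ports.map | iptables-restore
```

The generated text is plain iptables-restore input, so it can be kept under version control and diffed before loading; the mapping file is the single source of truth for which host port reaches which container.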

What performance issues are you seeing with iptables, and what makes you think it is that?
If your traffic is TCP you could try HAProxy to forward based on port, basically a TCP proxy.