Dionysos (n00b)
Posted: Sat May 28, 2005 1:16 pm    Post subject: Slow internet sharing using iptables
I have a Gentoo box sharing files (FTP and Samba). The box has two network cards, so I am trying to use this machine to share my internet connection (ADSL) with my network. This is working fine, but when I enable iptables, the internet connection gets slow. When I disable iptables, browsing is fast on the server and the response time on ping is low. Example of this below:
Quote:
```text
64 bytes from web1.eniro.basefarm.net (80.69.226.133): icmp_seq=1 ttl=119 time=31.0 ms
64 bytes from web1.eniro.basefarm.net (80.69.226.133): icmp_seq=2 ttl=119 time=31.2 ms
64 bytes from web1.eniro.basefarm.net (80.69.226.133): icmp_seq=3 ttl=119 time=30.7 ms
64 bytes from web1.eniro.basefarm.net (80.69.226.133): icmp_seq=4 ttl=119 time=31.2 ms
```
When I enable iptables, the response time to the internet is very high, both on the server and on the clients. Example below:
Quote:
```text
64 bytes from web1.eniro.basefarm.net (80.69.226.133): icmp_seq=1 ttl=119 time=1928 ms
64 bytes from web1.eniro.basefarm.net (80.69.226.133): icmp_seq=2 ttl=119 time=1908 ms
64 bytes from web1.eniro.basefarm.net (80.69.226.133): icmp_seq=3 ttl=119 time=2382 ms
```
If I try to ping at the same time as I start iptables, I can see how the response time gets worse with every ping. Example below:
Quote:
```text
64 bytes from web1.eniro.basefarm.net (80.69.226.133): icmp_seq=1 ttl=119 time=31.2 ms
64 bytes from web1.eniro.basefarm.net (80.69.226.133): icmp_seq=2 ttl=119 time=40.7 ms
64 bytes from web1.eniro.basefarm.net (80.69.226.133): icmp_seq=3 ttl=119 time=40.4 ms
64 bytes from web1.eniro.basefarm.net (80.69.226.133): icmp_seq=4 ttl=119 time=31.7 ms
64 bytes from web1.eniro.basefarm.net (80.69.226.133): icmp_seq=5 ttl=119 time=223 ms
64 bytes from web1.eniro.basefarm.net (80.69.226.133): icmp_seq=6 ttl=119 time=559 ms
64 bytes from web1.eniro.basefarm.net (80.69.226.133): icmp_seq=7 ttl=119 time=874 ms
64 bytes from web1.eniro.basefarm.net (80.69.226.133): icmp_seq=8 ttl=119 time=1141 ms
64 bytes from web1.eniro.basefarm.net (80.69.226.133): icmp_seq=9 ttl=119 time=1000 ms
64 bytes from web1.eniro.basefarm.net (80.69.226.133): icmp_seq=10 ttl=119 time=1352 ms
64 bytes from web1.eniro.basefarm.net (80.69.226.133): icmp_seq=11 ttl=119 time=1479 ms
64 bytes from web1.eniro.basefarm.net (80.69.226.133): icmp_seq=12 ttl=119 time=2138 ms
64 bytes from web1.eniro.basefarm.net (80.69.226.133): icmp_seq=13 ttl=119 time=2218 ms
```
At the beginning I used my own iptables script. I then thought the script was the problem, so I installed Killerwall. I still have the same problem, which makes me think that the problem is somewhere else. The computer is fast: 2.4 GHz, 512 MB RAM, 800 GB disc.
Can someone please help me?
Dionysos
Mit (Apprentice)
Posted: Sat May 28, 2005 3:57 pm
If you're using a pre-made script, is it possible that it's taking far too long to get to a valid exit from the rules?
Could you try clearing all the rules (make sure iptables -L and iptables -t nat -L are empty), then add only the basic ones to allow NAT and test that?
Then build up, adding bits until you find the problem.
_________________
Tim
Dionysos (n00b)
Posted: Sat May 28, 2005 8:11 pm
Tried that. I had a script with only the most important rules, as shown below:
Code:
```sh
# Flush all rules and delete user-defined chains so the script can be re-run;
# without -X the later "iptables -N input_ext" fails on a second run.
iptables -F
iptables -F -t nat
iptables -X
# Default policies: drop everything that is not explicitly accepted
# (OUTPUT is switched back to ACCEPT at the end of the script).
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Source NAT for the LAN behind eth0 going out on eth1
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j SNAT --to-source 193.217.189.15
# Trust the LAN interface and loopback
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
# INPUT CHAIN: traffic arriving on the external interface
iptables -N input_ext
iptables -A INPUT -i eth1 -j input_ext
iptables -A input_ext -p tcp --dport 80 -j ACCEPT
iptables -A input_ext -p tcp --dport 20:21 -j ACCEPT
# Inserted at the top of input_ext so replies are matched before the port rules
iptables -I input_ext -m state --state RELATED,ESTABLISHED -j ACCEPT
# FORWARD CHAIN: LAN -> Internet, plus replies back to the LAN
iptables -A FORWARD -s 192.168.0.0/24 -i eth0 -o eth1 -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# OUTPUT CHAIN: the box itself may send anything
iptables -P OUTPUT ACCEPT
# Enable IPv4 routing between the two interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward
```
Can it be something I have compiled into the kernel that causes these problems?
Dionysos (n00b)
Posted: Tue May 31, 2005 7:44 am
Mit wrote:
If you're using a pre-made script, is it possible that it's taking far too long to get to a valid exit from the rules?
Could you try clearing all the rules (make sure iptables -L and iptables -t nat -L are empty), then add only the basic ones to allow NAT and test that?
Then build up, adding bits until you find the problem.

Do you have an example script with only the basic stuff? Open all outbound traffic, block all inbound, and NAT for internal-to-external translation.
Dionysos
Mit (Apprentice)
Posted: Tue May 31, 2005 9:32 am
Assuming your iptables rules are empty, just add these. It's very basic but works (don't forget to echo 1 > /proc/sys/net/ipv4/ip_forward).
Code:
```sh
# POSTROUTING is a chain of the nat table, so -t nat is required here
iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -j MASQUERADE
# Loopback traffic
iptables -A INPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.255.255.0 -j ACCEPT
# Replies to connections the box itself opened
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Web server reachable from anywhere
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Anything from the LAN on the internal interface
iptables -A INPUT -s 192.168.0.0/255.255.255.0 -i eth0 -j ACCEPT
# Forward replies, and new connections that originate from the LAN
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/255.255.255.0 -m state --state NEW -j ACCEPT
```
_________________
Tim
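A complete version of the minimal gateway Dionysos asked for (outbound open, inbound blocked, NAT for the LAN), added here as an example and not a script from the thread. It assumes the LAN is 192.168.0.0/24 on eth0 and the ADSL uplink is eth1, as in Dionysos' setup; those values and the `IPT` command can be overridden through environment variables.

```shell
#!/bin/sh
# Minimal stateful NAT gateway. Added example; interface and network
# values are assumptions matching the thread, override them via env.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
IPT=${IPT:-iptables}

apply_rules() {
    # Start from empty tables so leftovers from another script
    # (Killerwall, firehol, an older version of this one) cannot interfere.
    $IPT -F
    $IPT -t nat -F
    $IPT -X

    # Default policies: nothing in, nothing through, everything out.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback and reply traffic first, so established flows never
    # fall through to the DROP policy.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # Only new flows from the LAN towards the uplink are forwarded;
    # anything coming back must belong to one of them.
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # POSTROUTING lives in the nat table, so -t nat is mandatory here.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Run as "sh gateway.sh apply" (as root) to load the rules.
if [ "${1:-}" = apply ]; then
    apply_rules
    enable_forwarding
fi
```

Setting `IPT=echo` before running `apply_rules` prints the rule set instead of loading it, which is a convenient way to review it before touching a live box.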
Dionysos (n00b)
Posted: Tue May 31, 2005 11:12 am
Thanks. I'll give it a try tonight...
Dionysos
Mit (Apprentice)
Posted: Tue May 31, 2005 11:19 am
Dionysos wrote:
Thanks. I'll give it a try tonight...
Dionysos

OK, just remember to change the IPs if you're not using a 192.168.0 range, and the interfaces (I've got eth0 and ppp0).
_________________
Tim
totopo (n00b)
Posted: Sat Jul 09, 2005 11:11 am    Post subject: Something happened after some update
Hello,
I have the problem that sharing the Internet connection became very slow. I have done several tests to pinpoint the problem:
1. Using a crossover cable to connect the two machines directly, to check that it is not a problem in the switch or hub.
2. Using the Windows partition to share the Internet connection, to check that it is not a problem with the network card.
3. Using the previous kernel, 2.6.11, to check whether it is something in the kernel.
4. Using iptables -F to clear the rules used by firehol and using a very simple script:
Code:
```sh
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
```
But after all these tests were done I was able to prove that it's a software bug; the problem is how to find which update crashed my machine. My architecture is:
Code:
```text
uname -a
Linux marco 2.6.11-gentoo-r11 #1 SMP Fri Jul 1 23:21:52 CEST 2005 i686 Intel(R) Pentium(R) 4 CPU 3.40GHz GenuineIntel GNU/Linux
```
Does someone have the same problem as me? Help!
Regards
Marco
totopo (n00b)
Posted: Sat Jul 09, 2005 11:04 pm    Post subject: solved
I ask myself and I reply to myself: the solution is in /etc/resolv.conf.
I added more of my ISP's nameservers on the client machines and it seems to be working fine now.