quijibo (n00b)
Joined: 27 Feb 2003 Posts: 20
Posted: Sun Dec 10, 2006 2:05 am    Post subject: Is my iptables not handling traffic correctly?
I am at a loss here as to why my IP traffic suddenly isn't working like it used to anymore. About two days ago my torrent traffic just slowed to a crawl suddenly and hasn't worked properly since. Since then I have tried to modify my iptables setup, but that still hasn't fixed the problem. Since then I have also noticed that ftp traffic doesn't work correctly as well. Is there something wrong with my iptables setup, or is it something upstream that is wrong on my provider's end? The other strange thing I notice is that if I sit and stare at the torrent or ftp long enough, after some time it will suddenly boost up to what I consider normal speed for up to about a minute, then throttle back down to its crawl not too much longer after that. The other thing is that http traffic seems unaffected, but I am not sure if that is just because my iptables is(n't?) configured correctly. Here is what I have right now.
Code:

```text
# iptables -L -v -n
Chain INPUT (policy DROP 3 packets, 162 bytes)
pkts bytes target prot opt in out source destination
106 8168 ACCEPT all -- !ppp0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
0 0 ACCEPT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp spt:53
0 0 ACCEPT all -- tap0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tap+ * 0.0.0.0/0 0.0.0.0/0
8 1223 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
38 2009 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
15 736 DROP tcp -- !br0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:0:1023
0 0 DROP udp -- !br0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:0:1023
2 100 REJECT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
8 448 REJECT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
64727 48M ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br0 * 192.168.1.0/24 0.0.0.0/0
62811 56M ACCEPT all -- ppp0 * 0.0.0.0/0 192.168.1.0/24
0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 192.168.1.10 tcp dpts:9500:9600
0 0 ACCEPT udp -- ppp0 * 0.0.0.0/0 192.168.1.10 udp dpts:9500:9600
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 192.168.1.10 tcp dpts:20:21
0 0 ACCEPT tcp -- ppp0 * 192.168.1.10 0.0.0.0/0 tcp dpts:21000:21999
0 0 ACCEPT udp -- ppp0 * 0.0.0.0/0 192.168.1.1 udp dpt:1194
0 0 ACCEPT udp -- ppp0 * 192.168.1.1 0.0.0.0/0 udp dpt:1194
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 192.168.1.10 tcp dpt:80
0 0 ACCEPT tcp -- ppp0 * 192.168.1.10 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 192.168.1.10 tcp dpt:443
0 0 ACCEPT tcp -- ppp0 * 192.168.1.10 0.0.0.0/0 tcp dpt:443
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 192.168.1.11 tcp dpt:6277
0 0 ACCEPT tcp -- ppp0 * 192.168.1.11 0.0.0.0/0 tcp dpt:6277
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 192.168.1.11 tcp dpt:2703
0 0 ACCEPT tcp -- ppp0 * 192.168.1.11 0.0.0.0/0 tcp dpt:2703
0 0 ACCEPT all -- tap+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
Chain OUTPUT (policy ACCEPT 8 packets, 660 bytes)
pkts bytes target prot opt in out source destination
156 49244 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
# iptables -L -v -n -t nat
Chain PREROUTING (policy ACCEPT 19536 packets, 1755K bytes)
pkts bytes target prot opt in out source destination
251 13774 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:9500:9600 to:192.168.17.10:9500-9600
0 0 DNAT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:9500:9600 to:192.168.17.10:9500-9600
0 0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:20:21 to:192.168.1.10:20-21
0 0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:21000:21999 to:192.168.17.10:21000-21999
0 0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 to:192.168.1.11:25
0 0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 to:192.168.1.11:993
0 0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2703 to:192.168.1.11:2703
0 0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6277 to:192.168.1.11:6277
2 108 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.1.10:80
0 0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.1.10:443
0 0 DNAT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194 to:192.168.1.1:1194
Chain POSTROUTING (policy ACCEPT 13829 packets, 1176K bytes)
pkts bytes target prot opt in out source destination
444 34582 SNAT all -- * ppp0 0.0.0.0/0 0.0.0.0/0 to:my.sta.tic.ip
Chain OUTPUT (policy ACCEPT 812 packets, 60868 bytes)
pkts bytes target prot opt in out source destination
```
I set 9500-9600 for torrents. 20, 21, 21000-21999 for my ftp server. 25 and 993 are for mail. 2703 and 6277 are for clamav and spamassassin. 80, 443 web. 1194 for openvpn. The other thing is that I have eth0 and tap0 bridged to br0 so I am able to VPN into my network. I have changed the iptables to this slightly from my original one. But is this a problem on my end somewhere that I am missing, or something that is out of my control? I checked my provider's maintenance log and nothing was listed on it, but again it isn't too detailed.
I do also run this at the end of my firewall script, but I don't think it would cause a problem like this:
Code:

```sh
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 >/proc/sys/net/ipv4/tcp_syncookies
for x in lo eth0
do
echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
done
if [ -e /proc/sys/net/ipv4/tcp_ecn ]
then
echo 0 > /proc/sys/net/ipv4/tcp_ecn
fi
```
Thanks in advance to anyone who might be able to shed some light on this problem for me.