This is my firewall script:
#!/bin/sh
WAN_NIC="ppp0"
LAN_NIC="eth1"
VPN_TUN="tun0"          # placeholder: the posted script used ${VPN_TUN} without defining it
WAN_IP="203.0.113.1"    # placeholder static address, only used when DYN_ADDR is not "yes"
DYN_ADDR="yes"
# Default policies: drop unsolicited inbound and forwarded traffic, allow outbound
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
# Flush old rules so re-running the script does not append duplicates
iptables -F
iptables -t nat -F
iptables -t mangle -F
# Stateful rules: replies to established connections are always allowed
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anything not arriving on the WAN interface (LAN, loopback, VPN) may talk to the router itself
iptables -A INPUT ! -i ${WAN_NIC} -j ACCEPT
# Allow selected services
iptables -A INPUT -i ${WAN_NIC} -p tcp --dport 3535 -j ACCEPT
iptables -A INPUT -i ${WAN_NIC} -p udp --dport 8123 -j ACCEPT
# Allow forwarding of selected services (one port per line in the file)
for svc in $(cat /etc/firewall/allowed_services)
do
    iptables -A FORWARD -i ${LAN_NIC} -p tcp --dport ${svc} -j ACCEPT
    iptables -A FORWARD -i ${LAN_NIC} -p udp --dport ${svc} -j ACCEPT
done
# Allow forwarding of inbound services to any destination (used by the DNAT rules below)
for in_svc in $(cat /etc/firewall/allowed_input_services)
do
    iptables -A FORWARD -d 0/0 -p tcp --dport ${in_svc} -j ACCEPT
done
# Allow VPN Tunnel forwarding
iptables -A FORWARD -i ${VPN_TUN} -j ACCEPT
# Allow all services for whitelisted clients
for whl in $(cat /etc/firewall/clients_whitelist)
do
    iptables -A FORWARD -s ${whl} -j ACCEPT
done
# Source NAT: MASQUERADE for a dynamic WAN address, SNAT for a static one
if [ "${DYN_ADDR}" = "yes" ]
then
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ${WAN_NIC} -j MASQUERADE
    iptables -t nat -A POSTROUTING -s 10.7.1.0/24 -o ${WAN_NIC} -j MASQUERADE
else
    # POSTROUTING cannot match on the input interface (-i), so match the LAN subnets instead
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ${WAN_NIC} -j SNAT --to-source ${WAN_IP}
    iptables -t nat -A POSTROUTING -s 10.7.1.0/24 -o ${WAN_NIC} -j SNAT --to-source ${WAN_IP}
fi
# Port forwards from the WAN side
iptables -t nat -A PREROUTING -i ${WAN_NIC} -p tcp --dport 4899 -j DNAT --to-destination 192.168.0.200
iptables -t nat -A PREROUTING -i ${WAN_NIC} -p tcp --dport 4900 -j DNAT --to-destination 192.168.0.199:4899
iptables -t nat -A PREROUTING -p tcp --dport 491 -j DNAT --to-destination 192.168.0.199
# Transparent proxy: redirect LAN web traffic to the proxy on port 3128
iptables -t nat -A PREROUTING -i ${LAN_NIC} -s 10.7.1.0/24 -p tcp --dport 80 -j DNAT --to-destination 10.7.1.1:3128
iptables -t nat -A PREROUTING -i ${LAN_NIC} -s 192.168.0.0/24 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.231:3128
The thing is, when I connect from outside on one of the forwarded ports, i.e., 4899 (radmin), the connection works as expected. If I try to browse the web using http (80), it also works as expected, since we are using a transparent proxy.
However, when I try to browse using https (443), it connects to the server, but the connection works with low throughput.
PS: the forwarding of packets with port 443 is allowed, since it is present in the file "/etc/firewall/accepted_services"
PS2: The connection uses MASQUERADE (dynamic ip from ppp0)
Thanks in advance, Eduardo Melo
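One hardening step the script above lacks: the `for svc in $(cat /etc/firewall/allowed_services)` loops pass every token of the file straight into an iptables command line, so a malformed or stray entry becomes a broken rule or an unintended argument. The POSIX sh below is an added example, not part of the original post; it validates each entry (single port or iptables `low:high` range) and prints the FORWARD rules as a dry run instead of calling iptables, using a constructed sample list in place of the real file.

```shell
#!/bin/sh
# Accept a single port (1-65535) or an iptables port range "low:high"; reject anything else.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_service() {
    case "$1" in
        *:*)
            lo=${1%%:*}; hi=${1#*:}
            valid_port "$lo" && valid_port "$hi" && [ "$lo" -le "$hi" ]
            ;;
        *)
            valid_port "$1"
            ;;
    esac
}

# Read a service list on stdin (one entry per line, '#' comments allowed) and print the
# FORWARD rules it would produce: the same tcp+udp pair the question's loop adds.
# Invalid entries are reported on stderr and skipped rather than handed to iptables.
forward_rules() {
    lan_nic=$1
    while IFS= read -r line || [ -n "$line" ]; do
        svc=${line%%#*}
        svc=$(printf '%s' "$svc" | tr -d '[:space:]')
        [ -z "$svc" ] && continue
        if ! valid_service "$svc"; then
            printf 'skipping invalid service entry: %s\n' "$line" >&2
            continue
        fi
        for proto in tcp udp; do
            printf 'iptables -A FORWARD -i %s -p %s --dport %s -j ACCEPT\n' "$lan_nic" "$proto" "$svc"
        done
    done
    return 0
}
# Constructed sample standing in for /etc/firewall/allowed_services
SAMPLE_SERVICES='# https, rdp, a port range, then two entries that must be rejected
443
3389
6000:6010
70000
443 -j ACCEPT'
printf '%s\n' "$SAMPLE_SERVICES" | forward_rules eth1
```

Replace the dry-run `printf` inside `forward_rules` with the real `iptables` call once the validated output looks right.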
SSL obviously uses encryption, so depending on the spec of the machine that's running the SSL-enabled webserver, there could be a noticeable difference.