Port-forwarding Perfomance

Port-forwarding Perfomance

[Rudi Starcevic]

Hi,

I have www port-forwarding setup and running OK.

However I wonder if they way I have configured it is not the most 
optimal for speed and performance.

I have a default policy of DROP with a total of about 30 rules.

These rules below do my www port-forwarding, can you see if there is a 
better way to do this ?

# ENABLE FORWARDING / NAT / MASQUERADING
echo "1" > /proc/sys/net/ipv4/ip_forward

# NAT Forwarding Setup
$IPTABLES --table nat --append POSTROUTING --out-interface $ETH0 -j 
MASQUERADE
$IPTABLES -A FORWARD -i $ETH1 -j ACCEPT
$IPTABLES -A FORWARD -i $ETH0 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# http Port-Forwarding setup
$IPTABLES -t nat -A PREROUTING -i $ETH0 -p tcp --dport 80 -d $MEDIA1_IP 
-j DNAT --to $MEDIA1_LO:80

Many thanks,
Kind regards
Rudi


-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 266.4.0 - Release Date: 22/02/2005

Re: Port-forwarding Perfomance

[Jose Maria Lopez Hernandez]

El mié, 23-02-2005 a las 17:33 -0800, Rudi Starcevic escribió:
> Hi,
> 
> I have www port-forwarding setup and running OK.
> 
> However I wonder if they way I have configured it is not the most 
> optimal for speed and performance.
> 
> I have a default policy of DROP with a total of about 30 rules.
> 
> These rules below do my www port-forwarding, can you see if there is a 
> better way to do this ?
> 
> # ENABLE FORWARDING / NAT / MASQUERADING
> echo "1" > /proc/sys/net/ipv4/ip_forward
> 
> # NAT Forwarding Setup
> $IPTABLES --table nat --append POSTROUTING --out-interface $ETH0 -j 
> MASQUERADE

The only thing I can say about your rules it's that if you
know the firewall IP it's much better to use SNAT than
MASQUERADE, because you gain some speed with it.

> $IPTABLES -A FORWARD -i $ETH1 -j ACCEPT
> $IPTABLES -A FORWARD -i $ETH0 -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # http Port-Forwarding setup
> $IPTABLES -t nat -A PREROUTING -i $ETH0 -p tcp --dport 80 -d $MEDIA1_IP 
> -j DNAT --to $MEDIA1_LO:80

The rule it's OK, I don't know how you can do it better to achieve
more speed.

> Many thanks,
> Kind regards
> Rudi

Regards.

-- 

Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"

Re: Port-forwarding Perfomance

[Rudi Starcevic]

Hi,

Still having trouble with port-forwarding performance.

As much as I look I can't find anything wrong.

I have one Linux 66.283.12.21 box and one Windows box 192.168.0.10

I can download a file of the linux box at around 140K/s

That very same file on the Windows machine is around 15K/s using DNAT 
and Masq/Forwarding.

I'm very disappointed and did not expect to see anything like this, I 
had more like 10% in mind ...

The linux box is not under heavy load and there is only 431 connections 
being tracked.

Hmm .. I must have a problem else where, it just too hard to believe 
those download rate numbers.


Jose Maria Lopez Hernandez wrote:

>El mié, 23-02-2005 a las 17:33 -0800, Rudi Starcevic escribió:
>  
>
>>Hi,
>>
>>I have www port-forwarding setup and running OK.
>>
>>However I wonder if they way I have configured it is not the most 
>>optimal for speed and performance.
>>
>>I have a default policy of DROP with a total of about 30 rules.
>>
>>These rules below do my www port-forwarding, can you see if there is a 
>>better way to do this ?
>>
>># ENABLE FORWARDING / NAT / MASQUERADING
>>echo "1" > /proc/sys/net/ipv4/ip_forward
>>
>># NAT Forwarding Setup
>>$IPTABLES --table nat --append POSTROUTING --out-interface $ETH0 -j 
>>MASQUERADE
>>    
>>
>
>The only thing I can say about your rules it's that if you
>know the firewall IP it's much better to use SNAT than
>MASQUERADE, because you gain some speed with it.
>
>  
>
>>$IPTABLES -A FORWARD -i $ETH1 -j ACCEPT
>>$IPTABLES -A FORWARD -i $ETH0 -j ACCEPT
>>$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>># http Port-Forwarding setup
>>$IPTABLES -t nat -A PREROUTING -i $ETH0 -p tcp --dport 80 -d $MEDIA1_IP 
>>-j DNAT --to $MEDIA1_LO:80
>>    
>>
>
>The rule it's OK, I don't know how you can do it better to achieve
>more speed.
>
>  
>
>>Many thanks,
>>Kind regards
>>Rudi
>>    
>>
>
>Regards.
>
>  
>



-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 266.4.0 - Release Date: 22/02/2005

Re: Port-forwarding Perfomance

[Maxime Ducharme]

Hello Rudi

Here is my stats :

firewall (x.x.x.x) :
  pentium 133 MHz
  48 megs of RAM
  20 gigs HD

another linux behind (192.168.56.2) :
   pentium celeron 433
   64 megs ram
   80 gigs hd

3 other windows friends behind, average of 600
concurrent connections (caused by p2p)

got a 100 mbits LAN, i can download via FTP
at about 83 mbits from 192.168.56.2.

Via samba I get 70-75 mbits

FTP is nated via the 1rst firewall on a dsl link
which is 3 mbits down and 1 mbit up.

I can download at maximum capacity of DSL
link, cpu load of both servers are below 10%.

I didnt tried a local NAT on 100 mbits link,
if I have time I'll do it and let you know of results.

HTH

Maxime Ducharme
Programmeur / Spécialiste en sécurité réseau

----- Original Message ----- 
From: "Rudi Starcevic" <tech@wildcash.com>
To: <netfilter@lists.netfilter.org>
Sent: Thursday, February 24, 2005 9:29 AM
Subject: Re: Port-forwarding Perfomance


Hi,

Still having trouble with port-forwarding performance.

As much as I look I can't find anything wrong.

I have one Linux 66.283.12.21 box and one Windows box 192.168.0.10

I can download a file of the linux box at around 140K/s

That very same file on the Windows machine is around 15K/s using DNAT
and Masq/Forwarding.

I'm very disappointed and did not expect to see anything like this, I
had more like 10% in mind ...

The linux box is not under heavy load and there is only 431 connections
being tracked.

Hmm .. I must have a problem else where, it just too hard to believe
those download rate numbers.


Jose Maria Lopez Hernandez wrote:

>El mié, 23-02-2005 a las 17:33 -0800, Rudi Starcevic escribió:
>
>
>>Hi,
>>
>>I have www port-forwarding setup and running OK.
>>
>>However I wonder if they way I have configured it is not the most
>>optimal for speed and performance.
>>
>>I have a default policy of DROP with a total of about 30 rules.
>>
>>These rules below do my www port-forwarding, can you see if there is a
>>better way to do this ?
>>
>># ENABLE FORWARDING / NAT / MASQUERADING
>>echo "1" > /proc/sys/net/ipv4/ip_forward
>>
>># NAT Forwarding Setup
>>$IPTABLES --table nat --append POSTROUTING --out-interface $ETH0 -j
>>MASQUERADE
>>
>>
>
>The only thing I can say about your rules it's that if you
>know the firewall IP it's much better to use SNAT than
>MASQUERADE, because you gain some speed with it.
>
>
>
>>$IPTABLES -A FORWARD -i $ETH1 -j ACCEPT
>>$IPTABLES -A FORWARD -i $ETH0 -j ACCEPT
>>$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>># http Port-Forwarding setup
>>$IPTABLES -t nat -A PREROUTING -i $ETH0 -p tcp --dport 80 -d $MEDIA1_IP
>>-j DNAT --to $MEDIA1_LO:80
>>
>>
>
>The rule it's OK, I don't know how you can do it better to achieve
>more speed.
>
>
>
>>Many thanks,
>>Kind regards
>>Rudi
>>
>>
>
>Regards.
>
>
>



-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 266.4.0 - Release Date: 22/02/2005

Re: Port-forwarding Perfomance

[Jason Opperisano]

On Thu, Feb 24, 2005 at 06:29:03AM -0800, Rudi Starcevic wrote:
> Hi,
> 
> Still having trouble with port-forwarding performance.
> 
> As much as I look I can't find anything wrong.
> 
> I have one Linux 66.283.12.21 box and one Windows box 192.168.0.10
> 
> I can download a file of the linux box at around 140K/s
> 
> That very same file on the Windows machine is around 15K/s using DNAT 
> and Masq/Forwarding.
> 
> I'm very disappointed and did not expect to see anything like this, I 
> had more like 10% in mind ...
> 
> The linux box is not under heavy load and there is only 431 connections 
> being tracked.
> 
> Hmm .. I must have a problem else where, it just too hard to believe 
> those download rate numbers.

thoughts:

1 - you have a speed/duplexing mismatch between the internal interface
of the firewall and your internal switch...or the windows box and the
internal switch (but you should notice that slowing internal
transfers)...or both.

2 - your internet connection is ppp/pppoe and you have an MTU problem.
since the linux gateway is directly connected, it knows to lower the MTU
of the external interface, but machines behind it would continue to
assume an MTU of 1500; and in the absence of functioning PMTU
discovery, would suffer from significant packet loss due to the need for 
fragmentation.

3 - you're using some traffic shaping script (like the wondershaper) and
it is misconfigured.

-j

--
"Let us celebrate our agreement with the adding of chocolate to milk."
        --The Simpsons

Re: Port-forwarding Perfomance

[Rudi Starcevic]

Hi,

>1 - you have a speed/duplexing mismatch between the internal interface
>of the firewall and your internal switch...or the windows box and the
>internal switch (but you should notice that slowing internal
>transfers)...or both.
>  
>

Thanks, am checking on this one now ..

>2 - your internet connection is ppp/pppoe and you have an MTU problem.
>since the linux gateway is directly connected, it knows to lower the MTU
>of the external interface, but machines behind it would continue to
>assume an MTU of 1500; and in the absence of functioning PMTU
>discovery, would suffer from significant packet loss due to the need for 
>fragmentation.
>  
>
This is on a 100MB link at choopa .com.
The windows machine being forward to is on a Gigabit network.

>3 - you're using some traffic shaping script (like the wondershaper) and
>it is misconfigured.
>  
>
Only using Iptables.

Thanks for these leads, am following up now.

Cheers
Rudi


-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 266.4.0 - Release Date: 22/02/2005

Re: Port-forwarding Perfomance

[R. DuFresne]

On Thu, 24 Feb 2005, Rudi Starcevic wrote:

> Hi,
> 
> >1 - you have a speed/duplexing mismatch between the internal interface
> >of the firewall and your internal switch...or the windows box and the
> >internal switch (but you should notice that slowing internal
> >transfers)...or both.
> >  
> >
> 
> Thanks, am checking on this one now ..

often if this is the case,m you would also notice the connections dropping
completely and/or connectivity totally disappearing as well.

Thanks,


Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

...Love is the ultimate outlaw.  It just won't adhere to rules.
The most any of us can do is sign on as it's accomplice.  Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question.  The words
"make" and "stay" become inappropriate.  My love for you has no
strings attached.  I love you for free...
                        -Tom Robins <Still Life With Woodpecker>

Re: Port-forwarding Perfomance

[Rudi Starcevic]

Hi,


I'm still seeing slow performance with my port-forwarding but
have found something interesting that may be problematic.

Just to re-cap:

I have one Linux 66.283.12.21 box and one Windows box 192.168.0.10
I can download a file of the linux box at around 140K/s
That very same file download on the Windows machine is around 15K/s using DNAT and Masq/Forwarding.

However we can upload to the Windows box at 140k/s.

So it is only slow, 15K/s, when the data is coming from Windows then through the Linux Iptables Masq/Forwarding Firewall.

I contacted an earlier Admin for the Windows machine and was informed the TCP window size has been manually increased.

Could this affect Forwarding in Iptables ?

The default maximum TCP window size in Win2000 is 17520 bytes (12 segments).
The current value is set at 131400.

90% of the traffic being port-forwarded are Digital video files.
These range in size from 2MB to 200MB.

So I assume with large files like these Windows would opt for it's largest TCP window size.

I guess the next step is to lower these to their default values and see if it affect bandwidth.

Your thoughts on that would be much appreciated.

Thanks.
Regards,
Rudi




-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 266.4.0 - Release Date: 22/02/2005

Re: Port-forwarding Perfomance

[Daniel]

On Thu, 24 Feb 2005 16:15:16 -0800, Rudi Starcevic <tech@wildcash.com> 
wrote:

> Hi,
>
>
> I'm still seeing slow performance with my port-forwarding but
> have found something interesting that may be problematic.
>
> Just to re-cap:
>
> I have one Linux 66.283.12.21 box and one Windows box 192.168.0.10
> I can download a file of the linux box at around 140K/s
> That very same file download on the Windows machine is around 15K/s 
> using DNAT and Masq/Forwarding.
>
> However we can upload to the Windows box at 140k/s.
>
> So it is only slow, 15K/s, when the data is coming from Windows then 
> through the Linux Iptables Masq/Forwarding Firewall.
>
> I contacted an earlier Admin for the Windows machine and was informed 
> the TCP window size has been manually increased.
>
> Could this affect Forwarding in Iptables ?
>
> The default maximum TCP window size in Win2000 is 17520 bytes (12 
> segments).
> The current value is set at 131400.
>
> 90% of the traffic being port-forwarded are Digital video files.
> These range in size from 2MB to 200MB.
>
> So I assume with large files like these Windows would opt for it's 
> largest TCP window size.
>
> I guess the next step is to lower these to their default values and see 
> if it affect bandwidth.
>
> Your thoughts on that would be much appreciated.
>
> Thanks.
> Regards,
> Rudi
>
>
>
>

Your increased windows size should not affect the network performance. 
Windows machine performance - maybe, but not network overall. The tcp 
window is like a bucket representation. When your host is flooded with 
packets, it will send back syn/ack packets with win 0, which will make the 
source host retransmit the data again later until window > 1.



-- 
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

Re: Port-forwarding Perfomance

[Andy Furniss]

Rudi Starcevic wrote:
> Hi,
> 
> 
> I'm still seeing slow performance with my port-forwarding but
> have found something interesting that may be problematic.
> 
> Just to re-cap:
> 
> I have one Linux 66.283.12.21 box and one Windows box 192.168.0.10
> I can download a file of the linux box at around 140K/s
> That very same file download on the Windows machine is around 15K/s 
> using DNAT and Masq/Forwarding.
> 
> However we can upload to the Windows box at 140k/s.
> 
> So it is only slow, 15K/s, when the data is coming from Windows then 
> through the Linux Iptables Masq/Forwarding Firewall.
> 
> I contacted an earlier Admin for the Windows machine and was informed 
> the TCP window size has been manually increased.
> 
> Could this affect Forwarding in Iptables ?
> 
> The default maximum TCP window size in Win2000 is 17520 bytes (12 
> segments).
> The current value is set at 131400.

Max window size is 64k without scaling - so I assume they have turned 
scaling on aswell - there have been problems with scaling, one of the 
linux kernel releases set it to 7 which confused buggy peers. AIUI they 
turned it back down to workaround.

You could tcpdump so you can can see what's going on.


> 
> 90% of the traffic being port-forwarded are Digital video files.
> These range in size from 2MB to 200MB.
> 
> So I assume with large files like these Windows would opt for it's 
> largest TCP window size.
> 
> I guess the next step is to lower these to their default values and see 
> if it affect bandwidth.
> 
> Your thoughts on that would be much appreciated.
> 
> Thanks.
> Regards,
> Rudi
> 
> 
> 
>