* Slow performance - Trouble with IPtables rules
@ 2002-07-03 18:41 Karina Gómez Salgado
2002-07-03 19:00 ` Ramin Alidousti
2002-07-03 19:00 ` Antony Stone
0 siblings, 2 replies; 5+ messages in thread
From: Karina Gómez Salgado @ 2002-07-03 18:41 UTC (permalink / raw)
To: netfilter
Hi,
I'm trying to set up a Linux computer as my LAN gateway to the
Internet. Later, I will use this computer as a Squid proxy, but for
now it should only forward packets in and out of my LAN without
masquerading (I will use my class C segment), and that's it.
I took the rc.firewall rules as a base to create the gateway and it works,
but even if I only have one computer connected to the gateway the
Internet access is a little slow. The Internet access on the Linux PC
is fast, but on the other one(s) connected it is not that fast: when I try
to check a web page it takes a moment to process before it displays
the website, and the images can take a long time to show.
The rules I'm using are these:
--------------------------------
#!/bin/sh
#
echo -e "\n Loading Firewalling Rules \n"
IPTABLES=/sbin/iptables
UNIVERSE="0.0.0.0/0"
# eth1 faces the LAN, eth0 faces the Internet
INTIF="eth1"
EXTIF="eth0"
echo " Enabling forwarding.. "
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " Clearing existing rules... "
# Default policy DROP on all three chains, then flush and reset every chain
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -Z
# Accept everything into and out of the gateway itself, from and to any address
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j ACCEPT -v
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j ACCEPT -v
# Forward everything in both directions between the two interfaces
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT -v
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT -v
Are these settings enough? Do I need something more?
I'd appreciate any help a lot,
Karina
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Slow performance - Trouble with IPtables rules
From: Ramin Alidousti @ 2002-07-03 19:00 UTC (permalink / raw)
To: Karina Gómez Salgado; +Cc: netfilter
The rules you're using here do nothing. Don't you have any
layer 2 problem between your internal hosts and the gateway?
Try a simple ping and see what rtt you get and/or if there
is any packet loss.
Ramin
* Re: Slow performance - Trouble with IPtables rules
From: Antony Stone @ 2002-07-03 19:00 UTC (permalink / raw)
To: netfilter
On Wednesday 03 July 2002 7:41 pm, Karina Gómez Salgado wrote:
> The rules i'm using are these:
> --------------------------------
>
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -P FORWARD DROP
>
> $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j ACCEPT -v
>
> $IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j ACCEPT -v
>
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT -v
>
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT -v
So, you're setting a default policy of DROP on INPUT, FORWARD and OUTPUT -
very good.
Then, you're allowing absolutely everything in, from anywhere, you're
allowing absolutely everything out, to anywhere, you're forwarding everything
from the outside to the inside, and you're forwarding everything from the
inside to the outside.
This is not a firewall, this is a complex way to plug the Internet into your
network.
What do you want to allow, and what do you want to block? These rules are
doing nothing for you.
Antony.
From: Karina Gómez Salgado @ 2002-07-03 21:49 UTC (permalink / raw)
To: Ramin Alidousti; +Cc: netfilter@lists.samba.org
The gateway is a Linux box with 2 NICs, one connected to the LAN and the other
one to the Internet. First I only want to test it as a gateway, and it seems it
works because I can ping successfully between my internal LAN and my gateway,
and from the LAN to outside I don't receive timeouts; the RTT is about 1 ms
between an internal PC and the gateway.
I took these two lines from the rc.firewall script, I just eliminated the line
about masquerading.
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT -v
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT -v
Of course, I don't know if this is right, because almost all the examples
include masquerading and I don't want to use it.
I'd appreciate it if you can guide me on this matter.
Thanks in advance,
Karina
Ramin Alidousti wrote:
> The rules you're using here do nothing. Don't you have any
> layer 2 problem between your internal hosts and the gateway?
> Try a simple ping and see what rtt you get and/or if there
> is any packet loss.
>
> Ramin
>
--
Karina Gómez
From: Karina Gómez Salgado @ 2002-07-03 22:01 UTC (permalink / raw)
To: Antony Stone; +Cc: netfilter@lists.samba.org
I thought about restricting the IP class subnets on the interfaces, but I
thought to do it later.
What I want to implement is a simple gateway to the Internet for the internal
network; I don't want masquerading or a complex firewall. I only want to give
Internet access to the LAN, and force a Squid transparent proxy (I have the
redirect rule commented out, but I tested it before and it seems to work).
So basically, and before the Squid redirection, I want to give Internet access
to my LAN without masq, without filters. These rules seem to work but not in the
optimal way because there are delays in the display of the web pages, the email
downloading etc., even with only 1 or 2 computers connected on the LAN.
I hope that I could explain it.
Thanks for all your help,
Karina
--
Karina Gómez
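The script below is an added example, not code from the thread or from the rc.firewall script Karina mentions. It keeps the deny-by-default policies Antony approves of, but replaces the accept-everything rules with a routed (non-masquerading) set in which the LAN may open connections outward and the outside only gets packets belonging to those connections, plus the transparent Squid redirect Karina describes as an option. Interface names follow the thread; the LAN subnet 192.0.2.0/24, the Squid port 3128 and the run/APPLY dry-run wrapper are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: a deny-by-default rule set for a routed
# (non-masquerading) Linux gateway with an optional transparent Squid redirect.
# Assumed values: eth1 = LAN side, eth0 = Internet side (as in the thread),
# 192.0.2.0/24 as a placeholder for the routed class C, Squid on port 3128.
set -e

INTIF="${INTIF:-eth1}"
EXTIF="${EXTIF:-eth0}"
LAN="${LAN:-192.0.2.0/24}"            # placeholder: the public subnet behind INTIF
SQUID_PORT="${SQUID_PORT:-3128}"      # assumed local Squid listening port
APPLY="${APPLY:-0}"                   # APPLY=1 executes the commands; otherwise they are printed

# Dry-run wrapper: print the command unless APPLY=1, so the rule set can be
# reviewed (and tested) without root or a second NIC.
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

load_rules() {
    run sysctl -w net.ipv4.ip_forward=1

    # Deny by default, then start from empty chains.
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -P FORWARD DROP
    run iptables -F
    run iptables -t nat -F
    run iptables -X

    # Traffic to the gateway itself: loopback, replies to its own connections,
    # and hosts on the LAN side (the Squid redirect needs this to work).
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$INTIF" -s "$LAN" -j ACCEPT
    run iptables -A OUTPUT -j ACCEPT

    # Routed traffic: the LAN may open connections outward; from the outside
    # only packets belonging to those connections are let back in. A packet
    # with a LAN source arriving on EXTIF matches neither rule and hits the
    # DROP policy, as does any unsolicited inbound connection to a LAN host.
    run iptables -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$LAN" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log (rate-limited) what is about to be dropped, so blocked traffic is visible.
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "

    # Optional transparent proxy: divert LAN web traffic to the local Squid.
    if [ "${REDIRECT_HTTP:-0}" = "1" ]; then
        run iptables -t nat -A PREROUTING -i "$INTIF" -s "$LAN" -p tcp --dport 80 \
            -j REDIRECT --to-ports "$SQUID_PORT"
    fi
}

# Stand-alone run: prints the rule set (dry run) unless APPLY=1 was exported.
load_rules
```

Run it as-is to review the generated commands, then with APPLY=1 (and REDIRECT_HTTP=1 once Squid is listening) to load them. Compared with the thread's script, the difference a practitioner cares about is the two FORWARD rules: the state match turns "forward everything both ways" into "LAN-initiated connections and their replies only", and the LOG rule makes the policy drops observable instead of silent.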