LinuxQuestions.org - Linux - Networking
Thread: bittorrent / iptables (?) problem (works more or less :x)
https://www.linuxquestions.org/questions/linux-networking-3/bittorrent-iptables-problem-works-more-or-less-x-161305/

nei 03-23-2004 07:13 AM

bittorrent / iptables (?) problem (works more or less :x)
 
Hi,

I am having trouble with bittorrent and my gateway (Slack 9.1).

I launch the downloads directly on my gw with screen... it actually works, but very badly...
The d/l rate is between a few hundred bytes/s and 4-6k/s when it works well :/ I've also
tried on a win2k box behind the gw, but I get timeouts and it also doesn't work well...
(I'm speaking of recent bt with a lot of seeders and leechers...)
Below is my fw script and a few commands' outputs... am I missing something?
(btw I have an ADSL 512k)

Thanks for any help, and sorry for my English ^^


This one has 80 seeds and 80 leechers... (I used to d/l at more than 40k/s one month ago :/)
| file: [AonE]_Gungrave_22_[134772B0].avi |
| size: 193,798,144 (184.8 MB) |
| dest: /home/nei/dl/[AonE]_Gungrave_22_[134772B0].avi |
| progress: |
| status: finishing in 20:35:33 (82.3%) |
| speed: 1.3 KB/s down - 10.4 KB/s up |
| totals: 6.5 MB down - 64.8 MB up |


root@syhknosys:~# cat /etc/rc.d/rc.firewall
#!/bin/bash

IPTABLES=/usr/local/sbin/iptables

#--------------------------------------------------------------------#

echo "1" > /proc/sys/net/ipv4/ip_forward

#Disabling IP Spoofing attacks.
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter

#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Block source routing
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps
echo "0" > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Log martians (packets with impossible addresses)
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

#Set our local port range
#echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

#Reduce DoS'ing ability by reducing timeouts
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "2400" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
#--------------------------------------------------------------------#
#Flush the tables
$IPTABLES -t filter -F
$IPTABLES -t filter -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X

#--------------------------------------------------------------------#
#Setting policies on filter table
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#--------------------------------------------------------------------#
#Setting policies on the other tables
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT

$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
#--------------------------------------------------------------------#
#ACCEPTing ourselves
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
#ACCEPTing lan packets
$IPTABLES -A INPUT -i eth0 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -m state --state NEW -j LOG --log-prefix="[eth0]new connection:"
$IPTABLES -A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -m state --state NEW -j LOG --log-prefix="[eth1]new connection:"
$IPTABLES -A OUTPUT -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
#ACCEPTing wlan packets
$IPTABLES -A INPUT -i wlan0 -j ACCEPT
$IPTABLES -A OUTPUT -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
#FW has internet...
$IPTABLES -A OUTPUT -o ppp0 -j ACCEPT
$IPTABLES -A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
#--------------------------------------------------------------------#
#NATing
$IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s 192.168.16.0/24 -o ppp0 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s 192.168.11.0/24 -o ppp0 -j MASQUERADE

#Conntrack: FORWARDing everything from the LAN/WLAN to the Net
$IPTABLES -A FORWARD -i eth0 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i wlan0 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#...allowing valid, already established connections from the Net
$IPTABLES -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i ppp0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i ppp0 -o wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#....
$IPTABLES -A FORWARD -i eth1 -o eth0 -m state --state ! INVALID -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ! INVALID -j ACCEPT
#...
#--------------------------------------------------------------------#
#misc...-p icmp -m state --state RELATED -j ACCEPT

$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -j ACCEPT

#ACCEPTing a few things for now:
$IPTABLES -A INPUT -p tcp --dport ssh -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport http -j ACCEPT
#dns :p
$IPTABLES -A INPUT -i ppp0 -p udp --sport 53 --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT

# ! bittorrent ...
iptables -A INPUT -i ppp0 -p tcp --dport 6881:6889 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 6969 -j ACCEPT

#test ! bittorrent ...
#iptables -A INPUT -i ppp0 -p tcp --dport 6000:7000 -j ACCEPT

root@syhknosys:~# netstat -nap --ip |grep 688
tcp 0 0 0.0.0.0:6881 0.0.0.0:* LISTEN 16026/python
tcp 0 0 82.x4.14.xx:6881 65.33.21.184:3799 SYN_RECV -
tcp 0 0 0.0.0.0:6882 0.0.0.0:* LISTEN 4093/python
tcp 0 0 82.x4.14.xx:6881 24.210.200.68:1124 TIME_WAIT -
tcp 0 1 82.x4.14.xx:6881 80.223.145.248:1425 FIN_WAIT1 -
tcp 0 1 82.x4.14.xx:6881 24.197.24.203:1564 FIN_WAIT1 -
tcp 0 0 82.x4.14.xx:6881 66.111.59.20:50548 ESTABLISHED 16026/python
root@syhknosys:~# uname -a
Linux syhknosys 2.4.25-grsec #1 Sun Feb 22 19:21:25 CET 2004 i686 unknown unknown GNU/Linux

Here's a bt screenshot...

| file: Kenichi_Sonoda_-_Gallant_(DPG_-_4D1D5B86)_www.animeart.com.ar.zip |
| size: 164,025,486 (156.4 MB) |
| dest: /home/nei/dl/Kenichi_Sonoda_-_Gallant_(DPG_-_4D1D5B86)_www.animeart.com.ar.zip |
| progress: #############################################################______________ |
| status: finishing in 22:58:28 (88.7%) |
| speed: 6 B/s down - 1.5 KB/s up |
| totals: 58.1 MB down - 135.0 MB up |
| error(s): [09:27:07] Problem connecting to tracker - timeout exceeded |
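
A cross-check that is not part of the thread (example code, written for this page rather than taken from the poster's script or from any tool named here): with `-P INPUT DROP`, a TCP listener on the gateway is reachable from the Net only if some INPUT rule for ppp0 (or a rule with no `-i`, which applies to every interface) accepts its port. The script below parses the bittorrent lines of the rc.firewall pasted above together with the `netstat -nap --ip` output, reports which LISTEN sockets fall outside the accepted ranges, and counts the socket states on the bittorrent port so one can see whether inbound peers are completing handshakes. Both inputs are constructed from the text of the post; the function names are this example's own, and rules that use service names (`ssh`, `http`) instead of numbers are skipped.

```python
"""Check which TCP listeners on a gateway are reachable through its WAN-side INPUT rules.

Added example for this thread, not the poster's code. Inputs are constructed from the
rc.firewall and netstat output pasted in the post above.
"""
import re
from collections import Counter

# Constructed from the bittorrent section of the posted rc.firewall.
FIREWALL_LINES = """
$IPTABLES -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 6881:6889 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --dport 6969 -j ACCEPT
#iptables -A INPUT -i ppp0 -p tcp --dport 6000:7000 -j ACCEPT
""".strip().splitlines()

# Constructed from the posted `netstat -nap --ip | grep 688` output.
NETSTAT_LINES = """
tcp 0 0 0.0.0.0:6881 0.0.0.0:* LISTEN 16026/python
tcp 0 0 82.x4.14.xx:6881 65.33.21.184:3799 SYN_RECV -
tcp 0 0 0.0.0.0:6882 0.0.0.0:* LISTEN 4093/python
tcp 0 0 82.x4.14.xx:6881 24.210.200.68:1124 TIME_WAIT -
tcp 0 1 82.x4.14.xx:6881 80.223.145.248:1425 FIN_WAIT1 -
tcp 0 1 82.x4.14.xx:6881 24.197.24.203:1564 FIN_WAIT1 -
tcp 0 0 82.x4.14.xx:6881 66.111.59.20:50548 ESTABLISHED 16026/python
""".strip().splitlines()

# Matches "iptables"/"$IPTABLES -A INPUT [-i IFACE] -p tcp --dport LO[:HI] -j ACCEPT".
# Only numeric ports are handled; service names such as "ssh" do not match.
RULE_RE = re.compile(
    r"^\s*(?:\$IPTABLES|iptables)\s+-A\s+INPUT\s+(?:-i\s+(?P<iface>\S+)\s+)?"
    r"-p\s+tcp\s+--dport\s+(?P<lo>\d+)(?::(?P<hi>\d+))?\s+-j\s+ACCEPT\s*$"
)


def wan_accept_ranges(lines, wan_iface="ppp0"):
    """Return (lo, hi) TCP port ranges that INPUT accepts for packets arriving on wan_iface.

    A rule without -i applies to every interface, so it counts as WAN-reachable too.
    Commented-out lines are ignored.
    """
    ranges = []
    for line in lines:
        if line.lstrip().startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("iface") not in (None, wan_iface):
            continue
        lo = int(m.group("lo"))
        hi = int(m.group("hi") or lo)
        ranges.append((lo, hi))
    return ranges


def _local_port(fields):
    # Local address is the 4th column ("0.0.0.0:6881", "82.x4.14.xx:6881").
    return int(fields[3].rsplit(":", 1)[1])


def tcp_listeners(lines):
    """Set of local TCP ports in LISTEN state from `netstat -nap --ip` output."""
    ports = set()
    for line in lines:
        fields = line.split()
        if len(fields) >= 6 and fields[0] == "tcp" and fields[5] == "LISTEN":
            ports.add(_local_port(fields))
    return ports


def state_counts(lines, port):
    """Count non-LISTEN socket states (SYN_RECV, ESTABLISHED, ...) on one local port."""
    counts = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) >= 6 and fields[0] == "tcp" and fields[5] != "LISTEN":
            if _local_port(fields) == port:
                counts[fields[5]] += 1
    return dict(counts)


def uncovered_listeners(firewall_lines, netstat_lines, wan_iface="ppp0"):
    """Listening ports that no WAN-side INPUT ACCEPT rule covers (unreachable under policy DROP)."""
    ranges = wan_accept_ranges(firewall_lines, wan_iface)
    return sorted(
        p for p in tcp_listeners(netstat_lines)
        if not any(lo <= p <= hi for lo, hi in ranges)
    )


if __name__ == "__main__":
    print("accepted on ppp0:", wan_accept_ranges(FIREWALL_LINES))
    print("listening:", sorted(tcp_listeners(NETSTAT_LINES)))
    print("listeners not reachable from ppp0:", uncovered_listeners(FIREWALL_LINES, NETSTAT_LINES))
    print("states on 6881:", state_counts(NETSTAT_LINES, 6881))
```

On the posted data both listeners (6881 and 6882) sit inside the 6881:6889 range, and port 6881 shows an ESTABLISHED inbound connection next to the SYN_RECV and FIN_WAIT1 entries, so the INPUT rule itself is letting peers in; the tracker timeout in the second screenshot is an outbound connection, which the script's `-A OUTPUT -o ppp0 -j ACCEPT` rule does not restrict. Running the same check after each rule change is a quick way to confirm that a new listener (a second client on 6882, for instance) is still inside the accepted range.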

nei 03-30-2004 08:33 AM

:'(

Azmeen 03-31-2004 06:34 AM

I've got a similar setup on my firewall, although it's not a gateway.

Maybe you should try adjusting your bittorrent section a bit to look like:
Code:

# ! bittorrent ...
$IPTABLES -A INPUT -i ppp0 -p tcp --dport 6881:6889 -j ACCEPT

I don't think that the other line is necessary.
