LinuxQuestions.org - Linux - Networking
IPTABLES: drastic decrease in ping time (http://www.linuxquestions.org/questions/linux-networking-3/iptables-drastic-decrease-in-ping-time-4175451842/)

DBabo 02-26-2013 10:10 PM

IPTABLES: drastic decrease in ping time
 
Hello,
Some time ago a few nice souls here helped me learn the basics of iptables. I hope I can get some insight into what the hell I'm doing wrong now.

I have 2 clients: a RHEL 6.3 server with iptables, on a 10 Mbps ethernet connection to a router running DD-WRT, and a Raspberry Pi on a USB wifi (n) stick.
Here are the ping times to yahoo.com from both clients as well as their routing tables. The internal network is 192.168.1.X with the router at 192.168.1.1.

Question:
Why does iptables take so much time to process, basically 6X the time without iptables?
Is there something wrong with my rules?
What's the general* time penalty?

* I know that's a very inaccurate word, but at least it's something I can measure against...

PI:
Code:

ping yahoo.com
PING yahoo.com (98.138.253.109) 56(84) bytes of data.
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=1 ttl=50 time=151 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=2 ttl=50 time=175 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=3 ttl=50 time=198 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=4 ttl=50 time=99.8 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=5 ttl=50 time=245 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=6 ttl=50 time=83.5 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=7 ttl=49 time=190 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=8 ttl=50 time=79.2 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=9 ttl=50 time=134 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=10 ttl=50 time=260 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=11 ttl=49 time=85.0 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=12 ttl=50 time=125 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=13 ttl=49 time=331 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=14 ttl=49 time=253 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=15 ttl=49 time=173 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=16 ttl=50 time=196 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=17 ttl=50 time=80.3 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=18 ttl=50 time=88.1 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=19 ttl=49 time=163 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=20 ttl=49 time=289 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=21 ttl=49 time=129 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=22 ttl=50 time=233 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=23 ttl=50 time=85.8 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=24 ttl=49 time=178 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=25 ttl=49 time=204 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=26 ttl=49 time=226 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=28 ttl=49 time=165 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=29 ttl=50 time=98.3 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=30 ttl=50 time=314 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=31 ttl=49 time=235 ms
^C
--- yahoo.com ping statistics ---
31 packets transmitted, 30 received, 3% packet loss, time 30022ms
rtt min/avg/max/mdev = 79.228/175.974/331.077/72.021 ms

route
Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
default        192.168.1.1    0.0.0.0        UG    0      0        0 wlan0
192.168.1.0    *              255.255.255.0  U    0      0        0 wlan0


from server with iptables up
Code:

[root@server ~]# ping yahoo.com
PING yahoo.com (98.139.183.24) 56(84) bytes of data.
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=1 ttl=52 time=717 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=2 ttl=52 time=703 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=3 ttl=52 time=859 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=4 ttl=52 time=785 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=5 ttl=52 time=680 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=6 ttl=52 time=603 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=7 ttl=52 time=581 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=8 ttl=52 time=586 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=9 ttl=52 time=631 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=10 ttl=52 time=685 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=11 ttl=52 time=618 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=12 ttl=52 time=580 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=13 ttl=52 time=688 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=14 ttl=52 time=746 ms
^C
--- yahoo.com ping statistics ---
15 packets transmitted, 14 received, 6% packet loss, time 14347ms
rtt min/avg/max/mdev = 580.052/676.263/859.350/80.163 ms

from server with iptables down
Code:

[root@server ~]# ping yahoo.com
PING yahoo.com (206.190.36.45) 56(84) bytes of data.
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=1 ttl=47 time=137 ms
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=2 ttl=48 time=212 ms
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=3 ttl=49 time=118 ms
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=4 ttl=48 time=184 ms
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=5 ttl=48 time=149 ms
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=6 ttl=48 time=97.9 ms
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=7 ttl=47 time=115 ms
^C
--- yahoo.com ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6714ms
rtt min/avg/max/mdev = 97.906/145.214/212.803/37.921 ms

routing on server :
Code:

route
Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
192.168.1.0    *              255.255.255.0  U    0      0        0 eth0
192.168.56.0    *              255.255.255.0  U    0      0        0 vboxnet0
link-local      *              255.255.0.0    U    1002  0        0 eth0
default        192.168.1.1    0.0.0.0        UG    0      0        0 eth0

CPU
model name : AMD Phenom(tm) II X4 830 Processor

iptables:
Code:

#!/bin/sh -x
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

IPT="/sbin/iptables"


$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT


$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw

$IPT -Z
$IPT -Z -t nat
$IPT -Z -t mangle
$IPT -Z -t raw

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPT -A INPUT -i lo -j ACCEPT

#FTP
#$IPT -A INPUT -p TCP -i eth0 --dport 21 -m state --state NEW -j ACCEPT
#$IPT -A INPUT -p TCP -i eth0 --dport 20 -m state --state NEW -j ACCEPT

#WEB
#$IPT -A INPUT -p TCP -i eth0 --dport 80 -m state --state NEW -j ACCEPT
#$IPT -A INPUT -p TCP -i eth0 --dport 443 -m state --state NEW -j ACCEPT

#GIT
#$IPT -A INPUT -p TCP -i eth0 --dport 9418 -m state --state NEW -j ACCEPT

#Torrent/ Transmission
#$IPT -A INPUT -p TCP -i eth0 --dport 6881:6999 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP -i eth0 --dport 51413 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p UDP -i eth0 --dport 51413 -m state --state NEW -j ACCEPT

$IPT -A INPUT -p TCP -i eth0 --dport 59300 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p UDP -i eth0 --dport 59300 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP -i eth0 --dport 19377 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p UDP -i eth0 --dport 19377 -m state --state NEW -j ACCEPT

$IPT -A INPUT -p TCP -i eth0 -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT

#Oracle OEM
$IPT -A INPUT -p TCP -i eth0 -s 192.168.1.0/24 --dport 3938 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP -i eth0 -s 192.168.1.0/24 --dport 1158 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP -i eth0 -s 192.168.1.0/24 --dport 1521 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP -i eth0 -s 192.168.1.0/24 --dport 7780 -m state --state NEW -j ACCEPT

#POSTGRES
$IPT -A INPUT -p TCP -i eth0 -s 192.168.1.0/24 --dport 5432 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP -i vboxnet0 -s 192.168.56.0/24 --dport 5432 -m state --state NEW -j ACCEPT

#NTP
#$IPT -A INPUT -p UDP -i eth0 --dport 123 -m state --state NEW -j ACCEPT

#SAMBA
$IPT -A INPUT -s 192.168.1.0/24 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
$IPT -A INPUT -s 192.168.1.0/24 -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
$IPT -A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT

# For laptop
$IPT -A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
$IPT -A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 524 -j ACCEPT


#SSH for tunnel only
$IPT -A INPUT -s 194.28.84.12 -m state --state NEW -m tcp -p tcp --sport 22 -j ACCEPT

$IPT -A INPUT -j ULOG --ulog-prefix "INPUT DROP: "

#DROP everything for Betfair, BestPoker and Ongame

$IPT -A OUTPUT -p TCP -o eth0 -d 77.68.63.0/24,66.212.235.0/24,87.248.217.0/24,84.20.200.0/24,84.20.200.0/24,66.212.235.0/24,87.248.217.0/24,46.20.118.0/24,109.202.112.0/24 -m state --state NEW,RELATED,ESTABLISHED -j DROP


$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPT -A OUTPUT -o lo -j ACCEPT

#SSH
$IPT -A OUTPUT -p TCP -o eth0 -d 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p TCP -o eth0  --dport 22 -m owner --uid-owner az -m state --state NEW -j ACCEPT

# Web.
$IPT -A OUTPUT -p TCP -o eth0 --dport 80  -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p TCP -o eth0 --dport 8080  -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p TCP -o eth0 --dport 8000  -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p TCP -o eth0 --dport 443 -m state --state NEW -j ACCEPT

#DNS lookup
$IPT -A OUTPUT -p UDP -o eth0 --dport 53  -m state --state new -j ACCEPT

#GIT
$IPT -A OUTPUT -p TCP -o eth0 --dport 9418 -m state --state NEW -j ACCEPT

#NTP
$IPT -A OUTPUT -p UDP -o eth0 --dport 123 -m state --state NEW -j ACCEPT

#FTP
$IPT -A OUTPUT -p TCP -o eth0 -m multiport --dport 20:21 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p TCP -o eth0 -m multiport --dport 200:210 -m state --state NEW -j ACCEPT

#POSTGRES
$IPT -A OUTPUT -p TCP -o vboxnet0 -d 192.168.56.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT

#RPM
#$IPT -A OUTPUT -p TCP -o eth0 --dport 21 -m owner --uid-owner root -m state --state NEW -j ACCEPT
#$IPT -A OUTPUT -p TCP -o eth0 --dport 22 -m owner --uid-owner root -m state --state NEW -j ACCEPT

#Torrent
#$IPT -A OUTPUT -p TCP -o eth0 --sport 30000:60000 -m state --state new -j ACCEPT
#$IPT -A OUTPUT -p TCP -o eth0 --sport 6881:6999 -m state --state new -j ACCEPT
#$IPT -A OUTPUT -p UDP -o eth0 --sport 6881        -m state --state new -j ACCEPT
$IPT -A OUTPUT -p TCP -o eth0 --sport 51413 -m state --state new -j ACCEPT
$IPT -A OUTPUT -p UDP -o eth0 --sport 51413 -m state --state new -j ACCEPT
#$IPT -A OUTPUT -p UDP -o eth0 --sport 6881        -m state --state new -j ACCEPT

#SAMBA
$IPT -A OUTPUT -p UDP -o eth0 -m state --state NEW --dport 137 -j ACCEPT
$IPT -A OUTPUT -p UDP -o eth0 -m state --state NEW --dport 138 -j ACCEPT
$IPT -A OUTPUT -p TCP -o eth0 -m state --state NEW --dport 139 -j ACCEPT

## TRACEROUTE
# Outgoing traceroute anywhere.
# The reply to a traceroute is an icmp time-exceeded which is dealt with by the next rule.
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"

$IPT -A OUTPUT -o eth0 -p udp --sport $TR_SRC_PORTS --dport $TR_DEST_PORTS -m state --state NEW -j ACCEPT

# ICMP
# We always allow icmp out. ICMP is for tracert
$IPT -A OUTPUT -o eth0 -p icmp -m state --state NEW -j ACCEPT

$IPT -A OUTPUT -j ULOG --ulog-prefix "OUTPUT DROP: "


acid_kewpie 02-27-2013 02:56 PM

You're pinging different IP addresses! This means nothing at all if you're hitting different remote sites!

DBabo 02-27-2013 04:23 PM

Uhhh. That was a huge oversight on my part.

Code:

service iptables stop
iptables: Flushing firewall rules:                        [  OK  ]
iptables: Setting chains to policy ACCEPT: filter nat mangl[  OK  ]
iptables: Unloading modules:                              [  OK  ]
[root@server ~]# ping 206.190.36.45
PING 206.190.36.45 (206.190.36.45) 56(84) bytes of data.
64 bytes from 206.190.36.45: icmp_seq=1 ttl=48 time=534 ms
64 bytes from 206.190.36.45: icmp_seq=2 ttl=49 time=482 ms
64 bytes from 206.190.36.45: icmp_seq=3 ttl=47 time=532 ms
64 bytes from 206.190.36.45: icmp_seq=4 ttl=49 time=513 ms
64 bytes from 206.190.36.45: icmp_seq=5 ttl=48 time=601 ms
64 bytes from 206.190.36.45: icmp_seq=6 ttl=47 time=577 ms
64 bytes from 206.190.36.45: icmp_seq=7 ttl=47 time=640 ms
64 bytes from 206.190.36.45: icmp_seq=8 ttl=47 time=755 ms
64 bytes from 206.190.36.45: icmp_seq=9 ttl=48 time=701 ms
64 bytes from 206.190.36.45: icmp_seq=10 ttl=48 time=614 ms
^C
--- 206.190.36.45 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9917ms
rtt min/avg/max/mdev = 482.303/595.312/755.650/81.714 ms
[root@server ~]# service iptables start
iptables: Applying firewall rules:                        [  OK  ]
[root@server ~]#
[root@server ~]# ping 206.190.36.45
PING 206.190.36.45 (206.190.36.45) 56(84) bytes of data.
64 bytes from 206.190.36.45: icmp_seq=1 ttl=48 time=800 ms
64 bytes from 206.190.36.45: icmp_seq=2 ttl=47 time=861 ms
64 bytes from 206.190.36.45: icmp_seq=3 ttl=49 time=840 ms
64 bytes from 206.190.36.45: icmp_seq=4 ttl=49 time=826 ms
64 bytes from 206.190.36.45: icmp_seq=5 ttl=47 time=922 ms
64 bytes from 206.190.36.45: icmp_seq=6 ttl=47 time=894 ms
64 bytes from 206.190.36.45: icmp_seq=7 ttl=48 time=980 ms
64 bytes from 206.190.36.45: icmp_seq=8 ttl=48 time=922 ms
64 bytes from 206.190.36.45: icmp_seq=9 ttl=48 time=850 ms
64 bytes from 206.190.36.45: icmp_seq=10 ttl=49 time=854 ms
64 bytes from 206.190.36.45: icmp_seq=11 ttl=47 time=874 ms
64 bytes from 206.190.36.45: icmp_seq=12 ttl=49 time=805 ms
64 bytes from 206.190.36.45: icmp_seq=13 ttl=48 time=779 ms
64 bytes from 206.190.36.45: icmp_seq=14 ttl=47 time=809 ms
64 bytes from 206.190.36.45: icmp_seq=15 ttl=48 time=811 ms
64 bytes from 206.190.36.45: icmp_seq=16 ttl=49 time=792 ms
64 bytes from 206.190.36.45: icmp_seq=17 ttl=48 time=802 ms
^C
--- 206.190.36.45 ping statistics ---
18 packets transmitted, 17 received, 5% packet loss, time 17492ms


So around 200-300 ms with iptables on. Is that "normal"?

d4nt3 02-27-2013 05:11 PM

same problem
 
I have the same problem.
But I know where mine is.
It all began when I selected packets from an IP range to redirect to a chain, like this:

iptables -A INPUT ! -s 192.168.0.0/16 -j internet
iptables -A INPUT -s 192.168.0.0/16 -j localnetwork

Before those rules I had:

iptables -A INPUT -i eth0 -j internet
iptables -A INPUT -i wlan0 -j localnetwork

and packets were 2x faster to reach any external IP.

Does anyone know if that is really true or whether there is some problem with my system?
Is there any way to fix this?

DBabo 02-27-2013 07:17 PM

Quote:

Originally Posted by d4nt3 (Post 4901175)
I have the same problem.
But I know where mine is.
It all began when I selected packets from an IP range to redirect to a chain, like this:

iptables -A INPUT ! -s 192.168.0.0/16 -j internet
iptables -A INPUT -s 192.168.0.0/16 -j localnetwork

Before those rules I had:

iptables -A INPUT -i eth0 -j internet
iptables -A INPUT -i wlan0 -j localnetwork

and packets were 2x faster to reach any external IP.

Does anyone know if that is really true or whether there is some problem with my system?
Is there any way to fix this?

I was advised to look into creating user chains as subroutines to handle as many addresses as possible in a single execution. I haven't had time to look into this. Maybe you can?

d4nt3 02-27-2013 08:25 PM

Quote:

Originally Posted by DBabo (Post 4901245)
I was advised to look into creating user chains as subroutines to handle as many addresses as possible in a single execution. I haven't had time to look into this. Maybe you can?

Can you explain this procedure to me in more detail?

I had created some chains and redirected packets to them and it worked fine, until I changed the method from source interface to IP range.

Even when I run "iptables -L -v" it takes a while before it shows the rules I mentioned before about the IP range and its specifications.

DBabo 02-28-2013 01:08 AM

Quote:

Originally Posted by d4nt3 (Post 4901278)
Can you explain this procedure to me in more detail?

I had created some chains and redirected packets to them and it worked fine, until I changed the method from source interface to IP range.

Even when I run "iptables -L -v" it takes a while before it shows the rules I mentioned before about the IP range and its specifications.

No idea at this point. I need a few quiet hours to read up on this.

jschiwal 02-28-2013 02:22 AM

I copied post #4 to its own thread due to " Anyone knows if that is realy (sic) true or there are some problem with my system? There's any way to fix this?"

If you wish to help d4nt3, please do so in that thread.
http://www.linuxquestions.org/questi...3/#post4901432

acid_kewpie 02-28-2013 02:36 AM

OK, so the ICMP rules on OUTPUT are right at the very bottom of the list, which is not what you'd normally see. You'd only not see them there though as they're generally just part of the bumpf at the start, with the conntrack entries, before you have the "interesting" bits below. But if you do move that up above all the "NEW"s it'll presumably get faster, but then note that that pushes everything else down one more, making those a tad slower in theory each time.

Rather than turning iptables off completely, try just flushing OUTPUT, so all the other rules still exist. Note that as the conntrack stuff will greatly affect all UDP and TCP connections once they're established, this delay you're seeing is going to be the very worst data flow your rule set could encounter - a non-stateful flow at the bottom of the list.

Also I'd move that betfair entry to below the ESTABLISHED line. It shouldn't make a difference to that order really, as the NEW connections still can't start, and it will halve (i.e. 2 to 1) the number of rules all other established data will hit.
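Added example, not part of the thread or of DBabo's script: a toy Python model of the OUTPUT chain posted above that counts how many rules a packet is checked against before it reaches a verdict, in the posted order and after the two moves suggested in this reply (betting DROP below the ESTABLISHED line, ICMP above the NEWs). The two packets are constructed, and the model expands the comma-separated `-d` list into one rule per address the way `iptables -A` does, so the single betting line counts as nine rules.

```python
from typing import Callable, NamedTuple

class Pkt(NamedTuple):
    proto: str                  # 'tcp' | 'udp' | 'icmp'
    state: str                  # conntrack state: 'NEW', 'ESTABLISHED' or 'RELATED'
    dport: int = 0
    sport: int = 0
    oif: str = 'eth0'
    dst: str = '206.190.36.45'  # the address pinged later in the thread
class Rule(NamedTuple):
    name: str
    match: Callable[[Pkt], bool]
    target: str                 # 'ACCEPT' | 'DROP' | 'ULOG' (ULOG never terminates)

def net24(ip: str) -> str:
    return ip.rsplit('.', 1)[0]

def new(proto, dports=(), sports=(), oif='eth0'):
    """Match for the script's '-p X -o IF --dport/--sport -m state --state NEW' rules."""
    return lambda p: (p.proto == proto and p.state == 'NEW' and p.oif == oif
                      and (not dports or p.dport in dports)
                      and (not sports or p.sport in sports))

# 'iptables -A ... -d a,b,c' is expanded into one rule per address, so the single
# betting line in the posted script is really nine rules (duplicates included).
BET_NETS = ['77.68.63', '66.212.235', '87.248.217', '84.20.200', '84.20.200',
            '66.212.235', '87.248.217', '46.20.118', '109.202.112']
BETTING = [Rule(f'DROP {n}.0/24', lambda p, n=n: p.proto == 'tcp' and net24(p.dst) == n, 'DROP')
           for n in BET_NETS]
ESTABLISHED = [Rule('RELATED,ESTABLISHED', lambda p: p.state in ('RELATED', 'ESTABLISHED'), 'ACCEPT'),
               Rule('lo', lambda p: p.oif == 'lo', 'ACCEPT')]
NEW_RULES = [Rule(n, m, 'ACCEPT') for n, m in [
    ('ssh lan', new('tcp', (22,))), ('ssh owner az', new('tcp', (22,))),
    ('web 80', new('tcp', (80,))), ('web 8080', new('tcp', (8080,))),
    ('web 8000', new('tcp', (8000,))), ('web 443', new('tcp', (443,))),
    ('dns', new('udp', (53,))), ('git', new('tcp', (9418,))), ('ntp', new('udp', (123,))),
    ('ftp 20:21', new('tcp', (20, 21))), ('ftp 200:210', new('tcp', range(200, 211))),
    ('postgres vboxnet0', new('tcp', oif='vboxnet0')),
    ('torrent tcp', new('tcp', sports=(51413,))), ('torrent udp', new('udp', sports=(51413,))),
    ('smb 137', new('udp', (137,))), ('smb 138', new('udp', (138,))), ('smb 139', new('tcp', (139,))),
    ('traceroute', new('udp', range(33434, 33524), range(32769, 65536)))]]
ICMP = [Rule('icmp', new('icmp'), 'ACCEPT')]
LOG = [Rule('ULOG "OUTPUT DROP: "', lambda p: True, 'ULOG')]

ORIGINAL = BETTING + ESTABLISHED + NEW_RULES + ICMP + LOG   # order of the posted script
REORDERED = ESTABLISHED + BETTING + ICMP + NEW_RULES + LOG  # betting below ESTABLISHED, ICMP above the NEWs

def walk(chain, pkt, policy='DROP'):
    """Return (verdict, number of rules evaluated) for pkt traversing chain."""
    for i, rule in enumerate(chain, 1):
        if rule.match(pkt) and rule.target != 'ULOG':   # ULOG logs and falls through
            return rule.target, i
    return policy, len(chain)                            # chain policy (-P OUTPUT DROP)

PING = Pkt('icmp', 'NEW')                      # first echo request of a ping (constructed)
REPLY = Pkt('tcp', 'ESTABLISHED', dport=443)  # data on an already-open HTTPS flow (constructed)
if __name__ == '__main__':
    for label, chain in (('original', ORIGINAL), ('reordered', REORDERED)):
        print(label, 'ping:', walk(chain, PING), 'established:', walk(chain, REPLY))
```

The model only counts rule evaluations; each one costs microseconds, so the numbers explain why the established flows gain far more from the reordering than the ping itself, not where hundreds of milliseconds go.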

