LinuxQuestions.org
Old 02-26-2013, 11:10 PM   #1
DBabo
Distribution: Scientific Linux 6
IPTABLES: drastic decrease in ping time


Hello,
Some time ago a few nice souls helped me here to learn the basics of iptables. I hope I can get some insight into what the hell I'm doing wrong now.

I have 2 clients: a RHEL 6.3 server with iptables on a 10MBps ethernet connection to a router running dd-wrt, and a Raspberry Pi on a USB wifi (n) stick.
Here are the ping times to yahoo.com from both clients, as well as their routing tables. The internal network is 192.168.1.X with router 192.168.1.1.

Question:
Why does iptables take so much time to process? Basically 6x the time without iptables.
Is there something wrong with my rules?
What's the general* time penalty?

* I know that's a very inaccurate word, but at least it's something I can measure against...

PI:
Code:
ping yahoo.com
PING yahoo.com (98.138.253.109) 56(84) bytes of data.
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=1 ttl=50 time=151 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=2 ttl=50 time=175 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=3 ttl=50 time=198 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=4 ttl=50 time=99.8 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=5 ttl=50 time=245 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=6 ttl=50 time=83.5 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=7 ttl=49 time=190 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=8 ttl=50 time=79.2 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=9 ttl=50 time=134 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=10 ttl=50 time=260 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=11 ttl=49 time=85.0 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=12 ttl=50 time=125 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=13 ttl=49 time=331 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=14 ttl=49 time=253 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=15 ttl=49 time=173 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=16 ttl=50 time=196 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=17 ttl=50 time=80.3 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=18 ttl=50 time=88.1 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=19 ttl=49 time=163 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=20 ttl=49 time=289 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=21 ttl=49 time=129 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=22 ttl=50 time=233 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=23 ttl=50 time=85.8 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=24 ttl=49 time=178 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=25 ttl=49 time=204 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=26 ttl=49 time=226 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=28 ttl=49 time=165 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=29 ttl=50 time=98.3 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=30 ttl=50 time=314 ms
64 bytes from ir1.fp.vip.ne1.yahoo.com (98.138.253.109): icmp_req=31 ttl=49 time=235 ms
^C
--- yahoo.com ping statistics ---
31 packets transmitted, 30 received, 3% packet loss, time 30022ms
rtt min/avg/max/mdev = 79.228/175.974/331.077/72.021 ms

route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
192.168.1.0     *               255.255.255.0   U     0      0        0 wlan0

From server with iptables up:
Code:
[root@server ~]# ping yahoo.com
PING yahoo.com (98.139.183.24) 56(84) bytes of data.
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=1 ttl=52 time=717 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=2 ttl=52 time=703 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=3 ttl=52 time=859 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=4 ttl=52 time=785 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=5 ttl=52 time=680 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=6 ttl=52 time=603 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=7 ttl=52 time=581 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=8 ttl=52 time=586 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=9 ttl=52 time=631 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=10 ttl=52 time=685 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=11 ttl=52 time=618 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=12 ttl=52 time=580 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=13 ttl=52 time=688 ms
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=14 ttl=52 time=746 ms
^C
--- yahoo.com ping statistics ---
15 packets transmitted, 14 received, 6% packet loss, time 14347ms
rtt min/avg/max/mdev = 580.052/676.263/859.350/80.163 ms
From server with iptables down:
Code:
[root@server ~]# ping yahoo.com
PING yahoo.com (206.190.36.45) 56(84) bytes of data.
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=1 ttl=47 time=137 ms
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=2 ttl=48 time=212 ms
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=3 ttl=49 time=118 ms
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=4 ttl=48 time=184 ms
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=5 ttl=48 time=149 ms
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=6 ttl=48 time=97.9 ms
64 bytes from ir1.fp.vip.gq1.yahoo.com (206.190.36.45): icmp_seq=7 ttl=47 time=115 ms
^C
--- yahoo.com ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6714ms
rtt min/avg/max/mdev = 97.906/145.214/212.803/37.921 ms
Routing on server:
Code:
route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.56.0    *               255.255.255.0   U     0      0        0 vboxnet0
link-local      *               255.255.0.0     U     1002   0        0 eth0
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
CPU
model name : AMD Phenom(tm) II X4 830 Processor

iptables:
Code:
#!/bin/sh -x
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

IPT="/sbin/iptables"


$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT


$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw

$IPT -Z
$IPT -Z -t nat
$IPT -Z -t mangle
$IPT -Z -t raw

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPT -A INPUT -i lo -j ACCEPT

#FTP
#$IPT -A INPUT -p TCP -i eth0 --dport 21 -m state --state NEW -j ACCEPT
#$IPT -A INPUT -p TCP -i eth0 --dport 20 -m state --state NEW -j ACCEPT

#WEB
#$IPT -A INPUT -p TCP -i eth0 --dport 80 -m state --state NEW -j ACCEPT
#$IPT -A INPUT -p TCP -i eth0 --dport 443 -m state --state NEW -j ACCEPT

#GIT
#$IPT -A INPUT -p TCP -i eth0 --dport 9418 -m state --state NEW -j ACCEPT

#Torrent/ Transmission
#$IPT -A INPUT -p TCP -i eth0 --dport 6881:6999 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP -i eth0 --dport 51413 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p UDP -i eth0 --dport 51413 -m state --state NEW -j ACCEPT

$IPT -A INPUT -p TCP -i eth0 --dport 59300 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p UDP -i eth0 --dport 59300 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP -i eth0 --dport 19377 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p UDP -i eth0 --dport 19377 -m state --state NEW -j ACCEPT

$IPT -A INPUT -p TCP -i eth0 -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT

#Oracle OEM
$IPT -A INPUT -p TCP -i eth0 -s 192.168.1.0/24 --dport 3938 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP -i eth0 -s 192.168.1.0/24 --dport 1158 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP -i eth0 -s 192.168.1.0/24 --dport 1521 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP -i eth0 -s 192.168.1.0/24 --dport 7780 -m state --state NEW -j ACCEPT

#POSTGRES
$IPT -A INPUT -p TCP -i eth0 -s 192.168.1.0/24 --dport 5432 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP -i vboxnet0 -s 192.168.56.0/24 --dport 5432 -m state --state NEW -j ACCEPT

#NTP
#$IPT -A INPUT -p UDP -i eth0 --dport 123 -m state --state NEW -j ACCEPT

#SAMBA
$IPT -A INPUT -s 192.168.1.0/24 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
$IPT -A INPUT -s 192.168.1.0/24 -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
$IPT -A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT

# For laptop
$IPT -A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
$IPT -A INPUT -s 192.168.1.0/24 -m state --state NEW -m tcp -p tcp --dport 524 -j ACCEPT


#SSH for tunnel only
$IPT -A INPUT -s 194.28.84.12 -m state --state NEW -m tcp -p tcp --sport 22 -j ACCEPT

$IPT -A INPUT -j ULOG --ulog-prefix "INPUT DROP: "

#DROP everything for Betfair, BestPoker and Ongame

$IPT -A OUTPUT -p TCP -o eth0 -d 77.68.63.0/24,66.212.235.0/24,87.248.217.0/24,84.20.200.0/24,46.20.118.0/24,109.202.112.0/24 -m state --state NEW,RELATED,ESTABLISHED -j DROP


$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPT -A OUTPUT -o lo -j ACCEPT

#SSH
$IPT -A OUTPUT -p TCP -o eth0 -d 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p TCP -o eth0  --dport 22 -m owner --uid-owner az -m state --state NEW -j ACCEPT

# Web.
$IPT -A OUTPUT -p TCP -o eth0 --dport 80  -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p TCP -o eth0 --dport 8080  -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p TCP -o eth0 --dport 8000  -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p TCP -o eth0 --dport 443 -m state --state NEW -j ACCEPT

#DNS lookup
$IPT -A OUTPUT -p UDP -o eth0 --dport 53  -m state --state new -j ACCEPT

#GIT
$IPT -A OUTPUT -p TCP -o eth0 --dport 9418 -m state --state NEW -j ACCEPT

#NTP
$IPT -A OUTPUT -p UDP -o eth0 --dport 123 -m state --state NEW -j ACCEPT

#FTP
$IPT -A OUTPUT -p TCP -o eth0 -m multiport --dport 20:21 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p TCP -o eth0 -m multiport --dport 200:210 -m state --state NEW -j ACCEPT

#POSTGRES
$IPT -A OUTPUT -p TCP -o vboxnet0 -d 192.168.56.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT

#RPM
#$IPT -A OUTPUT -p TCP -o eth0 --dport 21 -m owner --uid-owner root -m state --state NEW -j ACCEPT
#$IPT -A OUTPUT -p TCP -o eth0 --dport 22 -m owner --uid-owner root -m state --state NEW -j ACCEPT

#Torrent
#$IPT -A OUTPUT -p TCP -o eth0 --sport 30000:60000 -m state --state new -j ACCEPT
#$IPT -A OUTPUT -p TCP -o eth0 --sport 6881:6999 -m state --state new -j ACCEPT
#$IPT -A OUTPUT -p UDP -o eth0 --sport 6881	 -m state --state new -j ACCEPT
$IPT -A OUTPUT -p TCP -o eth0 --sport 51413 -m state --state new -j ACCEPT
$IPT -A OUTPUT -p UDP -o eth0 --sport 51413 -m state --state new -j ACCEPT
#$IPT -A OUTPUT -p UDP -o eth0 --sport 6881	 -m state --state new -j ACCEPT

#SAMBA
$IPT -A OUTPUT -p UDP -o eth0 -m state --state NEW --dport 137 -j ACCEPT
$IPT -A OUTPUT -p UDP -o eth0 -m state --state NEW --dport 138 -j ACCEPT
$IPT -A OUTPUT -p TCP -o eth0 -m state --state NEW --dport 139 -j ACCEPT

## TRACEROUTE
# Outgoing traceroute anywhere.
# The reply to a traceroute is an icmp time-exceeded which is dealt with by the next rule.
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"

$IPT -A OUTPUT -o eth0 -p udp --sport $TR_SRC_PORTS --dport $TR_DEST_PORTS -m state --state NEW -j ACCEPT

# ICMP
# We always allow icmp out. ICMP is for tracert
$IPT -A OUTPUT -o eth0 -p icmp -m state --state NEW -j ACCEPT

$IPT -A OUTPUT -j ULOG --ulog-prefix "OUTPUT DROP: "
Old 02-27-2013, 03:56 PM   #2
acid_kewpie
Moderator
Distribution: Gentoo, RHEL, Fedora, Centos
you're pinging different IP addresses! this means nothing at all if you're hitting different remote sites!
Old 02-27-2013, 05:23 PM   #3
DBabo
uhhh. that was a huge oversight on my part.

Code:
service iptables stop
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter nat mangl[  OK  ]
iptables: Unloading modules:                               [  OK  ]
[root@server ~]# ping 206.190.36.45
PING 206.190.36.45 (206.190.36.45) 56(84) bytes of data.
64 bytes from 206.190.36.45: icmp_seq=1 ttl=48 time=534 ms
64 bytes from 206.190.36.45: icmp_seq=2 ttl=49 time=482 ms
64 bytes from 206.190.36.45: icmp_seq=3 ttl=47 time=532 ms
64 bytes from 206.190.36.45: icmp_seq=4 ttl=49 time=513 ms
64 bytes from 206.190.36.45: icmp_seq=5 ttl=48 time=601 ms
64 bytes from 206.190.36.45: icmp_seq=6 ttl=47 time=577 ms
64 bytes from 206.190.36.45: icmp_seq=7 ttl=47 time=640 ms
64 bytes from 206.190.36.45: icmp_seq=8 ttl=47 time=755 ms
64 bytes from 206.190.36.45: icmp_seq=9 ttl=48 time=701 ms
64 bytes from 206.190.36.45: icmp_seq=10 ttl=48 time=614 ms
^C
--- 206.190.36.45 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9917ms
rtt min/avg/max/mdev = 482.303/595.312/755.650/81.714 ms
[root@server ~]# service iptables start
iptables: Applying firewall rules:                         [  OK  ]
[root@server ~]# 
[root@server ~]# ping 206.190.36.45
PING 206.190.36.45 (206.190.36.45) 56(84) bytes of data.
64 bytes from 206.190.36.45: icmp_seq=1 ttl=48 time=800 ms
64 bytes from 206.190.36.45: icmp_seq=2 ttl=47 time=861 ms
64 bytes from 206.190.36.45: icmp_seq=3 ttl=49 time=840 ms
64 bytes from 206.190.36.45: icmp_seq=4 ttl=49 time=826 ms
64 bytes from 206.190.36.45: icmp_seq=5 ttl=47 time=922 ms
64 bytes from 206.190.36.45: icmp_seq=6 ttl=47 time=894 ms
64 bytes from 206.190.36.45: icmp_seq=7 ttl=48 time=980 ms
64 bytes from 206.190.36.45: icmp_seq=8 ttl=48 time=922 ms
64 bytes from 206.190.36.45: icmp_seq=9 ttl=48 time=850 ms
64 bytes from 206.190.36.45: icmp_seq=10 ttl=49 time=854 ms
64 bytes from 206.190.36.45: icmp_seq=11 ttl=47 time=874 ms
64 bytes from 206.190.36.45: icmp_seq=12 ttl=49 time=805 ms
64 bytes from 206.190.36.45: icmp_seq=13 ttl=48 time=779 ms
64 bytes from 206.190.36.45: icmp_seq=14 ttl=47 time=809 ms
64 bytes from 206.190.36.45: icmp_seq=15 ttl=48 time=811 ms
64 bytes from 206.190.36.45: icmp_seq=16 ttl=49 time=792 ms
64 bytes from 206.190.36.45: icmp_seq=17 ttl=48 time=802 ms
^C
--- 206.190.36.45 ping statistics ---
18 packets transmitted, 17 received, 5% packet loss, time 17492ms

So around 200-300 ms with iptables on. Is that "normal"?
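As an added example (not from the thread), a small parser for the ping output format shown in this thread that refuses to compare two runs unless both hit the same target address, which is the point acid_kewpie raised in post #2; the transcripts embedded below are constructed samples, not the thread's own runs.

```python
import re
import statistics

# Constructed excerpts in the format ping prints in this thread (not the thread's own runs).
BASELINE = """\
PING 206.190.36.45 (206.190.36.45) 56(84) bytes of data.
64 bytes from 206.190.36.45: icmp_seq=1 ttl=48 time=534 ms
64 bytes from 206.190.36.45: icmp_seq=2 ttl=49 time=482 ms
64 bytes from 206.190.36.45: icmp_seq=3 ttl=47 time=532 ms
64 bytes from 206.190.36.45: icmp_seq=5 ttl=48 time=601 ms
"""
CANDIDATE = """\
PING 206.190.36.45 (206.190.36.45) 56(84) bytes of data.
64 bytes from 206.190.36.45: icmp_seq=1 ttl=48 time=800 ms
64 bytes from 206.190.36.45: icmp_seq=2 ttl=47 time=861 ms
64 bytes from 206.190.36.45: icmp_seq=3 ttl=49 time=840 ms
"""
OTHER_HOST = """\
PING yahoo.com (98.139.183.24) 56(84) bytes of data.
64 bytes from ir2.fp.vip.bf1.yahoo.com (98.139.183.24): icmp_seq=1 ttl=52 time=717 ms
"""

HEADER = re.compile(r"^PING \S+ \(([\d.]+)\)")
# Older ping prints icmp_req (the Pi output in post #1), newer ping prints icmp_seq.
REPLY = re.compile(r"icmp_(?:seq|req)=(\d+) ttl=\d+ time=([\d.]+) ms")

def parse_ping(text):
    """Return (target address, {seq: rtt_ms}) from one ping transcript."""
    target, rtts = None, {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            target = m.group(1)
        elif (m := REPLY.search(line)):
            rtts[int(m.group(1))] = float(m.group(2))
    if target is None or not rtts:
        raise ValueError("not a ping transcript with replies")
    return target, rtts

def summarize(rtts):
    """min/avg/max/mdev as ping reports them (mdev is the population std dev), plus
    gaps in the sequence numbers as lost replies (a loss at the very end is not visible)."""
    vals = list(rtts.values())
    return {"received": len(vals), "lost": max(rtts) - len(vals),
            "min": min(vals), "avg": statistics.fmean(vals),
            "max": max(vals), "mdev": statistics.pstdev(vals)}

def same_target(a, b):
    return parse_ping(a)[0] == parse_ping(b)[0]

def compare(baseline, candidate):
    """Average RTT delta between two runs; refuses runs against different hosts,
    since those measure different paths and say nothing about the firewall."""
    (t1, r1), (t2, r2) = parse_ping(baseline), parse_ping(candidate)
    if t1 != t2:
        raise ValueError(f"runs target different hosts: {t1} vs {t2}")
    s1, s2 = summarize(r1), summarize(r2)
    return {"target": t1, "baseline": s1, "candidate": s2,
            "avg_delta_ms": s2["avg"] - s1["avg"], "ratio": s2["avg"] / s1["avg"]}

if __name__ == "__main__":
    r = compare(BASELINE, CANDIDATE)
    print(f"{r['target']}: +{r['avg_delta_ms']:.1f} ms avg ({r['ratio']:.2f}x)")
```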
Old 02-27-2013, 06:11 PM   #4
d4nt3
Same problem

I have the same problem.
But I know where mine is.
It all began when I selected packets from an IP range to redirect to a chain, like this:

iptables -A INPUT ! -s 192.168.0.0/16 -j internet
iptables -A INPUT -s 192.168.0.0/16 -j localnetwork

Before those rules I had:

iptables -A INPUT -i eth0 -j internet
iptables -A INPUT -i wlan0 -j localnetwork

and packets were 2x faster to reach any external IP.

Does anyone know if that is really true, or if there is some problem with my system?
Is there any way to fix this?
Old 02-27-2013, 08:17 PM   #5
DBabo
Quote:
Originally Posted by d4nt3 View Post
I have the same problem.
But I know where mine is.
It all began when I selected packets from an IP range to redirect to a chain, like this:

iptables -A INPUT ! -s 192.168.0.0/16 -j internet
iptables -A INPUT -s 192.168.0.0/16 -j localnetwork

Before those rules I had:

iptables -A INPUT -i eth0 -j internet
iptables -A INPUT -i wlan0 -j localnetwork

and packets were 2x faster to reach any external IP.

Does anyone know if that is really true, or if there is some problem with my system?
Is there any way to fix this?
I was advised to look into creating user chains as subroutines to handle as many addresses as possible in a single execution. I haven't had time to look into this. Maybe you can?
Old 02-27-2013, 09:25 PM   #6
d4nt3
Quote:
Originally Posted by DBabo View Post
I was advised to look into creating user chains as subroutines to handle as many addresses as possible in a single execution. I haven't had time to look into this. Maybe you can?
Can you explain this procedure to me in more detail?

I had created some chains and redirected packets and it worked fine, until I changed the method from source interface to IP range.

Even when I run "iptables -L -v" it takes a while before it shows the rules I mentioned above about the IP range and its specifications.
Old 02-28-2013, 02:08 AM   #7
DBabo
Quote:
Originally Posted by d4nt3 View Post
Can you explain this procedure to me in more detail?

I had created some chains and redirected packets and it worked fine, until I changed the method from source interface to IP range.

Even when I run "iptables -L -v" it takes a while before it shows the rules I mentioned above about the IP range and its specifications.
No idea at this point. I need a few quiet hours to read up on this.
Old 02-28-2013, 03:22 AM   #8
jschiwal
I copied post #4 to its own thread due to " Anyone knows if that is realy (sic) true or there are some problem with my system? There's any way to fix this?"

If you wish to help d4nt3, please do so in that thread.
http://www.linuxquestions.org/questi...3/#post4901432

Old 02-28-2013, 03:36 AM   #9
acid_kewpie
OK, so the ICMP rules on OUTPUT are right at the very bottom of the list, which is not what you'd normally see. You'd only not see them there though as they're generally just part of the bumpf at the start, with the conntrack entries, before you have the "interesting" bits below. But if you do move that up above all the "NEW"s it'll presumably get faster, but then note that that pushes everything else down one more, making those a tad slower in theory each time.

Rather than turning iptables off completely, try just flushing OUTPUT, so all the other rules still exist. Note that as the conntrack stuff will greatly affect all UDP and TCP connections once they're established, this delay you're seeing is going to be the very worst data flow your rule set could encounter - a non-stateful flow at the bottom of the list.

Also I'd move that betfair entry to below the ESTABLISHED line; it shouldn't make a difference to that order really, as the NEW connections still can't start, and it will halve (i.e. 2 to 1) the number of rules all other established data will hit.
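To make the rule-count argument in this post concrete, here is an added example (not from the thread) that models the OUTPUT chain from post #1 in condensed form and counts how many rules a packet is evaluated against under the posted order and under the reordering suggested above; the packets and destination addresses fed to it are constructed samples, and the chain is a simplification (no interface matching, ULOG omitted), not the kernel's actual evaluation.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    dst: str             # destination address (constructed sample values)
    dport: int = 0
    state: str = "NEW"   # what "-m state" would report: NEW, RELATED or ESTABLISHED

# Destination blocks from the script's "DROP everything for Betfair..." rule.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "77.68.63.0/24", "66.212.235.0/24", "87.248.217.0/24",
    "84.20.200.0/24", "46.20.118.0/24", "109.202.112.0/24")]

def to_blocked(p):            # -p TCP -d <list> --state NEW,RELATED,ESTABLISHED -j DROP
    return p.proto == "tcp" and any(ipaddress.ip_address(p.dst) in n for n in BLOCKED)

def established(p):           # -m state --state RELATED,ESTABLISHED -j ACCEPT
    return p.state in ("RELATED", "ESTABLISHED")

def new_to(proto, dport):     # -p PROTO --dport DPORT -m state --state NEW -j ACCEPT
    return lambda p: p.proto == proto and p.state == "NEW" and p.dport == dport

def new_icmp(p):              # -p icmp -m state --state NEW -j ACCEPT
    return p.proto == "icmp" and p.state == "NEW"

# The script's per-service NEW rules, condensed to (proto, port) in the order posted.
SERVICES = [("tcp", 22), ("tcp", 80), ("tcp", 8080), ("tcp", 8000), ("tcp", 443),
            ("udp", 53), ("tcp", 9418), ("udp", 123), ("tcp", 21), ("tcp", 51413),
            ("udp", 51413), ("udp", 137), ("udp", 138), ("tcp", 139)]
SERVICE_RULES = [(f"NEW {pr}/{port}", new_to(pr, port), "ACCEPT") for pr, port in SERVICES]

# Order as posted: DROP list, ESTABLISHED, the NEW rules, ICMP at the very bottom.
ORIGINAL = ([("poker DROP", to_blocked, "DROP"),
             ("ESTABLISHED", established, "ACCEPT")]
            + SERVICE_RULES + [("ICMP NEW", new_icmp, "ACCEPT")])

# Order suggested in post #9: ESTABLISHED first, DROP list below it, ICMP above the NEW rules.
REORDERED = ([("ESTABLISHED", established, "ACCEPT"),
              ("poker DROP", to_blocked, "DROP"),
              ("ICMP NEW", new_icmp, "ACCEPT")] + SERVICE_RULES)

def walk(chain, p, policy="DROP"):
    """Walk the chain top to bottom; return (verdict, number of rules evaluated).
    A packet matching no rule falls through to the chain policy (the script's
    ULOG rule is non-terminating, so it is left out of the model)."""
    for evaluated, (_, match, target) in enumerate(chain, 1):
        if match(p):
            return target, evaluated
    return policy, len(chain)

def compare(p):
    """Rules evaluated for p under the posted order vs the reordered chain."""
    return walk(ORIGINAL, p), walk(REORDERED, p)

if __name__ == "__main__":
    for label, p in [("established https", Packet("tcp", "1.2.3.4", 443, "ESTABLISHED")),
                     ("new ping", Packet("icmp", "206.190.36.45")),
                     ("new tcp to blocked", Packet("tcp", "77.68.63.5", 443))]:
        posted, reordered = compare(p)
        print(f"{label:20s} posted={posted} reordered={reordered}")
```

One side effect of the reordering is visible in the model: a flow to a blocked address that is already ESTABLISHED is accepted before the DROP rule is reached. That only matters for a connection that existed before the DROP rule was loaded, since new ones still cannot start.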
Tags
iptables, speed
All times are GMT -5. The time now is 08:01 PM.