I have a Linux box acting as a router/gateway between the internet, a public network and a private LAN. We are using iptables to SNAT our LAN. The setup for this is quite simple:
Code:
IPTABLES=`which iptables`
# interfaces
LAN=eth0    # private LAN
WAN=eth1    # internet
PUB=eth2    # public network
LAN_BLOCK=192.168.16.0/24
NAT_SOURCE=1.2.3.4
# replies for connections already tracked by conntrack
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections from the LAN out to the internet and to the public network
$IPTABLES -A FORWARD -i $LAN -o $WAN -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -o $PUB -m state --state NEW -j ACCEPT
# new connections from the public network into the LAN
$IPTABLES -A FORWARD -i $PUB -o $LAN -m state --state NEW -j ACCEPT
# rewrite the source of LAN traffic leaving via WAN to the public NAT address
$IPTABLES -t nat -A POSTROUTING -o $WAN -s $LAN_BLOCK -j SNAT --to-source $NAT_SOURCE
With these rules, I get great download performance, regardless of protocol (sftp, ftp, http, etc.).
Uploads, however, are a different story. I believe that the source of this issue is the NATing because if I upload to the same server from a box that isn't being NATed (e.g. in the public block), upload speeds are an order of magnitude greater when not being NATed, regardless of protocol. For example, if I upload a file from one of our public servers to a remote location, it will upload at about 500Kb/s. The same upload to the same location from within the LAN won't see more than 35Kb/s.
I'm not doing any kind of fancy traffic control or anything like that. I would expect to see some slowdown because of the NAT (for example, downloads are 600Kb/s vs 500Kb/s through the NAT), but this kind of slowdown seems a bit ridiculous.
Any suggestions on things to check? I'm running a custom 2.6.30.3 kernel.
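As an added example (not from the original post), a small Python checker for two things worth ruling out with an upload-only slowdown through this ruleset: per-direction error and drop counters on the interfaces the script names (a LAN upload is received on eth0 and transmitted on eth1, so trouble in those two directions hits uploads but not downloads), and conntrack table occupancy, since every SNATed flow needs a conntrack entry. The /proc/net/dev snapshot and the conntrack figures below are constructed; on the real box read /proc/net/dev and /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max instead.

```python
"""Interface error/drop and conntrack occupancy checks for a NAT gateway.
Added example; all sample data is constructed, not from the poster's box."""

LAN, WAN = "eth0", "eth1"  # interface names used in the posted script

# Constructed /proc/net/dev snapshot. eth0 shows receive errors and drops,
# which is the direction LAN uploads enter the gateway.
SAMPLE_PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 1000 10 0 0 0 0 0 0 1000 10 0 0 0 0 0 0
  eth0: 50000000 40000 812 35 0 0 0 0 900000000 700000 0 0 0 0 0 0
  eth1: 900000000 700000 0 0 0 0 0 0 50000000 40000 0 0 0 0 0 0
  eth2: 10000 100 0 0 0 0 0 0 10000 100 0 0 0 0 0 0
"""


def parse_proc_net_dev(text):
    """Map interface name -> rx/tx packet, error and drop counters."""
    stats = {}
    for line in text.splitlines()[2:]:  # skip the two header lines
        iface, counters = line.split(":", 1)
        f = [int(x) for x in counters.split()]
        # receive fields are f[0..7], transmit fields are f[8..15]
        stats[iface.strip()] = {
            "rx_packets": f[1], "rx_errs": f[2], "rx_drop": f[3],
            "tx_packets": f[9], "tx_errs": f[10], "tx_drop": f[11],
        }
    return stats


def link_problems(stats, ifaces=(LAN, WAN), threshold=0.001):
    """Return (iface, direction, rate) for any direction where errors plus
    drops exceed threshold (default 0.1%) of packets; a LAN upload is
    LAN rx then WAN tx, so those two are the ones that matter here."""
    findings = []
    for name in ifaces:
        s = stats[name]
        for d in ("rx", "tx"):
            bad = s[f"{d}_errs"] + s[f"{d}_drop"]
            rate = bad / (s[f"{d}_packets"] or 1)
            if rate > threshold:
                findings.append((name, d, rate))
    return findings


def conntrack_pressure(count, maximum, warn=0.8):
    """True when nf_conntrack_count is at or above warn * nf_conntrack_max."""
    return count / maximum >= warn


if __name__ == "__main__":
    for iface, d, rate in link_problems(parse_proc_net_dev(SAMPLE_PROC_NET_DEV)):
        print(f"{iface} {d}: {rate:.2%} errors+drops")
    print("conntrack near max:", conntrack_pressure(52000, 65536))
```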