Performance issues - iptables suggestions
Hello forum,
I have a PC acting as a router. There are 2 Ethernet cards, one of them connected to an ADSL modem and the other one to a local switch.
I also have a VPN.
We have a lot of performance issues and I am suspecting that this has to do with the current iptables.
I have attached the rules in case that anyone can help to tune up a little bit the script.
I have replaced public IPs with *.
Thanks in advance
# Generated by iptables-save v1.2.11 on Thu Feb 8 13:44:03 2007
*nat
:PREROUTING ACCEPT [962:75024]
:POSTROUTING ACCEPT [3913:260714]
:OUTPUT ACCEPT [3562:231220]
-A PREROUTING -d 192.168.11.2 -p tcp -m tcp --dport 995 -j DNAT --to-destination 192.168.1.104:23
-A PREROUTING -d 192.168.11.2 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.1.248:110
-A PREROUTING -d 192.168.11.2 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.1.248:21
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.248:22
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.248:25
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.10.10.0/255.255.255.0 -o tun0 -j MASQUERADE
COMMIT
# Completed on Thu Feb 8 13:44:03 2007
# Generated by iptables-save v1.2.11 on Thu Feb 8 13:44:03 2007
*mangle
:PREROUTING ACCEPT [54163:24720008]
:INPUT ACCEPT [47865:23904283]
:FORWARD ACCEPT [6298:815725]
:OUTPUT ACCEPT [56954:10511166]
:POSTROUTING ACCEPT [63035:11315019]
COMMIT
# Completed on Thu Feb 8 13:44:03 2007
# Generated by iptables-save v1.2.11 on Thu Feb 8 13:44:03 2007
*filter
:INPUT DROP [140:8764]
:FORWARD DROP [217:11872]
:OUTPUT ACCEPT [56954:10511166]
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -s 139.*.*.* -p udp -m udp --sport 2222 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -s 192.168.11.0/255.255.255.0 -i eth0 -j ACCEPT
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j DROP
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth0 -j DROP
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 953 -j DROP
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport 22 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -j LOG
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -s 139.*.*.*1 -p udp -m udp --dport 2222 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -i eth1 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.104 -p tcp -m tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.248 -p tcp -m tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.248 -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -s 139.*.*.* -p tcp -m tcp --sport 1194 -j ACCEPT
-A FORWARD -j LOG
-A OUTPUT -j LOG
COMMIT
# Completed on Thu Feb 8 13:44:03 2007
Last edited by asmar; 02-08-2007 at 07:00 AM.
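The ruleset above makes every packet of an already-accepted connection walk most of the INPUT or FORWARD chain before the stateful rules near the bottom match it, and it logs every outgoing packet unconditionally (`-A OUTPUT -j LOG`), which is where a busy router with a VPN spends its time. The script below is an added example, not the poster's script or the forum's reply: it rebuilds only the filter table in iptables-restore format with the RELATED,ESTABLISHED rule first, per-service rules matching only NEW connections (so none of the spoofable `--sport 80`/`--sport 443`/`--sport 53` accepts are needed), and rate-limited logging. Interfaces, networks and internal hosts are taken from the post; `VPN_PEER` is a placeholder for the redacted 139.*.*.* address, and `-m multiport` is assumed to be available.

```shell
#!/bin/sh
# Added example (not the poster's script): the filter table of the posted
# ruleset reordered so that the common case, a packet of a connection that
# was already accepted, is decided by the first rule of the chain.
# Hosts and interfaces follow the post; VPN_PEER stands in for the redacted
# 139.*.*.* address. "-m state" is kept for the iptables 1.2.11 in the post;
# on current systems "-m conntrack --ctstate" is the preferred spelling.
set -e

WAN=eth0                    # ADSL modem side
LAN=eth1                    # local switch side
VPN=tun0
LAN_NET=192.168.1.0/24
MODEM_NET=192.168.11.0/24   # the modem's own network (router is 192.168.11.2)
VPN_PEER="${VPN_PEER:-203.0.113.1}"   # placeholder (TEST-NET-3): replace
MAIL=192.168.1.248          # ssh/smtp/ftp/pop target of the DNAT rules
TELNET=192.168.1.104        # target of the 995 -> 23 DNAT

# Print the filter table in iptables-restore format.
build_filter() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Rule 1: tracked connections. Covers the reply direction of every service
# below and the ICMP errors (RELATED) that path-MTU discovery over the VPN needs.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i $VPN -j ACCEPT
-A FORWARD -i $VPN -j ACCEPT
-A FORWARD -i $LAN -s $LAN_NET -j ACCEPT
-A INPUT -i $WAN -s $MODEM_NET -j ACCEPT
# Other private source addresses never legitimately arrive on the WAN side.
-A INPUT -i $WAN -s 10.0.0.0/8 -j DROP
-A INPUT -i $WAN -s 172.16.0.0/12 -j DROP
-A INPUT -i $WAN -s 192.168.0.0/16 -j DROP
# Everything below only sees the first packet of a connection (state NEW),
# so rules keyed on --sport, which any client can choose, are not needed.
-A INPUT -i $LAN -s $LAN_NET -m state --state NEW -j ACCEPT
-A INPUT -i $WAN -s $VPN_PEER -p udp -m udp --sport 2222 -m state --state NEW -j ACCEPT
-A INPUT -i $WAN -p tcp -m multiport --dports 22,25,80,443 -m state --state NEW -j ACCEPT
-A FORWARD -i $WAN -d $MAIL -p tcp -m multiport --dports 21,22,25,110 -m state --state NEW -j ACCEPT
-A FORWARD -i $WAN -d $TELNET -p tcp -m tcp --dport 23 -m state --state NEW -j ACCEPT
-A FORWARD -i $WAN -s $VPN_PEER -p udp -m udp --dport 2222 -m state --state NEW -j ACCEPT
# Log what falls through to the DROP policy, rate-limited so a flood cannot
# fill syslog. No logging of the OUTPUT chain: that logged every outgoing packet.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT drop: "
-A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FORWARD drop: "
COMMIT
EOF
}

# First rule of a chain in the generated table (to verify the ordering).
first_rule() {
    build_filter | grep "^-A $1 " | head -n 1
}

# Number of LOG rules without a rate limit; should be 0.
unlimited_log_rules() {
    build_filter | grep '^-A .*-j LOG' | grep -vc -- '-m limit' || true
}

# Number of rules in the OUTPUT chain; should be 0 (policy ACCEPT, no LOG).
output_rules() {
    build_filter | grep -c '^-A OUTPUT' || true
}

# Load the table into the kernel (root). Only the filter table is replaced,
# so the nat table from the post (DNAT/MASQUERADE) is left untouched.
apply_filter() {
    build_filter | iptables-restore
}

case "${1:-}" in
    show)  build_filter ;;
    apply) apply_filter ;;
esac
```

Run `sh tune.sh show` to review the generated table and `sh tune.sh apply` as root to load it. Afterwards `iptables -L INPUT -v -n` should show almost all traffic counted on the first rule; if the counters on the lower rules keep growing, the connection tracking module is not loaded or the traffic is genuinely new connections. The RELATED match also admits ICMP errors for tracked connections, which the posted rules drop; with a DROP policy and a tunnel whose MTU is smaller than the Ethernet MTU, dropped "fragmentation needed" messages are a common cause of stalls that look like a slow firewall.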