netfilter / Win2k performance problems
Aaron D. Christian
adc002@alpha.morningside.edu
26 Jan 2002 23:19:50 -0600
I am currently using a RedHat 7.1/iptables/tc setup to share a cable
modem connection between various computers. My network consists of a
few Linux boxes, 2 win2k machines, and a few win9x as well.
The basic setup is as follows:
|-----------------|      |---------------|      |-----------------|
|                 | eth0 |    Gateway    | eth1 |   My Network    |
|    Internet     |------|  iptables/tc  |------|   172.17.x.x    |
|                 |      |               |      |                 |
|-----------------|      |---------------|      |-----------------|
I have set up iptables to disallow all incoming connections unless they
are related or established to a connection originating inside the
firewall. Using tc and QoS, I have set up sfq filters to split the
800Kbit/s download line fairly among the various machines on my network.
When I connect to the internet through the gateway box from one of my
linux machines, performance is astounding. The system works perfectly
and I can grab the full pipe of the cable modem. Routing always works
well. However, life is not so good in the windows world, especially
win2k. I am constantly running into routing and DNS errors, and
bandwidth peaks out at a third of what the linux machines get.
Could somebody on this list please provide some insight on how to
improve performance from the windows machines? I have attached both my
rc.firewall and rc.queue scripts. If there is anything I can tune,
please let me know.
Aaron Christian
####### rc.firewall #######
#!/bin/sh
#
# Needed to automagically load kernel modules.
/sbin/depmod -a
# Load the NAT module (this pulls in all the others).
/sbin/modprobe iptable_nat
# Allow HTTP traffic through
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out eth0 (-o eth0) which says to
# MASQUERADE the connection (-j MASQUERADE).
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Create the block chain for blocking outside connections
/sbin/iptables -N block
# Allow DHCP requests to pass through
/sbin/iptables -A INPUT -p udp --dport 67 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 68 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 67 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 68 -j ACCEPT
# Filter based on connection state and source network
/sbin/iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A block -m state --state NEW -s 172.17.243.0/24 -j ACCEPT
/sbin/iptables -A block -j REJECT
# Jump from INPUT and FORWARD to block chain
/sbin/iptables -A INPUT -j block
/sbin/iptables -A FORWARD -j block
# Enable forwarding.
echo "1" > /proc/sys/net/ipv4/ip_forward
# Tell MASQ we have a dynamic IP address.
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
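A hardened rewrite of the rc.firewall above, added here as an example (it is not the poster's script): default-deny policies, state matching ahead of every per-service rule, and the DHCP and HTTP accepts bound to the LAN interface instead of all interfaces. The interface names, the LAN prefix and the IPT variable are assumptions; run with no argument it only prints the rules, and with `apply` it loads them.

```shell
#!/bin/sh
# Hardened rc.firewall (added example, not the poster's script).
# Assumed names: WAN_IF, LAN_IF, LAN_NET and IPT; point IPT at "echo"
# to review the generated rules without touching the kernel.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-172.17.243.0/24}"
IPT="${IPT:-/sbin/iptables}"

build_rules() {
  # Clean slate and deny by default; the original kept the built-in
  # policies at ACCEPT and relied on a trailing REJECT in "block".
  $IPT -F; $IPT -t nat -F; $IPT -X
  $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
  $IPT -A INPUT -i lo -j ACCEPT
  # Connection tracking first, so replies to outbound traffic match
  # before any service-specific rule is consulted.
  $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT   -m state --state INVALID -j DROP
  $IPT -A FORWARD -m state --state INVALID -j DROP
  # New connections only from the LAN interface and the LAN prefix;
  # the original "block" chain checked the prefix but not the interface.
  $IPT -A INPUT   -i "$LAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
  $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
  # DHCP is UDP only and belongs on the LAN side; the original also
  # accepted TCP 67/68, and did so on every interface.
  $IPT -A INPUT -i "$LAN_IF" -p udp --dport 67:68 -j ACCEPT
  # The original accepted TCP 80 on INPUT before jumping to "block",
  # i.e. from the Internet as well; keep it, but LAN-only.
  $IPT -A INPUT -i "$LAN_IF" -p tcp --dport 80 -j ACCEPT
  # Masquerade only LAN-sourced traffic leaving via the WAN interface.
  $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Self-check helper: how many generated rules jump to a given target.
count_target() { IPT=echo build_rules | grep -c -- "-j $1"; }

case "${1:-}" in
  apply) build_rules
         echo 1 > /proc/sys/net/ipv4/ip_forward
         echo 1 > /proc/sys/net/ipv4/ip_dynaddr ;;
  *)     IPT=echo build_rules ;;   # dry run: print the rules instead
esac
```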
####### rc.queue #######
#!/bin/bash
# Set up downstream bandwidth qdisc and class.
/sbin/tc qdisc add dev eth1 root handle 10: cbq bandwidth 800Kbit avpkt 1000
/sbin/tc class add dev eth1 parent 10:0 classid 10:1 cbq bandwidth 800Kbit rate 800Kbit allot 1514 weight 100Kbit prio 8 maxburst 20 avpkt 1000
# Set up queues.
/sbin/tc class add dev eth1 parent 10:1 classid 10:100 cbq bandwidth 800Kbit rate 160Kbit allot 1514 weight 24Kbit prio 5 maxburst 20 avpkt 1000
/sbin/tc class add dev eth1 parent 10:1 classid 10:200 cbq bandwidth 800Kbit rate 160Kbit allot 1514 weight 24Kbit prio 5 maxburst 20 avpkt 1000
/sbin/tc class add dev eth1 parent 10:1 classid 10:300 cbq bandwidth 800Kbit rate 160Kbit allot 1514 weight 24Kbit prio 5 maxburst 20 avpkt 1000
/sbin/tc class add dev eth1 parent 10:1 classid 10:400 cbq bandwidth 800Kbit rate 160Kbit allot 1514 weight 24Kbit prio 5 maxburst 20 avpkt 1000
/sbin/tc class add dev eth1 parent 10:1 classid 10:500 cbq bandwidth 800Kbit rate 160Kbit allot 1514 weight 24Kbit prio 5 maxburst 20 avpkt 1000
# Tell how to manage queues.
/sbin/tc qdisc add dev eth1 parent 10:100 sfq quantum 1514b perturb 15
/sbin/tc qdisc add dev eth1 parent 10:200 sfq quantum 1514b perturb 15
/sbin/tc qdisc add dev eth1 parent 10:300 sfq quantum 1514b perturb 15
/sbin/tc qdisc add dev eth1 parent 10:400 sfq quantum 1514b perturb 15
/sbin/tc qdisc add dev eth1 parent 10:500 sfq quantum 1514b perturb 15
# Set up filters.
/sbin/tc filter add dev eth1 parent 10:0 protocol ip prio 100 u32 match ip dst 172.17.243.10 flowid 10:100
/sbin/tc filter add dev eth1 parent 10:0 protocol ip prio 100 u32 match ip dst 172.17.243.20 flowid 10:200
/sbin/tc filter add dev eth1 parent 10:0 protocol ip prio 100 u32 match ip dst 172.17.243.30 flowid 10:300
/sbin/tc filter add dev eth1 parent 10:0 protocol ip prio 100 u32 match ip dst 172.17.243.40 flowid 10:400
/sbin/tc filter add dev eth1 parent 10:0 protocol ip prio 100 u32 match ip dst 172.17.243.50 flowid 10:500
# Set up upstream bandwidth qdisc and class.
/sbin/tc qdisc add dev eth0 root handle 20: cbq bandwidth 200Kbit avpkt 1000
/sbin/tc class add dev eth0 parent 20:0 classid 20:1 cbq bandwidth 200Kbit rate 200Kbit allot 1514 weight 20Kbit prio 8 maxburst 20 avpkt 1000
# Set up queues.
/sbin/tc class add dev eth0 parent 20:1 classid 20:100 cbq bandwidth 200Kbit rate 40Kbit allot 1514 weight 6Kbit prio 5 maxburst 20 avpkt 1000 bounded
/sbin/tc class add dev eth0 parent 20:1 classid 20:200 cbq bandwidth 200Kbit rate 40Kbit allot 1514 weight 6Kbit prio 5 maxburst 20 avpkt 1000 bounded
/sbin/tc class add dev eth0 parent 20:1 classid 20:300 cbq bandwidth 200Kbit rate 40Kbit allot 1514 weight 6Kbit prio 5 maxburst 20 avpkt 1000 bounded
/sbin/tc class add dev eth0 parent 20:1 classid 20:400 cbq bandwidth 200Kbit rate 40Kbit allot 1514 weight 6Kbit prio 5 maxburst 20 avpkt 1000 bounded
/sbin/tc class add dev eth0 parent 20:1 classid 20:500 cbq bandwidth 200Kbit rate 40Kbit allot 1514 weight 6Kbit prio 5 maxburst 20 avpkt 1000 bounded
# Tell how to manage queues.
/sbin/tc qdisc add dev eth0 parent 20:100 sfq quantum 1514b perturb 15
/sbin/tc qdisc add dev eth0 parent 20:200 sfq quantum 1514b perturb 15
/sbin/tc qdisc add dev eth0 parent 20:300 sfq quantum 1514b perturb 15
/sbin/tc qdisc add dev eth0 parent 20:400 sfq quantum 1514b perturb 15
/sbin/tc qdisc add dev eth0 parent 20:500 sfq quantum 1514b perturb 15
# Set up filters.
/sbin/tc filter add dev eth0 parent 20:0 protocol ip prio 100 u32 match ip src 172.17.243.10 flowid 20:100
/sbin/tc filter add dev eth0 parent 20:0 protocol ip prio 100 u32 match ip src 172.17.243.20 flowid 20:200
/sbin/tc filter add dev eth0 parent 20:0 protocol ip prio 100 u32 match ip src 172.17.243.30 flowid 20:300
/sbin/tc filter add dev eth0 parent 20:0 protocol ip prio 100 u32 match ip src 172.17.243.40 flowid 20:400
/sbin/tc filter add dev eth0 parent 20:0 protocol ip prio 100 u32 match ip src 172.17.243.50 flowid 20:500