Trying to understand a performance problem - help please.

Alan Chandler alan at chandlerfamily.org.uk
Sun Apr 15 19:27:55 CEST 2007


I have a speed problem downloading from youtube.

I have a small LAN at home, connected to the internet via a Debian etch 
based Linux box which (amongst a whole range of other things) acts as a 
router/NAT gateway.

Downloading videos from youtube (using wget) from my desktop (another 
Linux box, Debian sid) I get about 7 Kbytes/sec.

Downloading from the NAT gateway itself I get about 80 Kbytes/sec, more 
than a 10-fold increase.

Looking in detail at the network traffic, when downloading directly from 
the gateway I get a smooth pattern of in-order traffic, like this ...

youtube->me  http continuation seq 189688 next seq 191136
youtube->me  http continuation seq 191136 next seq 192584
me->youtube tcp ack seq no 192584
youtube->me  http continuation seq 192584 next seq 194032
...

Looking at the traffic on the same interface when I initiate the request 
from the desktop, I get

youtube->me http cont seq 4344 next seq 5792
me->youtube tcp ack seq 5792
youtube->me http cont seq 7240 next seq 8688
me->youtube dup ack seq 5792
youtube->me http cont seq 10136 next seq 11584
me->youtube dup ack seq 5792
youtube->me http cont seq 5790 next seq 7240
me->youtube tcp ack seq 8688
youtube->me http cont seq 8688 next seq 10136


As you can see, in this case it appears that some packets are being 
lost and have to be repeated via a dup ack.

I presume I can assume that youtube is actually sending the packets, 
since it is clear in the earlier case that it does so (and pretty 
quickly too), so I think it might come down to some reason that the 
packets are getting dropped before wireshark sees them.

I have an IPTABLES firewall on the gateway, but I can't see why that 
should affect things.  Can someone tell me

a) Whether wireshark sees the packets before they are processed by 
IPTABLES? (I want to see if there is a possibility that they reach the 
machine but iptables drops them)

b) Is there anything I might be doing in my firewall script that could 
cause only some packets to be dropped?  Script follows:

#!/bin/sh
#
#   Firewall / NAT rules for the gateway.  No default policies are set
#   anywhere in this script, so whatever is not matched below falls
#   through to the built-in chains' existing policy.
#

INETIF=eth0
KANGER="192.168.0.21"
POOH="192.168.0.22"
RABBIT="192.168.0.25"


test -x /sbin/iptables || exit 0

#set -e

#
#   Start up ensuring that the tables are all empty
#   (ignoring any errors because there is nothing there yet)
#
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -t nat -F PREROUTING
    iptables -t nat -F POSTROUTING
    iptables -t mangle -F OUTPUT
    iptables -F inet-in 2>/dev/null
    iptables -X inet-in 2>/dev/null
    iptables -F inet-fwd 2>/dev/null
    iptables -X inet-fwd 2>/dev/null
    iptables -F from-inet 2>/dev/null
    iptables -X from-inet 2>/dev/null
    iptables -F to-inet 2>/dev/null
    iptables -X to-inet 2>/dev/null
    iptables -F i-estab 2>/dev/null
    iptables -X i-estab 2>/dev/null

#
#   This is for established communications coming in from the internet,
#   just so that I can get an idea what sort of packets they are.
#
    iptables -N i-estab
    iptables -A i-estab -p tcp --sport www -j ACCEPT
    iptables -A i-estab -p tcp --sport imap -j ACCEPT
    iptables -A i-estab -p tcp --sport nntp -j ACCEPT
    iptables -A i-estab -p tcp --sport domain -j ACCEPT
    iptables -A i-estab -p tcp --dport ssh -j ACCEPT
    iptables -A i-estab -p tcp --sport ftp -j ACCEPT
    iptables -A i-estab -p tcp --sport ftp-data -j ACCEPT
    iptables -A i-estab -p tcp --sport 9418 -j ACCEPT

#   Accept everything not so far accepted
    iptables -A i-estab -j ACCEPT
#
#   Route packets going out from here onto a new table so that we can do
#   things with them (logging etc)
#
    iptables -N to-inet
#
#   Just want to count a few things
#
    iptables -A to-inet -p tcp --dport www -j ACCEPT
    iptables -A to-inet -p tcp --dport imap -j ACCEPT
    iptables -A to-inet -p udp --dport domain -j ACCEPT
    iptables -A to-inet -p tcp --dport nntp -j ACCEPT
    iptables -A to-inet -p udp --dport 67:68 -j ACCEPT
    iptables -A to-inet -p tcp --dport iax -j ACCEPT
    iptables -A to-inet -p udp --dport iax -j ACCEPT
#
#    Note ICMP packets I am sending out
# 
    iptables -A to-inet -p icmp --icmp-type destination-unreachable -j ACCEPT
    iptables -A to-inet -p icmp --icmp-type source-quench -j ACCEPT
    iptables -A to-inet -p icmp --icmp-type time-exceeded -j ACCEPT
    iptables -A to-inet -p icmp --icmp-type parameter-problem -j ACCEPT
    iptables -A to-inet -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A to-inet -p icmp --icmp-type echo-reply -j ACCEPT
#
#   Prevent any netbios stuff leaking out from here
#
    iptables -A to-inet -p tcp --dport netbios-ns:netbios-ssn -j LOG
    iptables -A to-inet -p tcp --dport netbios-ns:netbios-ssn -j DROP
    iptables -A to-inet -p udp --dport netbios-ns:netbios-ssn -j LOG
    iptables -A to-inet -p udp --dport netbios-ns:netbios-ssn -j DROP
#
#
#   Accept everything else
#
    iptables -A to-inet -j ACCEPT
#
#   Now make the connection to the table
#
    iptables -A OUTPUT -o $INETIF -j to-inet
#
#   Common internet Stuff
#
    iptables -N from-inet
#
#   Stuff already established is allowed but jump to chain to count things
#
    iptables -A from-inet -m state --state ESTABLISHED,RELATED -j i-estab
#
#    Deal with ICMP packets
# 
    iptables -A from-inet -p icmp --icmp-type destination-unreachable -j ACCEPT
    iptables -A from-inet -p icmp --icmp-type source-quench -j ACCEPT
    iptables -A from-inet -p icmp --icmp-type time-exceeded -j ACCEPT
    iptables -A from-inet -p icmp --icmp-type parameter-problem -j ACCEPT
    iptables -A from-inet -p icmp --icmp-type echo-request -j ACCEPT
#   Already accepted by related
    iptables -A from-inet -p icmp --icmp-type echo-reply -j ACCEPT
#
#   ftp-data started by mine  (already accepted in related)   
#
    iptables -A from-inet -m state --state NEW -p tcp --dport ftp-data -j ACCEPT
#
#   Socks probes should be dropped so that IRC does not think we are
#   screwing them
#
    iptables -A from-inet -p tcp --dport socks -j DROP
#
#   Drop these before logging them (just collecting them to see what
#   they are)
#
    iptables -A from-inet -p tcp --dport 1635 -j DROP
    iptables -A from-inet -p tcp --dport 1370 -j DROP
#
#   seem to get these during boot - I don't think they matter
#
    iptables -A from-inet -p udp --dport 67:68 -j DROP
#
#   log and drop the rest (except 192.168 stuff which we silently lose)
#
    iptables -A from-inet -s 192.168.0.0/16 -j DROP
#   iptables -A from-inet -j LOG
#   Anything still unmatched lands here with no log entry.  That includes
#   packets connection tracking rates INVALID, since those never match
#   ESTABLISHED,RELATED above.
    iptables -A from-inet -j DROP
#
#   Create a chain which protects gateway
#
    iptables -N inet-in
#
#   Allow DNS stuff
#
    iptables -A inet-in -p udp --dport domain -j ACCEPT
    iptables -A inet-in -p tcp --dport domain -j ACCEPT
#
#   Allow connections to my ssh port 
#
    iptables -A inet-in -m state --state NEW -p tcp --dport ssh -j ACCEPT
    iptables -A inet-in -p udp --dport ssh -j ACCEPT
#
#   Allow communication with the jabberd server (disabled for now as no
#   server installed)
#
#    iptables -A inet-in -m state --state NEW -p tcp --dport 5269 -j ACCEPT 
#
#   Allow git connections
#
    iptables -A inet-in -m state --state NEW -p tcp --dport 9418 -j ACCEPT
    iptables -A inet-in -p udp --dport 9418 -j ACCEPT
    
#   Allow mail to get in to deliver on the SMTP port
#
    iptables -A inet-in -p tcp --dport smtp -j ACCEPT
#
#   Allow boot stuff so I can configure interface
#
    iptables -A inet-in -p udp --dport 67:68 -j ACCEPT

#
#   Allow stuff to the web site
#
    iptables -A inet-in -p tcp --dport www -j ACCEPT
    iptables -A inet-in -p tcp --dport https -j ACCEPT
#
#   Allow traffic in to Asterisk (iax, sip and a limited range of rtp)
#
    iptables -A inet-in -p udp --dport iax -j ACCEPT
    iptables -A inet-in -p udp --dport sip -j ACCEPT
    iptables -A inet-in -p udp --dport 14007:14096 -j ACCEPT

#
#   Explicitly drop 135 stuff
#
#    iptables -A inet-in -p tcp --dport 135 -j LOG
    iptables -A inet-in -p tcp --dport 135 -j DROP
#
#   Do Common Stuff
#
    iptables -A inet-in -j from-inet
#
#   Create table for forwarded stuff from Inet
#
    iptables -N inet-fwd
#
#   Following is for GPL and WinVROC and must be forwarded on
#
    iptables -A inet-fwd -p udp --dport 32766:32786 -j ACCEPT
    iptables -A inet-fwd -p udp --dport 6970:6971 -j ACCEPT
#   to see them separately
    iptables -A inet-fwd -p udp --dport 6969 -j ACCEPT
    iptables -A inet-fwd -p tcp --dport auth -j ACCEPT
#
#   Allow bittorrent stuff
#
    iptables -A inet-fwd -p tcp --dport 6881:6899 -j ACCEPT
    iptables -A inet-fwd -p udp --dport 6881:6899 -j ACCEPT
#
#
#   allow Secure Remote stuff into my portable
#
#    iptables -A inet-fwd -p udp --dport 500 -j LOG
    iptables -A inet-fwd -p udp --dport 500 -j ACCEPT
#    iptables -A inet-fwd -p udp --dport 2746 -j LOG
    iptables -A inet-fwd -p udp --dport 2746 -j ACCEPT
#
#   Do common stuff
#
    iptables -A inet-fwd -j from-inet
#
#   Link new tables in
#
    iptables -A INPUT -i $INETIF -j inet-in

    iptables -A FORWARD -i $INETIF -j inet-fwd
#
#   Count some packets hitting the server from the LAN
#
    iptables -A INPUT -p tcp --dport iax -j ACCEPT
    iptables -A INPUT -p udp --dport iax -j ACCEPT


#
#   need to MASQUERADE outgoing stuff
#
#   normal internal network
#
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o $INETIF -j MASQUERADE
#
#
#  Stuff coming in for GPL and WinVROC needs destination changing
#
    iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 32766:32786 -j DNAT --to-destination $KANGER
    iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6970:6971 -j DNAT --to-destination $KANGER
#   separate out to see if used
    iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6969 -j DNAT --to-destination $KANGER
    iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport auth -j DNAT --to-destination $KANGER
#
#   Allocate bittorrent channels
#
    iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport 6881:6889 -j DNAT --to-destination $KANGER
    iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6881:6889 -j DNAT --to-destination $KANGER
    iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport 6890:6899 -j DNAT --to-destination $POOH
    iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6890:6899 -j DNAT --to-destination $POOH
#
#   This should be the secure remote traffic for my portable
#
    iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 500 -j DNAT --to-destination $RABBIT
    iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 2746 -j DNAT --to-destination $RABBIT
#
#   Forward Napster Connections to that machine.
#
#    iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport 6690:6700 -j DNAT --to-destination $POOH
#    iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport 4983 -j DNAT --to-destination $POOH
#
#   I want to mangle outgoing packets so that I can
#   take maximum benefit of different types of connection
#   in terms of priority.  (This is the mangle OUTPUT chain, so it only
#   touches packets the gateway itself originates, not forwarded ones.)
#
    iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport www -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport ftp -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport ftp-data -j TOS --set-tos Maximize-Throughput
    iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport smtp -j TOS --set-tos Maximize-Reliability
    iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport pop3 -j TOS --set-tos Maximize-Reliability
    iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport nntp -j TOS --set-tos Minimize-Cost
    iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport domain -j TOS --set-tos Maximize-Reliability
    iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport domain -j TOS --set-tos Maximize-Reliability
#
#   Following is for GPL and should be sent fast
#
    iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport 32766:32786 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport 6970:6971 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A OUTPUT -o $INETIF -p udp --sport 32766:32786 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A OUTPUT -o $INETIF -p udp --sport 6970:6971 -j TOS --set-tos Minimize-Delay
#
#   VOIP traffic - mainly RTP but also IAX needs to go fast
#
    iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport iax -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A OUTPUT -o $INETIF -p udp --sport 14007:14096 -j TOS --set-tos Minimize-Delay
exit 0








-- 
Alan Chandler
http://www.chandlerfamily.org.uk
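The two trace listings in the post were compared by eye. As an added example (not part of the original post or the poster's setup), the following script turns a listing written in the same notation into a count of holes in the server's byte stream, segments that arrive after later ones (retransmissions or reordering) and duplicate ACKs, so a longer capture can be summarised the same way. The sample lines embedded in it are copied from the post; the function and its output format are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: a small analyser for trace
# listings written in the notation used in the post (one packet per line).
#   Data lines: youtube->me http cont seq START next seq END
#   Ack lines:  me->youtube dup ack seq N   /   me->youtube tcp ack seq N
# trace_gaps prints each hole in the server's byte stream, each segment that
# arrives after a later one, each duplicate ACK, and a one-line summary.
# Input comes from a file argument or from stdin.
trace_gaps() {
    awk '
        $1 == "youtube->me" {
            # START is the number after the first "seq", END is the last field
            start = -1
            for (i = 1; i < NF; i++) if ($i == "seq") { start = $(i + 1) + 0; break }
            end = $NF + 0
            if (start < 0) next
            if (seen && start > high) {
                gaps++
                printf "gap   : %d..%d missing (%d bytes) before segment %d\n", high, start - 1, start - high, start
            } else if (seen && start < high) {
                retx++
                printf "retx  : segment %d..%d arrived after %d\n", start, end - 1, high
            }
            if (!seen || end > high) high = end
            seen = 1
            next
        }
        $1 == "me->youtube" && $2 == "dup" {
            dupacks++
            printf "dupack: %d\n", $NF
        }
        END {
            printf "summary: %d gap(s), %d retransmission(s), %d dup ack(s)\n", gaps, retx, dupacks
        }
    ' "$@"
}

# Sample input: the nine lines quoted in the post for the download started
# from the desktop (copied verbatim, including the odd "seq 5790").
SAMPLE_TRACE='youtube->me http cont seq 4344 next seq 5792
me->youtube tcp ack seq 5792
youtube->me http cont seq 7240 next seq 8688
me->youtube dup ack seq 5792
youtube->me http cont seq 10136 next seq 11584
me->youtube dup ack seq 5792
youtube->me http cont seq 5790 next seq 7240
me->youtube tcp ack seq 8688
youtube->me http cont seq 8688 next seq 10136'

# Running the file directly analyses the sample; for a real listing use
#   trace_gaps listing.txt
printf '%s\n' "$SAMPLE_TRACE" | trace_gaps
```

On the posted lines this reports two holes of exactly 1448 bytes each (one segment of a 1500-byte MTU path with TCP timestamps), both filled later by a single retransmitted segment, and no gap at all in the listing taken from the gateway itself. Holes that are always one segment wide point at individual packets vanishing rather than at a window or MTU mismatch, which is the kind of pattern a drop rule, or a capture taken on the wrong side of one, would produce.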

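On question (a): libpcap, and therefore wireshark, taps inbound packets as the driver hands them up, before the PREROUTING and INPUT hooks run, so a packet that shows up in a capture on the gateway can still be discarded by iptables afterwards (outbound packets are captured after OUTPUT and POSTROUTING). Question (b) is then best answered by measurement. The script below is an added example, not part of the original post: `audit_drops` reads the counters from `iptables -vnL -x` and lists every DROP/REJECT rule or DROP policy that has matched anything, and `diag_rules` prints (without running) the two rules that make the silent drops in the posted `from-inet` chain visible: the LOG before the final DROP that the script has commented out, and a LOG of packets connection tracking rates INVALID, which never match `ESTABLISHED,RELATED` and so fall through to that DROP. The counter sample embedded below is constructed to show the output; it is not taken from the poster's gateway, and the log prefixes and rate limit are choices of this example.

```shell
#!/bin/sh
# Added example, not part of the original post.
# audit_drops reads `iptables -vnL -x` output (file argument or stdin) and
# prints every DROP/REJECT rule, and every DROP chain policy, that has a
# non-zero packet counter, prefixed with the chain it lives in.
audit_drops() {
    awk '
        # chain header: "Chain NAME (policy ACCEPT 0 packets, 0 bytes)" for
        # built-in chains, "Chain NAME (N references)" for user chains
        /^Chain / {
            chain = $2
            if ($4 == "DROP" && $5 > 0)
                printf "%s: %s packets hit [policy DROP]\n", chain, $5
            next
        }
        # rule lines start with the packet counter; the target is field 3
        $1 ~ /^[0-9]+$/ && $1 > 0 && ($3 == "DROP" || $3 == "REJECT") {
            rule = $3
            for (i = 4; i <= NF; i++) rule = rule " " $i
            printf "%s: %s packets hit [%s]\n", chain, $1, rule
        }
    ' "$@"
}

# diag_rules prints (does not run) the iptables commands that turn the silent
# drops in the posted from-inet chain into log lines.  Run the output as root
# on the gateway.  --log-prefix keys the lines in syslog/dmesg and -m limit
# keeps a burst of drops from flooding the log; both values are assumptions.
diag_rules() {
    cat <<'EOF'
# log what conntrack rates INVALID (neither NEW nor ESTABLISHED/RELATED) before anything else in from-inet
iptables -I from-inet 1 -m state --state INVALID -m limit --limit 30/min -j LOG --log-prefix "fw-invalid: "
# log the catch-all drop at the end of from-inet (the posted script has this LOG commented out);
# inserting at the current last rule number puts the LOG just before the final DROP
last=$(iptables -L from-inet -n --line-numbers | awk '$1 ~ /^[0-9]+$/ { n = $1 } END { print n }')
iptables -I from-inet "$last" -m limit --limit 30/min -j LOG --log-prefix "fw-drop: "
EOF
}

# Constructed sample in the layout of `iptables -vnL -x`, with made-up
# counters; it is not output from the poster's gateway.
SAMPLE_COUNTERS=$(cat <<'EOF'
Chain INPUT (policy ACCEPT 12 packets, 1800 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   80213   91123456 inet-in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 5 packets, 400 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   60000   70000000 inet-fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain from-inet (2 references)
    pkts      bytes target     prot opt in     out     source               destination
   79000   90000000 i-estab    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
       0          0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1080
      37       2072 DROP       all  --  *      *       192.168.0.0/16       0.0.0.0/0
     412     597400 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
)

# Running the file directly reports on the sample.  On the gateway, save the
# counters to a file before and after a slow download and feed each to
#   audit_drops counters.txt
# to see which DROP rule, if any, is growing while the transfer runs.
printf '%s\n' "$SAMPLE_COUNTERS" | audit_drops
```

If the counter on the final `from-inet` DROP climbs during the download and the `fw-invalid:` log lines show TCP packets from the video server's port 80, the packets are reaching the box and being thrown away by the firewall, and the next thing to look at is connection tracking's TCP window checking (the toggle is `nf_conntrack_tcp_be_liberal` on current kernels; `sysctl -a | grep be_liberal` finds its name on a given kernel). If the counters stay flat while wireshark still shows the holes, the loss is upstream of the gateway and the firewall is not the cause.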

