
To: CIPE <cipe-l,AT,inka,DOT,de>
Subject: Re: Slow file sharing performance
From: James Knott <james.knott,AT,rogers,DOT,com>
Date: Tue, 09 Sep 2003 11:20:48 -0400
In-reply-to: <3F53D575.80904@ceag.ch>
References: <3F5334D7.1000709@rogers.com> <20030901214440.GA622@dreamcraft.com.au> <3F53CF7E.5010807@rogers.com> <3F53D575.80904@ceag.ch>

Carsten Emde wrote:
James Knott wrote:

Tomasz Ciolek wrote:

Can you post your IP tables rule-set [..]

[..] Here it is. [..]

Hmm, I would have expected to see the output of
  # iptables -L -v -n

Chain INPUT (policy ACCEPT 2836 packets, 623K bytes)
pkts bytes target prot opt in out source destination
55433 9837K INETIN all -- eth0 * 0.0.0.0/0 0.0.0.0/0


Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
89066 52M ACCEPT all -- * * 192.168.1.0/24 0.0.0.0/0
79806 18M ACCEPT all -- * * 0.0.0.0/0 192.168.1.0/24
0 0 ACCEPT all -- * * 192.168.2.20 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 192.168.2.20


Chain OUTPUT (policy ACCEPT 1113 packets, 310K bytes)
pkts bytes target prot opt in out source destination
62160 52M INETOUT all -- * eth0 0.0.0.0/0 0.0.0.0/0


Chain INETIN (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5
4 1160 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp !type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:!0x16/0x02
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02 limit: avg 2/sec burst 5
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:6112
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:6119
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4000
55248 9811K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:6969
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 dpts:1024:65535 flags:!0x16/0x02
137 15265 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
44 10197 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable


Chain INETOUT (1 references)
pkts bytes target prot opt in out source destination
62160 52M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0


and
  # iptables -L -v -n -t nat

Chain PREROUTING (policy ACCEPT 4169 packets, 543K bytes)
pkts bytes target prot opt in out source destination


Chain POSTROUTING (policy ACCEPT 1625 packets, 216K bytes)
pkts bytes target prot opt in out source destination
1317 81005 MASQUERADE all -- * eth0 192.168.1.0/24 0.0.0.0/0
0 0 MASQUERADE all -- * eth0 192.168.2.20 0.0.0.0/0


Chain OUTPUT (policy ACCEPT 397 packets, 101K bytes)
pkts bytes target prot opt in out source destination


instead of a shell script that may or may not do what you expect. You may still edit the output and replace some of the IP addresses by XXXs to obscure them before posting it.

Bear in mind that the rules apply only to connections coming in from the internet. The firewall passes the VPN fine. Anything coming through the VPN should not be affected by the firewall rules. Also, further tests show that when connecting at higher speeds, such as dial up or directly into the firewall, this problem does not happen. This eliminates a firewall rule problem.
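An added example, not part of the original message or of the CIPE project: a small Python parser for the `iptables -L -v -n` output quoted above, which reads the live counters to show which rules have never matched a packet and which rule in a chain carries the most traffic. The function names are hypothetical, the sample is an excerpt of the listing above, and the parser assumes every rule line has a target.

```python
# Excerpt of the listing quoted above (whitespace collapsed as in the archive).
LISTING = """\
Chain INPUT (policy ACCEPT 2836 packets, 623K bytes)
pkts bytes target prot opt in out source destination
55433 9837K INETIN all -- eth0 * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
89066 52M ACCEPT all -- * * 192.168.1.0/24 0.0.0.0/0
0 0 ACCEPT all -- * * 192.168.2.20 0.0.0.0/0

Chain INETIN (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:6112
55248 9811K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:6969
44 10197 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
"""

UNITS = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
def counter(text):
    """Convert a rounded iptables counter such as '9837K' to an approximate integer."""
    return int(text[:-1]) * UNITS[text[-1]] if text[-1] in UNITS else int(text)

def parse_listing(text):
    """Return {chain: {'policy': name or None, 'rules': [dict, ...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "pkts":
            continue  # blank line or column header
        if fields[0] == "Chain":
            policy = fields[3] if fields[2] == "(policy" else None  # user chains have none
            current = chains.setdefault(fields[1], {"policy": policy, "rules": []})
        else:  # rule line; assumes a target column is present, as in the listing above
            pkts, nbytes, target, prot, _opt, _in, _out, src, dst, *match = fields
            current["rules"].append(dict(pkts=counter(pkts), bytes=counter(nbytes),
                target=target, prot=prot, src=src, dst=dst, match=" ".join(match)))
    return chains

def unused_rules(chains):
    """Rules whose packet counter is still zero: candidates for review."""
    return [(name, r) for name, c in chains.items() for r in c["rules"] if r["pkts"] == 0]

def busiest(chains, chain):  # the rule in `chain` that matched the most packets
    return max(chains[chain]["rules"], key=lambda r: r["pkts"])

if __name__ == "__main__":
    for name, rule in unused_rules(parse_listing(LISTING)):
        print("never matched:", name, rule["target"], rule["src"], rule["match"])
```
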


