Re: Slow file sharing performance

[James Knott <james.knott,AT,rogers,DOT,com>]

Carsten Emde wrote:
> James Knott wrote:
>
> > Tomasz Ciolek wrote:
> >
> > > Can you post your IP tables rule-set [..]
> >
> > [..]
> > Here it is.
> > [..]
>
> Hmm, I would have expected to see the output of
>   # iptables -L -v -n

Chain INPUT (policy ACCEPT 2836 packets, 623K bytes)
 pkts bytes target     prot opt in     out     source 
destination
55433 9837K INETIN     all  --  eth0   *       0.0.0.0/0 
0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source 
destination
89066   52M ACCEPT     all  --  *      *       192.168.1.0/24 
0.0.0.0/0
79806   18M ACCEPT     all  --  *      *       0.0.0.0/0 
192.168.1.0/24
    0     0 ACCEPT     all  --  *      *       192.168.2.20 
0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0 
192.168.2.20

Chain OUTPUT (policy ACCEPT 1113 packets, 310K bytes)
 pkts bytes target     prot opt in     out     source 
destination
62160   52M INETOUT    all  --  *      eth0    0.0.0.0/0 
0.0.0.0/0

Chain INETIN (1 references)
 pkts bytes target     prot opt in     out     source 
destination
    0     0 ACCEPT     icmp --  eth0   *       0.0.0.0/0 
0.0.0.0/0          icmp type 8 limit: avg 1/sec burst 5
    4  1160 ACCEPT     icmp --  *      *       0.0.0.0/0 
0.0.0.0/0          icmp !type 8
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0          tcp dpt:22 flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0          tcp dpt:22 flags:0x16/0x02 limit: avg 2/sec burst 5
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0          udp dpt:6112
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0          udp dpt:6119
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0          udp dpt:4000
55248 9811K ACCEPT     udp  --  *      *       0.0.0.0/0 
0.0.0.0/0          udp dpt:6969
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0 
0.0.0.0/0          tcp spt:22 dpts:1024:65535 flags:!0x16/0x02
  137 15265 ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0          state RELATED,ESTABLISHED
   44 10197 REJECT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0          reject-with icmp-port-unreachable

Chain INETOUT (1 references)
 pkts bytes target     prot opt in     out     source 
destination
62160   52M ACCEPT     all  --  *      *       0.0.0.0/0 
0.0.0.0/0

> and
>   # iptables -L -v -n -t nat

Chain PREROUTING (policy ACCEPT 4169 packets, 543K bytes)
 pkts bytes target     prot opt in     out     source 
destination

Chain POSTROUTING (policy ACCEPT 1625 packets, 216K bytes)
 pkts bytes target     prot opt in     out     source 
destination
 1317 81005 MASQUERADE  all  --  *      eth0    192.168.1.0/24 
0.0.0.0/0
    0     0 MASQUERADE  all  --  *      eth0    192.168.2.20 
0.0.0.0/0

Chain OUTPUT (policy ACCEPT 397 packets, 101K bytes)
 pkts bytes target     prot opt in     out     source 
destination

> instead of a shell script that may or may not do what you expect. You 
> may still edit the output and replace some of the IP addresses by XXXs 
> to obscure them before posting it.

Bear in mind that the rules apply only to connections coming in from the 
internet.  The firewall passes the VPN fine.  Anything coming through 
the VPN should not be affected by the firewall rules.  Also, further 
tests show that when connecting at higher speeds, such as dial up or 
directly into the firewall, this problem does not happen.  This 
eliminates a firewall rule problem.