
This is my firewall script:

#!/bin/sh
WAN_NIC="ppp0"
LAN_NIC="eth1"
VPN_TUN="tun0"          # assumed interface name; the original used ${VPN_TUN} without defining it
WAN_IP="203.0.113.1"    # placeholder; only used when DYN_ADDR is not "yes"
DYN_ADDR="yes"

# Start from a clean slate so re-running the script does not append duplicate rules
iptables -F
iptables -t nat -F
iptables -t mangle -F

# Default policies: drop unsolicited inbound and forwarded traffic, allow outbound
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT

# Stateful rules: accept packets belonging to connections already tracked
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Anything not arriving on the WAN interface (LAN, VPN, loopback) may reach the box itself
iptables -A INPUT ! -i ${WAN_NIC} -j ACCEPT

# Allow selected services from the WAN side
iptables -A INPUT -i ${WAN_NIC} -p tcp --dport 3535 -j ACCEPT
iptables -A INPUT -i ${WAN_NIC} -p udp --dport 8123 -j ACCEPT

# Allow forwarding of selected services (one port number per line in the file)
for svc in $(cat /etc/firewall/allowed_services)
do
    iptables -A FORWARD -i ${LAN_NIC} -p tcp --dport ${svc} -j ACCEPT
    iptables -A FORWARD -i ${LAN_NIC} -p udp --dport ${svc} -j ACCEPT
done

# Ports that may be forwarded regardless of ingress interface (-d 0/0 matches any destination)
for in_svc in $(cat /etc/firewall/allowed_input_services)
do
    iptables -A FORWARD -d 0/0 -p tcp --dport ${in_svc} -j ACCEPT
done

# Allow VPN Tunnel forwarding
iptables -A FORWARD -i ${VPN_TUN} -j ACCEPT

# Allow all services for whitelisted clients (one address or network per line)
for whl in $(cat /etc/firewall/clients_whitelist)
do
    iptables -A FORWARD -s ${whl} -j ACCEPT
done

if [ "${DYN_ADDR}" = "yes" ]
then
    # Dynamic WAN address: MASQUERADE always uses the current address of ppp0
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ${WAN_NIC} -j MASQUERADE
    iptables -t nat -A POSTROUTING -s 10.7.1.0/24 -o ${WAN_NIC} -j MASQUERADE
else
    # -i cannot be used in POSTROUTING; select the LAN networks by source instead
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ${WAN_NIC} -j SNAT --to-source ${WAN_IP}
    iptables -t nat -A POSTROUTING -s 10.7.1.0/24 -o ${WAN_NIC} -j SNAT --to-source ${WAN_IP}
fi

# Inbound port forwards from the WAN side
iptables -t nat -A PREROUTING -i ${WAN_NIC} -p tcp --dport 4899 -j DNAT --to-destination 192.168.0.200
iptables -t nat -A PREROUTING -i ${WAN_NIC} -p tcp --dport 4900 -j DNAT --to-destination 192.168.0.199:4899
iptables -t nat -A PREROUTING -p tcp --dport 491 -j DNAT --to-destination 192.168.0.199

# Transparent proxy: redirect LAN web traffic (port 80) to the proxy on port 3128
iptables -t nat -A PREROUTING -i ${LAN_NIC} -s 10.7.1.0/24 -p tcp --dport 80 -j DNAT --to-destination 10.7.1.1:3128
iptables -t nat -A PREROUTING -i ${LAN_NIC} -s 192.168.0.0/24 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.231:3128

The thing is, when I connect from outside on one of the forwarded ports, i.e., 4899 (radmin), the connection works as expected. If I try to browse the web using http (80), it also works as expected, since we are using a transparent proxy.

However, when I try to browse using https (443), it connects to the server, but the connection works with low throughput.

PS: the forwarding of packets with port 443 is allowed, since it is present in the file "/etc/firewall/accepted_services"

PS2: The connection uses MASQUERADE (dynamic ip from ppp0)

Thanks in advance, Eduardo Melo

Carlos Melo
  • eduardo, if you connect on either port 80 or 443 without the proxy and using an ip address instead of a domain name, is it still slow? if not, then the issue may be with name resolution for outbound connections. – Peter Carrero Feb 06 '11 at 07:22
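The script above builds FORWARD rules straight from whatever `cat /etc/firewall/allowed_services` returns, so a stray token in that file becomes an argument to iptables. The following is an added example, not code from the original post: a dry-run generator that validates each line as a port number before emitting the rule, with `LAN_NIC` and the sample file contents assumed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): emit the FORWARD rules for an
# allowed_services-style file, accepting only lines that are valid port numbers.
LAN_NIC="eth1"   # assumed, as in the question's script

# Print the iptables commands for each validated port instead of executing them,
# so the output can be reviewed (or piped to sh as root) without touching the kernel.
emit_forward_rules() {
    svc_file="$1"
    while IFS= read -r svc || [ -n "$svc" ]; do
        svc=${svc%%#*}                                  # drop trailing comments
        svc=$(printf '%s' "$svc" | tr -d '[:space:]')   # drop surrounding whitespace
        [ -z "$svc" ] && continue
        case "$svc" in
            *[!0-9]*) printf 'skipping invalid entry: %s\n' "$svc" >&2; continue ;;
        esac
        if [ "$svc" -lt 1 ] || [ "$svc" -gt 65535 ]; then
            printf 'skipping out-of-range port: %s\n' "$svc" >&2; continue
        fi
        printf 'iptables -A FORWARD -i %s -p tcp --dport %s -j ACCEPT\n' "$LAN_NIC" "$svc"
        printf 'iptables -A FORWARD -i %s -p udp --dport %s -j ACCEPT\n' "$LAN_NIC" "$svc"
    done < "$svc_file"
}

# Constructed sample file: two good ports, a comment, a line carrying extra
# tokens (which the unquoted for-loop in the question would split into separate
# iptables arguments), an out-of-range port and a non-numeric entry.
demo_services_file() {
    f=$(mktemp)
    printf '443\n# comment line\n80 # web\n22 -j ACCEPT -s 0/0\n70000\nabc\n' > "$f"
    printf '%s' "$f"
}

# Number of rule lines produced for the sample file (two per valid port).
count_emitted_rules() {
    emit_forward_rules "$(demo_services_file)" 2>/dev/null | wc -l | tr -d ' '
}
```

Running `emit_forward_rules /etc/firewall/allowed_services` on the real file shows exactly which rules would be appended and which lines were rejected.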

1 Answer

SSL obviously uses encryption, so depending on the spec of the machine that's running the SSL-enabled webserver, there could be a noticeable difference.

Andy Smith
  • The poor performance is noticed in any HTTPS server. Even in Gmail. I don't think the low throughput is caused by encryption processing. If I disable the proxy and allow direct HTTP connection, the poor performance is noticed also. – Carlos Melo Dec 18 '10 at 00:12
  • Apologies - from the question it looked as though you meant inbound SSL connections to a webserver running locally, which is what my answer was geared towards. Are you able to test outbound SSL from a different machine behind the same firewall? – Andy Smith Dec 18 '10 at 12:01
  • Yes. The problem must be the firewall. One curious thing is that any other services (inbound and outbound) run fine. Only direct HTTP and HTTPS connections are slowed down. It works, but takes forever to get the webpage. Now HTTP are working, but only because I'm using a proxy server installed in the firewall machine. – Carlos Melo Dec 18 '10 at 12:10
  • Curious. Are you able to proxy SSL traffic too, and see if that helps? One thing that does come to mind - do you have IPv6 enabled on the machine behind the firewall? It may be that your machine is trying to carry out IPv6 lookups, then falling back to IPv4... this will introduce a delay, which can give the sluggish browsing you're describing. – Andy Smith Dec 18 '10 at 12:14
  • Right now I can't test it. As soon as I get into my job I'll test your idea and tell if it works. :) – Carlos Melo Dec 19 '10 at 04:46