Hi,

I have read about a couple of previous discussions on the issues of using iptables together with FTP and achieving only really *slow* throughputs. All Q's that I've read conclude that the remedy is to either pass through auth (ident) packets or to reject them.

I have a Linux (2.4.18) running iptables. It is a router and FW, and is NAT'ing the internal address range (192.168.0.x) to the external range (1.2.3.x). ip_conntrack, ip_conntrack_ftp and ip_nat_ftp are all loaded in the router. It is a 266 PII with 128Mb memory.

For any machine that is placed on the inside, there are two methods of getting to another machine on the inside: either using the direct internal address 192.168.0.x or by using the external address 1.2.3.x. The net result is the same, but the latter is routed through the router (and will always be accepted).

Now, the problem is this: I open two FTP connections from the client machine 192.168.0.10 to a server, the first to 192.168.0.5 and the other connection to 1.2.3.5. Again, this is the same machine, only one of them is going via the router while the other is not. The connection going via the router is slow, very slow.

The problem is that it does not matter if I DROP, REJECT or ACCEPT the auth (ident) port. It still is extremely slow -- direct connection takes 20 mins, while the routed version takes 2-3 hours!!

My hypothesis could be that the ip_nat_ftp module is causing the considerable delay, since it must read all FTP data (I'm unsure about FTP-data though). Another theory could be that the routing memory of the iptables/kernel is too small. How can I increase it?

Anyone else got any ideas? (I've got a lot of angry customers on my back...)

Thanks,
Svein Seldal