Performance-Problems with DNAT

Hi,

I have iptables running on my system. If I turn on one or more
DNAT rules, I run into performance problems.

Pings without DNAT:
64 bytes from www.t-online.de (194.25.134.146): icmp_seq=1 ttl=242 time=29.3 ms
64 bytes from www.t-online.de (194.25.134.146): icmp_seq=2 ttl=242 time=25.0 ms
64 bytes from www.t-online.de (194.25.134.146): icmp_seq=3 ttl=242 time=29.2 ms
64 bytes from www.t-online.de (194.25.134.146): icmp_seq=4 ttl=242 time=31.4 ms
64 bytes from www.t-online.de (194.25.134.146): icmp_seq=5 ttl=242 time=25.0 ms
64 bytes from www.t-online.de (194.25.134.146): icmp_seq=6 ttl=242 time=25.5 ms
64 bytes from www.t-online.de (194.25.134.146): icmp_seq=7 ttl=242 time=27.2 ms
64 bytes from www.t-online.de (194.25.134.146): icmp_seq=8 ttl=242 time=25.6 ms
64 bytes from www.t-online.de (194.25.134.146): icmp_seq=9 ttl=242 time=33.4 ms
64 bytes from www.t-online.de (194.25.134.146): icmp_seq=10 ttl=242 time=27.5 ms

Pings with activated DNAT-rule:
64 bytes from www.t-online.de (194.25.134.146): icmp_seq=1 ttl=242 time=789 ms
64 bytes from www.t-online.de (194.25.134.146): icmp_seq=2 ttl=242 time=711 ms
64 bytes from www.t-online.de (194.25.134.146): icmp_seq=3 ttl=242 time=743 ms
64 bytes from www.t-online.de (194.25.134.146): icmp_seq=4 ttl=242 time=850 ms
64 bytes from www.t-online.de (194.25.134.146): icmp_seq=5 ttl=242 time=916 ms
64 bytes from www.t-online.de (194.25.134.146): icmp_seq=6 ttl=242 time=807 ms
64 bytes from www.t-online.de (194.25.134.146): icmp_seq=7 ttl=242 time=769 ms
64 bytes from www.t-online.de (194.25.134.146): icmp_seq=8 ttl=242 time=786 ms
64 bytes from www.t-online.de (194.25.134.146): icmp_seq=9 ttl=242 time=655 ms
64 bytes from www.t-online.de (194.25.134.146): icmp_seq=10 ttl=242 time=795 ms
64 bytes from www.t-online.de (194.25.134.146): icmp_seq=11 ttl=242 time=767 ms

The rule I use:
$IPT -t nat -A PREROUTING -i $EXT -p tcp --dport 80 -j DNAT --to-destination 192.168.154.24
$IPT -A FORWARD -i $EXT -o $DMZ -p tcp -d 192.168.154.24 --dport 80 -m state --state NEW -j ACCEPT

Do you have any ideas?

Udo
-- 
------------------------------------------------------------
brauch-hilfe
Dipl. Ing. (FH) Udo Brauch
Haslacher Straße 37
89081 Ulm

Tel.:   +49 (0)731 60280-169
Fax.:   +49 (0)731 60280-229
E-Mail: udo.brauch@xxxxxxxxxxxxxxx
Web:    www.brauch-hilfe.de


