I have a speed problem downloading from youtube.

I have a small LAN at home, connected to the internet via a Debian etch based Linux box which (amongst a whole range of other things) acts as a router/NAT gateway.

Downloading (using wget) videos from youtube from my desktop (another Linux box - Debian sid) I get about 7 Kbytes/sec. Downloading from the NAT/gateway itself I get about 80 Kbytes/sec, more than a 10 fold increase.

Looking in detail at the network traffic, when downloading directly from the gateway I get a smooth pattern of in-order traffic, like this

  ...
  youtube->me  http continuation  seq 189688  next seq 191136
  youtube->me  http continuation  seq 191136  next seq 192584
  me->youtube  tcp ack            seq no 192584
  youtube->me  http continuation  seq 192584  next seq 194032
  ...

Looking at the traffic on the same interface when I initiate the request from the desktop I get

  youtube->me  http cont  seq 4344   next seq 5792
  me->youtube  tcp ack    seq 5792
  youtube->me  http cont  seq 7240   next seq 8688
  me->youtube  dup ack    seq 5792
  youtube->me  http cont  seq 10136  next seq 11584
  me->youtube  dup ack    seq 5792
  youtube->me  http cont  seq 5790   next seq 7240
  me->youtube  tcp ack    seq 8688
  youtube->me  http cont  seq 8688   next seq 10136

As you can see, in this case it appears that some packets are being lost and have to be repeated via a dup ack. I presume I can assume that youtube is actually sending the packets, since it is clear in the earlier case that it does so (and pretty quickly too), so I think it might come down to some reason that the packets are getting dropped before wireshark sees them. I have an IPTABLES firewall on the gateway, but I can't see why that should affect things.

Can someone tell me

a) whether wireshark sees the packets before they are processed by IPTABLES? (I want to see if there is a possibility that they reach the machine but iptables drops them)

b) is there anything I might be doing in my firewall script that could cause only some packets to be dropped?
Script follows

#!/bin/sh
#
#
INETIF=eth0
KANGER="192.168.0.21"
POOH="192.168.0.22"
RABBIT="192.168.0.25"

test -x /sbin/iptables || exit 0
#set -e
#
# Start up ensuring that the tables are all empty
# (ignoring any errors because there is nothing there yet)
#
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -t mangle -F OUTPUT
# user chains: flush then delete; on a first run these do not exist yet,
# so the errors are silenced
iptables -F inet-in 2>/dev/null
iptables -X inet-in 2>/dev/null
iptables -F inet-fwd 2>/dev/null
iptables -X inet-fwd 2>/dev/null
iptables -F from-inet 2>/dev/null
iptables -X from-inet 2>/dev/null
iptables -F to-inet 2>/dev/null
iptables -X to-inet 2>/dev/null
iptables -F i-estab 2>/dev/null
iptables -X i-estab 2>/dev/null
#
# This is for established communications coming in from the internet just
# so that I can get an idea what sort of packets they are.
#
iptables -N i-estab
iptables -A i-estab -p tcp --sport www -j ACCEPT
iptables -A i-estab -p tcp --sport imap -j ACCEPT
iptables -A i-estab -p tcp --sport nntp -j ACCEPT
iptables -A i-estab -p tcp --sport domain -j ACCEPT
iptables -A i-estab -p tcp --dport ssh -j ACCEPT
iptables -A i-estab -p tcp --sport ftp -j ACCEPT
iptables -A i-estab -p tcp --sport ftp-data -j ACCEPT
iptables -A i-estab -p tcp --sport 9418 -j ACCEPT
# Accept everything not so far accepted
iptables -A i-estab -j ACCEPT
#
# Route packets going out from here onto a new table so that we can do
# things with them (logging etc)
#
iptables -N to-inet
#
# Just want to count a few things
#
iptables -A to-inet -p tcp --dport www -j ACCEPT
iptables -A to-inet -p tcp --dport imap -j ACCEPT
iptables -A to-inet -p udp --dport domain -j ACCEPT
iptables -A to-inet -p tcp --dport nntp -j ACCEPT
iptables -A to-inet -p udp --dport 67:68 -j ACCEPT
iptables -A to-inet -p tcp --dport iax -j ACCEPT
iptables -A to-inet -p udp --dport iax -j ACCEPT
#
# Note ICMP packets I am sending out
#
iptables -A to-inet -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A to-inet -p icmp --icmp-type source-quench -j ACCEPT
iptables -A to-inet -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A to-inet -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A to-inet -p icmp --icmp-type echo-request -j ACCEPT
iptables -A to-inet -p icmp --icmp-type echo-reply -j ACCEPT
#
# Prevent any netbios stuff leaking out from here
#
iptables -A to-inet -p tcp --dport netbios-ns:netbios-ssn -j LOG
iptables -A to-inet -p tcp --dport netbios-ns:netbios-ssn -j DROP
iptables -A to-inet -p udp --dport netbios-ns:netbios-ssn -j LOG
iptables -A to-inet -p udp --dport netbios-ns:netbios-ssn -j DROP
#
#
# Accept everything else
#
iptables -A to-inet -j ACCEPT
#
# Now make the connection to the table
#
iptables -A OUTPUT -o $INETIF -j to-inet
#
# Common internet stuff
#
iptables -N from-inet
#
# Stuff already established is allowed but jump to chain to count things
#
iptables -A from-inet -m state --state ESTABLISHED,RELATED -j i-estab
#
# Deal with ICMP packets
#
iptables -A from-inet -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A from-inet -p icmp --icmp-type source-quench -j ACCEPT
iptables -A from-inet -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A from-inet -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A from-inet -p icmp --icmp-type echo-request -j ACCEPT
# Already accepted by related
iptables -A from-inet -p icmp --icmp-type echo-reply -j ACCEPT
#
# ftp-data started by mine (already accepted in related)
#
iptables -A from-inet -m state --state NEW -p tcp --dport ftp-data -j ACCEPT
#
# Socks probes should be dropped so that IRC does not think we are screwing them
#
iptables -A from-inet -p tcp --dport socks -j DROP
#
# Drop these before logging them (just collecting them to see what they are)
#
iptables -A from-inet -p tcp --dport 1635 -j DROP
iptables -A from-inet -p tcp --dport 1370 -j DROP
#
# seem to get these during boot - I don't think they matter
#
iptables -A from-inet -p udp --dport 67:68 -j DROP
#
# log and drop the rest (except 192.168 stuff which we silently lose)
#
iptables -A from-inet -s 192.168.0.0/16 -j DROP
#
iptables -A from-inet -j LOG
iptables -A from-inet -j DROP
#
# Create a chain which protects gateway
#
iptables -N inet-in
#
# Allow DNS stuff
#
iptables -A inet-in -p udp --dport domain -j ACCEPT
iptables -A inet-in -p tcp --dport domain -j ACCEPT
#
# Allow connections to my ssh port
#
iptables -A inet-in -m state --state NEW -p tcp --dport ssh -j ACCEPT
iptables -A inet-in -p udp --dport ssh -j ACCEPT
#
# Allow communication with the jabberd server (disabled for now as no server installed)
#
# iptables -A inet-in -m state --state NEW -p tcp --dport 5269 -j ACCEPT
#
# Allow git connections
#
iptables -A inet-in -m state --state NEW -p tcp --dport 9418 -j ACCEPT
iptables -A inet-in -p udp --dport 9418 -j ACCEPT
# Allow mail to get in to deliver on the SMTP port
#
iptables -A inet-in -p tcp --dport smtp -j ACCEPT
#
# Allow boot stuff so I can configure interface
#
iptables -A inet-in -p udp --dport 67:68 -j ACCEPT
#
# Allow stuff to the web site
#
iptables -A inet-in -p tcp --dport www -j ACCEPT
iptables -A inet-in -p tcp --dport https -j ACCEPT
#
# Allow traffic in to Asterisk (iax, sip and a limited range of rtp)
#
iptables -A inet-in -p udp --dport iax -j ACCEPT
iptables -A inet-in -p udp --dport sip -j ACCEPT
iptables -A inet-in -p udp --dport 14007:14096 -j ACCEPT
#
# Explicitly drop 135 stuff
#
# iptables -A inet-in -p tcp --dport 135 -j LOG
iptables -A inet-in -p tcp --dport 135 -j DROP
#
# Do common stuff
#
iptables -A inet-in -j from-inet
#
# Create table for forwarded stuff from Inet
#
iptables -N inet-fwd
#
# Following is for GPL and WinVROC and must be forwarded on
#
iptables -A inet-fwd -p udp --dport 32766:32786 -j ACCEPT
iptables -A inet-fwd -p udp --dport 6970:6971 -j ACCEPT
# to see them separately
iptables -A inet-fwd -p udp --dport 6969 -j ACCEPT
iptables -A inet-fwd -p tcp --dport auth -j ACCEPT
#
# Allow bittorrent stuff
#
iptables -A inet-fwd -p tcp --dport 6881:6899 -j ACCEPT
iptables -A inet-fwd -p udp --dport 6881:6899 -j ACCEPT
#
#
# allow Secure Remote stuff into my portable
#
# iptables -A inet-fwd -p udp --dport 500 -j LOG
iptables -A inet-fwd -p udp --dport 500 -j ACCEPT
# iptables -A inet-fwd -p udp --dport 2746 -j LOG
iptables -A inet-fwd -p udp --dport 2746 -j ACCEPT
#
# Do common stuff
#
iptables -A inet-fwd -j from-inet
#
# Link new tables in
#
# Note: no -P policy is set anywhere in this script, so the built-in chains
# keep their default ACCEPT policy. Only traffic arriving on $INETIF is
# inspected; LAN->internet FORWARD traffic is never filtered.
#
iptables -A INPUT -i $INETIF -j inet-in
iptables -A FORWARD -i $INETIF -j inet-fwd
#
# Count some packets hitting the server from the LAN
#
iptables -A INPUT -p tcp --dport iax -j ACCEPT
iptables -A INPUT -p udp --dport iax -j ACCEPT
#
# need to MASQUERADE outgoing stuff
#
# normal internal network
#
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o $INETIF -j MASQUERADE
#
#
# Stuff coming in for GPL and WinVROC needs destination changing
#
iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 32766:32786 -j DNAT --to-destination $KANGER
iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6970:6971 -j DNAT --to-destination $KANGER
# separate out to see if used
iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6969 -j DNAT --to-destination $KANGER
iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport auth -j DNAT --to-destination $KANGER
#
# Allocate bittorrent channels
#
iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport 6881:6889 -j DNAT --to-destination $KANGER
iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6881:6889 -j DNAT --to-destination $KANGER
iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport 6890:6899 -j DNAT --to-destination $POOH
iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6890:6899 -j DNAT --to-destination $POOH
#
# This should be the secure remote traffic for my portable
#
iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 500 -j DNAT --to-destination $RABBIT
iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 2746 -j DNAT --to-destination $RABBIT
#
# Forward Napster Connections to that machine.
#
# iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport 6690:6700 -j DNAT --to-destination $POOH
# iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport 4983 -j DNAT --to-destination $POOH
#
# I want to mangle outgoing packets so that I can
# take maximum benefit of different types of connection
# in terms of priority
#
# (These rules are in the mangle OUTPUT chain, so they only touch packets
# generated on the gateway itself, not packets forwarded from the LAN.)
#
iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport www -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport ftp -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport ftp-data -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport smtp -j TOS --set-tos Maximize-Reliability
iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport pop3 -j TOS --set-tos Maximize-Reliability
iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport nntp -j TOS --set-tos Minimize-Cost
iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport domain -j TOS --set-tos Maximize-Reliability
iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport domain -j TOS --set-tos Maximize-Reliability
#
# Following is for GPL and should be sent fast
#
iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport 32766:32786 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport 6970:6971 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -o $INETIF -p udp --sport 32766:32786 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -o $INETIF -p udp --sport 6970:6971 -j TOS --set-tos Minimize-Delay
#
# VOIP traffic - mainly RTP but also IAX needs to go fast
#
iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport iax -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -o $INETIF -p udp --sport 14007:14096 -j TOS --set-tos Minimize-Delay

exit 0

-- 
Alan Chandler
http://www.chandlerfamily.org.uk
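An added example, not part of Alan's post, that turns his two questions into checks you can run on the gateway. On Linux, libpcap (which is what wireshark and tcpdump use) taps an incoming frame when the driver hands it to the network stack, before any netfilter hook runs, and taps an outgoing frame only after the OUTPUT/POSTROUTING hooks. So a data segment that is simply absent from a capture on the external interface was not dropped by iptables: it either never reached the box or the capture itself lost it (tcpdump prints "packets dropped by kernel" at exit for the latter). An iptables drop instead shows up as a segment present on the external interface and absent on the LAN interface, and the rule responsible shows up as a DROP counter that moves while the download stalls. The script below does both checks against sample input constructed inline: seq_gaps reads trace lines in the form the second listing above uses (those lines are copied from the post, with one constructed final segment added) and reports which byte ranges are missing from the capture and whether a later segment retransmitted them; drop_delta diffs two made-up `iptables -nvxL` snapshots (the -x gives exact rather than abbreviated counters) and names the DROP/REJECT rules whose packet counter increased between them.

```sh
#!/bin/sh
# Added example (not from the original post). Two offline checks for the
# question above, run here against sample input constructed inline.
#  seq_gaps   - reads "youtube->me http cont seq A next seq B" trace lines and
#               reports byte ranges absent from the capture and whether a later
#               segment retransmitted them. "tcp ack" lines are skipped: they
#               carry an ack number, not a data range.
#  drop_delta - diffs two `iptables -nvxL` snapshots (before/after a download)
#               and names DROP/REJECT rules and DROP policies whose counter grew.

seq_gaps() {
    awk '
    /http cont/ {
        a = -1; b = -1
        for (i = 2; i <= NF; i++) {
            if ($i == "seq" && $(i-1) != "next") a = $(i+1) + 0
            if ($i == "next" && $(i+1) == "seq") b = $(i+2) + 0
        }
        if (a < 0 || b < 0) next
        # a segment starting above the highest next-seq so far leaves a hole
        if (seen && a > expect) { g++; gs[g] = expect; ge[g] = a; filled[g] = 0 }
        # a segment covering an open hole is the retransmission that fills it
        for (k = 1; k <= g; k++)
            if (!filled[k] && a <= gs[k] && b >= ge[k]) filled[k] = 1
        if (!seen || b > expect) { expect = b; seen = 1 }
    }
    END {
        for (k = 1; k <= g; k++)
            printf "gap %d %d %s\n", gs[k], ge[k], (filled[k] ? "retransmitted" : "missing")
    }'
}

drop_delta() {
    # $1 = snapshot before, $2 = snapshot after (both `iptables -nvxL`). Rules are
    # matched by position within their chain, so do not edit rules in between.
    awk '
    /^Chain / {
        chain = $2; idx = 0
        if ($3 == "(policy") {           # built-in chain: policy counter
            key = chain ":policy"
            if (NR == FNR) before[key] = $5
            else if ($4 == "DROP" && $5 - before[key] > 0)
                printf "%s policy DROP %d more packets\n", chain, $5 - before[key]
        }
        next
    }
    $1 == "pkts" || NF < 3 { next }      # column header and blank lines
    {
        idx++; key = chain ":" idx
        if (NR == FNR) { before[key] = $1; next }
        delta = $1 - before[key]
        if (($3 == "DROP" || $3 == "REJECT") && delta > 0) {
            rule = ""
            for (i = 4; i <= NF; i++) rule = rule " " $i
            printf "%s rule %d %s %d more packets:%s\n", chain, idx, $3, delta, rule
        }
    }' "$1" "$2"
}

# Trace copied from the second listing in the post, plus one constructed final
# segment (seq 13032) whose predecessor is never retransmitted in the capture.
TRACE='youtube->me http cont seq 4344 next seq 5792
me->youtube tcp ack seq 5792
youtube->me http cont seq 7240 next seq 8688
me->youtube dup ack seq 5792
youtube->me http cont seq 10136 next seq 11584
me->youtube dup ack seq 5792
youtube->me http cont seq 5790 next seq 7240
me->youtube tcp ack seq 8688
youtube->me http cont seq 8688 next seq 10136
youtube->me http cont seq 13032 next seq 14480'

# Constructed counter snapshots in `iptables -nvxL` layout (not real output).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat >"$TMP/before" <<'EOF'
Chain INPUT (policy ACCEPT 40 packets, 4160 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120     10240 inet-in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain from-inet (2 references)
    pkts      bytes target     prot opt in     out     source               destination
     700   1000000 i-estab    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       3       180 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1080
       2       120 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
       2       120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
cat >"$TMP/after" <<'EOF'
Chain INPUT (policy ACCEPT 55 packets, 5720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     130     11200 inet-in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain from-inet (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    1390   2000000 i-estab    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       3       180 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1080
      19      1140 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
      19      1140 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF

printf '%s\n' "$TRACE" | seq_gaps
drop_delta "$TMP/before" "$TMP/after"
```

On the real gateway the drill is: `iptables -nvxL > before`, start the wget on the desktop, `iptables -nvxL > after`, then `drop_delta before after`; a rule that fires only during the stall is the one to look at, and the LOG rule in from-inet will already have written the offending packets to the kernel log. Run tcpdump on the external interface and on the LAN interface at the same time: the seq_gaps report from each capture tells you on which side of the firewall the bytes went missing.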