I'm trying to track down a rate throttling problem. The issue is that some clients are running into a problem when using FTP or SCP to transfer files to some servers behind two different openSUSE firewalls. At first I thought it was on my end and dismissed it because I have a crazy firewall config at home, but when a client reported the same issue to his own FTP/SSH server, which is on an entirely different firewall, it seemed to no longer be coincidental.

It seems that when people on very fast internet connections start transferring data, it gets cut off. It happens on both FTP and SCP. I have one firewall for my business-related stuff on one IP subnet and another client has his on a different subnet. The firewalls are on a 100mb connection. These firewalls are virtualized with VMware ESXi, with no rate limiting there.

What I'm trying to do is rule out iptables. I don't do any rate limiting on that. Does anyone know of anything inside iptables on openSUSE that might make this situation happen? I'm not ruling out the client, as they are all Windows Vista or Windows 7, nor am I ruling out any possible firewalls that might be on the client side (I think they have a Linksys router).

Rules were built with fwbuilder and it seems to load some modules that aren't needed that could be part of the problem. So, can you eyeball the rules/modules and toss me any possible ideas why this might be happening?

# Generated by iptables-save v1.4.8 on Tue Jun 14 09:02:14 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:RULE_9 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 55.55.55.55/32 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -d 200.200.200.94/32 -p tcp -m tcp -m multiport --dports 110,995,443,80,25,465,143,993,2525,3389,587,987 -j ACCEPT
-A INPUT -d 200.200.200.91/32 -p tcp -m tcp --dport 30031:30040 -j ACCEPT
-A INPUT -d 200.200.200.91/32 -p tcp -m tcp -m multiport --dports 3389,10011 -j ACCEPT
-A INPUT -d 200.200.200.91/32 -p udp -m udp --dport 9900:9999 -j ACCEPT
-A INPUT -d 200.200.200.93/32 -p tcp -m tcp --sport 20 --dport 1024:65535 -j ACCEPT
-A INPUT -d 200.200.200.93/32 -p tcp -m tcp -m multiport --dports 21,80,443 -j ACCEPT
-A INPUT -d 200.200.200.93/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -j RULE_9
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type any -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -o eth0 -j ACCEPT
-A FORWARD -d 200.200.200.94/32 -p tcp -m tcp -m multiport --dports 110,995,443,80,25,465,143,993,2525,3389,587,987 -j ACCEPT
-A FORWARD -d 10.20.0.2/32 -p tcp -m tcp -m multiport --dports 110,995,443,80,25,465,143,993,2525,3389,587,987 -j ACCEPT
-A FORWARD -d 200.200.200.91/32 -p tcp -m tcp --dport 30031:30040 -j ACCEPT
-A FORWARD -d 200.200.200.91/32 -p tcp -m tcp -m multiport --dports 3389,10011 -j ACCEPT
-A FORWARD -d 200.200.200.91/32 -p udp -m udp --dport 9900:9999 -j ACCEPT
-A FORWARD -d 10.20.0.13/32 -p tcp -m tcp --dport 30031:30040 -j ACCEPT
-A FORWARD -d 10.20.0.13/32 -p tcp -m tcp -m multiport --dports 3389,10011 -j ACCEPT
-A FORWARD -d 10.20.0.13/32 -p udp -m udp --dport 9900:9999 -j ACCEPT
-A FORWARD -d 200.200.200.93/32 -p tcp -m tcp --sport 20 --dport 1024:65535 -j ACCEPT
-A FORWARD -d 200.200.200.93/32 -p tcp -m tcp -m multiport --dports 21,80,443 -j ACCEPT
-A FORWARD -d 10.20.0.12/32 -p tcp -m tcp --sport 20 --dport 1024:65535 -j ACCEPT
-A FORWARD -d 10.20.0.12/32 -p tcp -m tcp -m multiport --dports 21,80,443 -j ACCEPT
-A FORWARD -d 200.200.200.93/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -d 10.20.0.11/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -j RULE_9
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 208.78.100.46/32 -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -j RULE_9
-A RULE_9 -j LOG --log-prefix "RULE 9 -- REJECT " --log-level 6
-A RULE_9 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Jun 14 09:02:14 2011
# Generated by iptables-save v1.4.8 on Tue Jun 14 09:02:14 2011
*nat
:PREROUTING ACCEPT [2120259:136842953]
:OUTPUT ACCEPT [253663:19171640]
:POSTROUTING ACCEPT [560604:36881225]
-A PREROUTING -d 200.200.200.94/32 -j DNAT --to-destination 10.20.0.2
-A PREROUTING -d 200.200.200.91/32 -p tcp -m tcp --dport 30031:30040 -j DNAT --to-destination 10.20.0.13
-A PREROUTING -d 200.200.200.91/32 -p tcp -m tcp -m multiport --dports 3389,10011 -j DNAT --to-destination 10.20.0.13
-A PREROUTING -d 200.200.200.91/32 -p udp -m udp --dport 9900:9999 -j DNAT --to-destination 10.20.0.13
-A PREROUTING -d 200.200.200.93/32 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.20.0.11
-A PREROUTING -d 200.200.200.93/32 -j DNAT --to-destination 10.20.0.12
-A OUTPUT -d 200.200.200.94/32 -j DNAT --to-destination 10.20.0.2
-A OUTPUT -d 200.200.200.91/32 -p tcp -m tcp --dport 30031:30040 -j DNAT --to-destination 10.20.0.13
-A OUTPUT -d 200.200.200.91/32 -p tcp -m tcp -m multiport --dports 3389,10011 -j DNAT --to-destination 10.20.0.13
-A OUTPUT -d 200.200.200.91/32 -p udp -m udp --dport 9900:9999 -j DNAT --to-destination 10.20.0.13
-A OUTPUT -d 200.200.200.93/32 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.20.0.11
-A OUTPUT -d 200.200.200.93/32 -j DNAT --to-destination 10.20.0.12
-A POSTROUTING -s 10.20.0.2/32 -o eth0 -j SNAT --to-source 200.200.200.94
-A POSTROUTING -s 10.20.0.13/32 -o eth0 -j SNAT --to-source 200.200.200.91
-A POSTROUTING -s 10.20.0.11/32 -o eth0 -j SNAT --to-source 200.200.200.93
-A POSTROUTING -s 10.20.0.12/32 -o eth0 -j SNAT --to-source 200.200.200.93
-A POSTROUTING -s 10.20.0.0/24 -o eth0 -j SNAT --to-source 200.200.200.90
COMMIT
# Completed on Tue Jun 14 09:02:14 2011

Module Size Used by
vmsync 3186 0
vmblock 11331 1
edd 8720 0
mperf 1255 0
ipt_REJECT 2152 1
ipt_LOG 5119 1
xt_tcpudp 2107 34
xt_state 1162 8
xt_multiport 2666 11
iptable_filter 1418 1
ebt_dnat 1074 0
ebtable_nat 1631 0
ebtables 17205 1 ebtable_nat
ebt_snat 1138 0
act_nat 3528 0
iptable_nat 5021 1
ip_tables 12172 2 iptable_filter,iptable_nat
nf_nat_h323 8343 0
nf_nat_proto_dccp 1127 0
nf_nat_ftp 1995 0
nf_nat_tftp 780 0
nf_nat_snmp_basic 8755 0
nf_nat_pptp 4326 0
nf_nat_proto_gre 2446 1 nf_nat_pptp
nf_nat_proto_sctp 1098 0
crc32c 2615 1
libcrc32c 971 1 nf_nat_proto_sctp
nf_nat_proto_udplite 1078 0
nf_nat_sip 6298 0
nf_nat_amanda 1006 0
nf_nat_irc 1540 0
nf_nat 21139 12 iptable_nat,nf_nat_h323,nf_nat_proto_dccp,nf_nat_ftp,nf_nat_tftp,nf_nat_pptp,nf_nat_proto_gre,nf_nat_proto_sctp,nf_nat_proto_udplite,nf_nat_sip,nf_nat_amanda,nf_nat_irc
nf_conntrack_irc 4645 1 nf_nat_irc
nf_conntrack_proto_dccp 7085 0
nf_conntrack_tftp 3888 1 nf_nat_tftp
nf_conntrack_slp 1407 0
ts_kmp 1853 5
nf_conntrack_amanda 2345 1 nf_nat_amanda
nf_conntrack_ftp 10826 1 nf_nat_ftp
nf_conntrack_proto_sctp 10144 0
nf_conntrack_sip 21488 1 nf_nat_sip
nf_conntrack_netbios_ns 1382 0
nf_conntrack_sane 4521 0
xt_conntrack 2400 0
x_tables 17098 12 ipt_REJECT,ipt_LOG,xt_tcpudp,xt_state,xt_multiport,iptable_filter,ebt_dnat,ebtables,ebt_snat,iptable_nat,ip_tables,xt_conntrack
nf_conntrack_h323 61367 1 nf_nat_h323
nf_conntrack_proto_udplite 2906 0
nf_conntrack_netlink 17854 0
nfnetlink 3807 1 nf_conntrack_netlink
nf_conntrack_pptp 10275 1 nf_nat_pptp
nf_conntrack_proto_gre 6420 1 nf_conntrack_pptp
nf_conntrack_ipv6 18225 0
nf_conntrack_ipv4 8691 11 iptable_nat,nf_nat
nf_conntrack 75628 29 xt_state,iptable_nat,nf_nat_h323,nf_nat_ftp,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_pptp,nf_nat_sip,nf_nat_amanda,nf_nat_irc,nf_nat,nf_conntrack_irc,nf_conntrack_proto_dccp,nf_conntrack_tftp,nf_conntrack_slp,nf_conntrack_amanda,nf_conntrack_ftp,nf_conntrack_proto_sctp,nf_conntrack_sip,nf_conntrack_netbios_ns,nf_conntrack_sane,xt_conntrack,nf_conntrack_h323,nf_conntrack_proto_udplite,nf_conntrack_netlink,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_ipv6,nf_conntrack_ipv4
nf_defrag_ipv4 1201 1 nf_conntrack_ipv4
loop 14694 0
dm_mod 73457 0
ppdev 8444 0
parport_pc 33475 0
sg 27872 0
sr_mod 14671 0
parport 34052 2 ppdev,parport_pc
floppy 57493 0
mptctl 25570 0
cdrom 38085 1 sr_mod
shpchp 30104 0
intel_agp 27995 1
i2c_piix4 11574 0
pcspkr 1614 0
vmware_balloon 6667 0
e1000 107594 0
button 5449 0
container 2535 0
ac 3083 0
pci_hotplug 28749 1 shpchp
ext4 365656 1
jbd2 83102 1 ext4
crc16 1403 1 ext4
fan 3539 0
processor 40761 0
ata_generic 2743 0
mptspi 13983 2
mptscsih 24578 1 mptspi
mptbase 67254 3 mptctl,mptspi,mptscsih
scsi_transport_spi 24136 1 mptspi
thermal 17357 0
thermal_sys 14678 3 fan,processor,thermal
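
Added example (not part of the original post, and not fwbuilder or netfilter code): one way to check an iptables-save dump like the one above for rules that load a match extension able to throttle or cap traffic, and for identical rules repeated within a chain. The set of extensions treated as throttling, the function names, and the sample rules (including the hashlimit rule) are assumptions of this example.

```python
import shlex
from collections import Counter

# Match extensions that can cap or throttle traffic. Which extensions count
# as "throttling" is this example's assumption, not a list from the post.
THROTTLE_MATCHES = {"limit", "hashlimit", "connlimit", "quota", "recent"}

# Constructed sample in the style of the dump above. The hashlimit rule is
# made up for the demonstration; it does not appear in the posted ruleset.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m hashlimit --hashlimit-upto 50/sec --hashlimit-mode srcip --hashlimit-name ftp -j ACCEPT
-A RULE_9 -j LOG --log-prefix "RULE 9 -- REJECT " --log-level 6
COMMIT
"""

def parse_save(text):
    """Return (table, chain, tokens) for every -A line of an iptables-save dump."""
    table, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. *filter
            table = line[1:]
        elif line.startswith("-A "):
            tokens = shlex.split(line)      # keeps the quoted log prefix whole
            rules.append((table, tokens[1], tokens[2:]))
    return rules

def throttling_rules(rules):
    """Rules that load a match extension listed in THROTTLE_MATCHES."""
    hits = []
    for table, chain, tokens in rules:
        loaded = {tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "-m"}
        found = sorted(loaded & THROTTLE_MATCHES)
        if found:
            hits.append((table, chain, found))
    return hits

def duplicate_rules(rules):
    """Identical rules repeated within one chain, with their count."""
    counts = Counter((t, c, " ".join(tok)) for t, c, tok in rules)
    return [key + (n,) for key, n in counts.items() if n > 1]

if __name__ == "__main__":
    parsed = parse_save(SAMPLE)
    print("throttling:", throttling_rules(parsed))
    print("duplicates:", duplicate_rules(parsed))
```

To run it against a real firewall, pass the text of a saved `iptables-save` dump to `parse_save()` instead of `SAMPLE`.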