iptables question
Forum: Networking
Topic: iptables question
Started by: garcelj
Posted by garcelj on Sep. 29 2005, 13:00
Hello everyone,

I have recently re-purposed an old Compaq Celeron 500MHz machine as a Linux router to leverage the use of a Comcast cable modem in a school that has a T-1 line. The box has two network cards detected by DSL as eth0 and eth1. I am using iptables to set up NATting and IP-based policy routing. I have created a script to set up iptables and NAT, and it has been set up as follows:

#!/bin/sh
# Define Internal and External interfaces
INTIF="eth0"
EXTIF="eth1"
# Find the IP Address of the External interface
EXTIP="`/sbin/ifconfig eth1 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
# Turn on IP Forwarding to allow this box to route packets
# (the redirection in "sudo echo 1 > file" runs as the calling user, not as
# root, so the value is written through "sudo tee" instead)
echo "1" | sudo tee /proc/sys/net/ipv4/ip_forward >/dev/null
echo "1" | sudo tee /proc/sys/net/ipv4/ip_dynaddr >/dev/null
# Clearing any existing rules and setting default policy
sudo iptables -P INPUT ACCEPT
sudo iptables -F INPUT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -F OUTPUT
sudo iptables -P FORWARD DROP
sudo iptables -F FORWARD
sudo iptables -t nat -F
# Allow IP traffic to go out External interface from the Internal
sudo iptables -A FORWARD -o $EXTIF -i ! $EXTIF -j ACCEPT
# Allow related traffic from External to Internal that was
# initiated by the Internal interface
sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -f -j ACCEPT
# Enable SNAT (MASQUERADE) functionality on External interface
sudo iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# Define the tables for each gateway on each interface
sudo ip route add default via 10.x.x.1 dev eth0 table 1
sudo ip route add default via 68.x.x.1 dev eth1 table 2
# Add rules that route packets based on source or destination
sudo ip rule add to 204.39.x.x/16 table 2 priority 500
sudo ip rule add to 199.199.x.x/16 table 2 priority 510
sudo ip rule add from 10.69.x.x/24 table 1 priority 600
-------------------------------------------------------

This allows traffic to go out and it seems to work.
However, on some sites, response on the client side is very slow. I have made sure that clients are assigned the address of the Linux box as the gateway. I have tried to traceroute a site from the client, only to get as far as the Linux box and then time out. I have also tried to do some speed tests from sites like dslreports.com, and the download test goes okay, but the upload test either completes after a while or does not complete at all (this is often). The client machines are a mix of Windows 98 and Windows XP. Does anyone have an idea of what I may have done wrong in the setup? Thanks in advance!
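A hardened rewrite of the NAT and policy-routing script from the post above, added here as an example and not the poster's own code. It assumes the same interface roles (eth0 towards the LAN and the T-1 gateway, eth1 towards the cable modem), replaces the redacted x.x addresses with placeholders, and assumes a kernel with connection tracking and the TCPMSS target; without --apply it only prints the commands it would run.

```shell
#!/bin/sh
# Hardened rewrite of the posted NAT + policy-routing script (added example,
# not the original). Assumptions: eth0 faces the LAN and T-1 gateway, eth1 the
# cable modem; addresses below are placeholders; kernel has conntrack and the
# TCPMSS target. Without --apply the script only prints the commands.
set -eu
INTIF=eth0
EXTIF=eth1
LAN=10.69.0.0/24      # placeholder for the poster's 10.69.x.x/24
T1_GW=10.0.0.1        # placeholder for 10.x.x.1
CABLE_GW=68.0.0.1     # placeholder for 68.x.x.1
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

apply_rules() {
    # 'sudo echo 1 > /proc/...' redirects as the caller, not as root; do the
    # whole write inside one privileged shell instead.
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_dynaddr'
    run iptables -P INPUT ACCEPT
    run iptables -P OUTPUT ACCEPT
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -t nat -F
    run iptables -t mangle -F
    # Forward only LAN-sourced traffic outward; replies return via conntrack.
    # No '-f -j ACCEPT': conntrack reassembles fragments, so accepting every
    # fragment unconditionally only opens a hole in the FORWARD policy.
    run iptables -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Clamp TCP MSS on the cable link so transfers do not stall when path-MTU
    # discovery is blocked (assumption: a common cause of such slow uploads).
    run iptables -t mangle -A FORWARD -o "$EXTIF" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
    # Masquerade LAN sources only, not everything that leaves eth1.
    run iptables -t nat -A POSTROUTING -o "$EXTIF" -s "$LAN" -j MASQUERADE
    # Flush tables and stale rules first so the script is safe to re-run.
    run ip route flush table 1
    run ip route flush table 2
    run ip route add default via "$T1_GW" dev "$INTIF" table 1
    run ip route add default via "$CABLE_GW" dev "$EXTIF" table 2
    for prio in 500 510 600; do run ip rule del priority "$prio" || true; done
    run ip rule add to 204.39.0.0/16 table 2 priority 500
    run ip rule add to 199.199.0.0/16 table 2 priority 510
    run ip rule add from "$LAN" table 1 priority 600
}
[ "${1:-}" = --apply ] && DRY_RUN=0
apply_rules
```

Run it once without arguments to review the generated commands, then with --apply as root to install them.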