Solved

IPTables Mangle Table Slows Down Connection when Uploading Large Files

Posted on 2016-08-08
6
23 Views
Last Modified: 2016-09-04
Greetings,

I am using Linux as a router, IPTables / Netfilter.

I have run into a problem with the MANGLE table rules slowing down the internet connection to a crawl when uploading files with various cloud based backup software. If I remove the Mangle table rules, the problem resolves. With the MANGLE rules in place and while uploading files, my ping times to google for example, are consistently above 500ms. If I remove the MANGLE rules, ping times are normal 14ms - 50ms.

The purpose of my mangle rules are to prioritize SIP and RTP traffic for VoIP, and then all else to the default queue.

Here are my mangle table rules:

-A PREROUTING -p udp -m udp --dport 10000:21099 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p udp -m udp --dport 10000:21099 -j RETURN
-A PREROUTING -p udp -m udp --dport 5060:5099 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p udp -m udp --dport 5060:5099 -j RETURN
-A PREROUTING -j MARK --set-xmark 0x2/0xffffffff
-A PREROUTING -j RETURN


Any ideas on how I can speed up the packets through the mangle table?
0
Comment
Question by:jkockler
  • 3
  • 2
6 Comments
 
LVL 34

Accepted Solution

by:
Duncan Roe earned 450 total points (awarded by participants)
ID: 41749575
I think the dport ranges are the trouble. I believe I recall reading that it checks for each port in the range individually. (To verify this, try removing only the first 2 rules (with the big port ranges)).
If I'm right, you should get a major improvement by converting to use nftables. nftables uses the same filter framework as iptables but with a much improved packet classification method (modelled after that used by tcpdump).
The syntax of nftables is all new. I've been meaning to learn it since it came out - your question has piqued my interest again.
0
 
LVL 4

Author Comment

by:jkockler
ID: 41749600
Thank you. That actually makes sense about the port ranges. I can definitely trim that down if it ends up being the fix. I will let you know how it goes.
0
 
LVL 34

Assisted Solution

by:Duncan Roe
Duncan Roe earned 450 total points (awarded by participants)
ID: 41753599
A couple of alternatives to converting to nftables
- Use the u32 target: this allows arithmetic comparisons as described in man iptables-extensions
- Use IP sets. See man ipset, also the set extension in man iptables-extensions
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 4

Author Comment

by:jkockler
ID: 41753758
Interesting! Thank you for that. I will look into that as well.

I can report that dialing back the amount of ports in the mangle table definitely improved the situation. It's certainly not perfect, but the network is at least usable when the uploads are taking place. Ping times have dropped from spiking to 1,000ms to google, to about 100-300ms spikes.
0
 
LVL 39

Assisted Solution

by:noci
noci earned 50 total points (awarded by participants)
ID: 41758552
Another improvement...
first mark all packets with mark 2.

Then select the ones for mark 1 and mark those. That saves on the returns....
(and checks on ports for those returns).
0
 
LVL 34

Expert Comment

by:Duncan Roe
ID: 41783517
The author has acknowledged that the problem is identified and explained. However he has not posted a progress update for some time. Assume he will get there.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Suggested Solutions

SSH (Secure Shell) - Tips and Tricks As you all know SSH(Secure Shell) is a network protocol, which we use to access/transfer files securely between two networked devices. SSH was actually designed as a replacement for insecure protocols that sen…
The purpose of this article is to demonstrate how we can use conditional statements using Python.
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now