This is my firewall script:
#!/bin/sh
WAN_NIC="ppp0"
LAN_NIC="eth1"
DYN_ADDR="yes"
# VPN_TUN and WAN_IP are referenced below but never set in this script;
# they have to be defined in the environment (or above this line) before it runs.

# Default policies: drop inbound and forwarded traffic, allow outbound
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT

# Stateful rules: anything belonging to an existing connection is allowed
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept everything that does not arrive on the WAN interface (LAN, loopback, tunnels)
iptables -A INPUT ! -i ${WAN_NIC} -j ACCEPT

# Allow selected services
iptables -A INPUT -i ${WAN_NIC} -p tcp --dport 3535 -j ACCEPT
iptables -A INPUT -i ${WAN_NIC} -p udp --dport 8123 -j ACCEPT

# Allow forwarding of selected services (one port per line in the file)
for svc in $(cat /etc/firewall/allowed_services)
do
    iptables -A FORWARD -i ${LAN_NIC} -p tcp --dport ${svc} -j ACCEPT
    iptables -A FORWARD -i ${LAN_NIC} -p udp --dport ${svc} -j ACCEPT
done
# Allow forwarding to selected inbound services (-d 0/0 matches any destination)
for in_svc in $(cat /etc/firewall/allowed_input_services)
do
    iptables -A FORWARD -d 0/0 -p tcp --dport ${in_svc} -j ACCEPT
done

# Allow VPN tunnel forwarding (skipped when VPN_TUN is not set)
if [ -n "${VPN_TUN}" ]
then
    iptables -A FORWARD -i ${VPN_TUN} -j ACCEPT
fi

# Allow all services for whitelisted clients (one address/network per line)
for whl in $(cat /etc/firewall/clients_whitelist)
do
    iptables -A FORWARD -s ${whl} -j ACCEPT
done

# Source NAT for the LAN networks leaving through the WAN interface
if [ "${DYN_ADDR}" = "yes" ]
then
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ${WAN_NIC} -j MASQUERADE
    iptables -t nat -A POSTROUTING -s 10.7.1.0/24 -o ${WAN_NIC} -j MASQUERADE
else
    # POSTROUTING has no input interface (-i is rejected there), so match on the
    # LAN source networks instead, the same way the MASQUERADE branch does
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ${WAN_NIC} -j SNAT --to-source ${WAN_IP}
    iptables -t nat -A POSTROUTING -s 10.7.1.0/24 -o ${WAN_NIC} -j SNAT --to-source ${WAN_IP}
fi

# Port forwards from the WAN side
iptables -t nat -A PREROUTING -i ${WAN_NIC} -p tcp --dport 4899 -j DNAT --to-destination 192.168.0.200
iptables -t nat -A PREROUTING -i ${WAN_NIC} -p tcp --dport 4900 -j DNAT --to-destination 192.168.0.199:4899
iptables -t nat -A PREROUTING -p tcp --dport 491 -j DNAT --to-destination 192.168.0.199
# Transparent proxy: redirect LAN web traffic (port 80) to the proxy on port 3128
iptables -t nat -A PREROUTING -i ${LAN_NIC} -s 10.7.1.0/24 -p tcp --dport 80 -j DNAT --to-destination 10.7.1.1:3128
iptables -t nat -A PREROUTING -i ${LAN_NIC} -s 192.168.0.0/24 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.231:3128
The problem is: when I connect from outside to one of the forwarded ports (e.g. 4899 (radmin)), the connection works as expected. If I try to browse the web over http (80), it also works as expected, since we use a transparent proxy.
However, when I try to browse over https (443), it connects to the server, but the connection has low throughput.
PS: Forwarding of packets to port 443 is allowed, since it is present in the file "/etc/firewall/accepted_services".
PS2: The connection uses MASQUERADE (dynamic IP from ppp0).
Thanks in advance, Eduardo Melo
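The three `for x in $(cat /etc/firewall/...)` loops in the script above hand every word in those files straight to iptables as a port or address argument. The following added example (my own code, not the poster's script) shows one way to validate those entries first, so that a stray word, a CRLF line ending or an out-of-range number is reported instead of silently producing a rule that fails or matches something unintended. `valid_port`, `valid_cidr`, `load_list` and the `emit_*` helpers are hypothetical names; `IPT` defaults to `echo iptables` so the example prints the rules it would add rather than changing a live ruleset, and the list files it reads are constructed samples, not real configuration.

```shell
#!/bin/sh
# Added example, not the poster's script: validated replacement for the
# "for svc in $(cat ...)" loops. IPT defaults to "echo iptables" so running this
# file only prints the rules; set IPT=iptables to apply them for real.
IPT=${IPT:-echo iptables}
LAN_NIC=${LAN_NIC:-eth1}

# Accept only a decimal port number in 1..65535 (hypothetical helper).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Accept an IPv4 address, optionally with a /prefix (hypothetical helper).
valid_cidr() {
    addr=${1%/*}
    pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32          # no prefix given: single host
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read one list file (one entry per line, '#' comments allowed), run $validator
# on each entry and call $emit for the valid ones; invalid entries are reported
# on stderr. RULES_ADDED ends up holding the number of iptables calls made.
load_list() {
    file=$1; validator=$2; emit=$3
    RULES_ADDED=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=${entry%%#*}
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')   # also drops a CR
        [ -z "$entry" ] && continue
        if "$validator" "$entry"; then
            "$emit" "$entry"
        else
            printf 'skipping invalid entry in %s: %s\n' "$file" "$entry" >&2
        fi
    done < "$file"
}

emit_service_rules() {           # same rules as the allowed_services loop
    $IPT -A FORWARD -i "$LAN_NIC" -p tcp --dport "$1" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_NIC" -p udp --dport "$1" -j ACCEPT
    RULES_ADDED=$((RULES_ADDED + 2))
}

emit_whitelist_rule() {          # same rule as the clients_whitelist loop
    $IPT -A FORWARD -s "$1" -j ACCEPT
    RULES_ADDED=$((RULES_ADDED + 1))
}

# Constructed sample lists (not real config files) so the example runs offline:
# three valid ports and two valid addresses, mixed with entries that must be rejected.
demo() {
    svc_list=$(mktemp); whl_list=$(mktemp)
    printf '443\n22 # ssh\n\nhttp\n70000\n3389\r\n' > "$svc_list"
    printf '192.168.0.50\n10.7.1.0/24\n192.168.0.300\nlaptop\n' > "$whl_list"
    load_list "$svc_list" valid_port emit_service_rules
    SERVICE_RULES=$RULES_ADDED     # 3 valid ports -> 6 rules
    load_list "$whl_list" valid_cidr emit_whitelist_rule
    WHITELIST_RULES=$RULES_ADDED   # 2 valid addresses -> 2 rules
    rm -f "$svc_list" "$whl_list"
}

demo
```

Reading the file line by line with `read -r` instead of word-splitting `$(cat ...)` also means a comment or a trailing carriage return cannot turn into an extra iptables argument; the validator is what decides whether a line reaches the ruleset at all.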
Answer 1
SSL obviously uses encryption, so depending on the specs of the machine running the SSL-enabled web server, there may be a noticeable difference.