Significant slowdown with iptables rule

alkim · Post by **alkim** » Sun Oct 29, 2017 6:51 pm

Hi,

I'm running qbittorrent over vpn using a split tunnel. I have the following things set up:
1. I have openvpn set up to create tun0 device
2. I added table "200 vpn" to /etc/iproute2/rt_tables
3. I added rules to make sure all vpn traffic goes through this routing table:

Code: Select all

ip rule add from <vpn-ip-addr> table 200
ip route add default via <vpn-ip-addr> dev tun0 table 200
ip route flush cache

where <vpn-ip-addr> is the ip address bound to tun0
4. I configured qbittorrent to use the tun0 interface:

Code: Select all

Connection\Interface=tun0
Connection\InterfaceName=tun0

At this point, everything works, and I can see that at least a good chunk of traffic is going over tun0. However, when I try to ensure that all traffic goes through tun0, using iptables, my speed drops dramatically.

The rules I have are:

Code: Select all

iptables -F OUTPUT
iptables -A OUTPUT -m owner --uid-owner torrent -p udp --dport 53 -j ACCEPT   # Allow DNS traffic
iptables -A OUTPUT -m owner --uid-owner torrent -p tcp --sport 8080 -j ACCEPT  # Allow webui traffic
iptables -A OUTPUT -m owner --uid-owner torrent \! -o tun0 -j DROP

The problem is with the last rule:

Code: Select all

iptables -A OUTPUT -m owner --uid-ownerr torrent \! -o tun0 -j DROP

If I remove this rule, I get ~10MB/s download speed on a linux iso torrent. If I add this rule, I see this dropping down to 3MB/s - 6MB/s, so some traffic does go over tun0. I've checked the logs, and it seems there is quite a bit of traffic to eth0, but I'm not quite sure what it is for. Should I be allowing some other types of traffic as well? Or is iptables just slow for this kind of thing..

Here are some examples of the traffic which is dropped by the last rule:

Code: Select all

Oct 29 18:44:35 qbittorrent  IN= OUT=eth0 MAC= SRC=192.168.1.201 DST=<DST-IP-ADDR> LEN=60 TOS=00 PREC=0x00 TTL=64 ID=28532 DF PROTO=TCP SPT=47733 DPT=25858 SEQ=3199474617 ACK=0 WINDOW=29200 SYN URGP=0 UID=1000 GID=1000 MARK=0 
Oct 29 18:44:35 qbittorrent  IN= OUT=eth0 MAC= SRC=192.168.1.201 DST=<DST-IP-ADDR> LEN=60 TOS=00 PREC=0x00 TTL=64 ID=64838 DF PROTO=TCP SPT=51118 DPT=52371 SEQ=140872075 ACK=0 WINDOW=29200 SYN URGP=0 UID=1000 GID=1000 MARK=0 
Oct 29 18:44:35 qbittorrent  IN= OUT=eth0 MAC= SRC=192.168.1.201 DST=<DST-IP-ADDR> LEN=60 TOS=00 PREC=0x00 TTL=64 ID=6811 DF PROTO=TCP SPT=56843 DPT=61269 SEQ=3781258846 ACK=0 WINDOW=29200 SYN URGP=0 UID=1000 GID=1000 MARK=0 
Oct 29 18:44:35 qbittorrent  IN= OUT=eth0 MAC= SRC=192.168.1.201 DST=<DST-IP-ADDR> LEN=60 TOS=00 PREC=0x00 TTL=64 ID=56912 DF PROTO=TCP SPT=36928 DPT=9968 SEQ=2680269445 ACK=0 WINDOW=29200 SYN URGP=0 UID=1000 GID=1000 MARK=0

I'm using qbittorrent-nox v3.3.7 on debian.

Any help would be appreciated. Thanks!