Significant slowdown with iptables rule
Posted: Sun Oct 29, 2017 6:51 pm
Hi,
I'm running qbittorrent over VPN using a split tunnel. I have the following things set up:
1. I have openvpn set up to create a tun0 device
2. I added table "200 vpn" to /etc/iproute2/rt_tables
3. I added rules to make sure all VPN traffic goes through this routing table:

    ip rule add from <vpn-ip-addr> table 200
    ip route add default via <vpn-ip-addr> dev tun0 table 200
    ip route flush cache

where <vpn-ip-addr> is the IP address bound to tun0
4. I configured qbittorrent to use the tun0 interface:

    Connection\Interface=tun0
    Connection\InterfaceName=tun0

At this point, everything works, and I can see that at least a good chunk of traffic is going over tun0. However, when I try to ensure that all traffic goes through tun0, using iptables, my speed drops dramatically.
The rules I have are:

    iptables -F OUTPUT
    iptables -A OUTPUT -m owner --uid-owner torrent -p udp --dport 53 -j ACCEPT # Allow DNS traffic
    iptables -A OUTPUT -m owner --uid-owner torrent -p tcp --sport 8080 -j ACCEPT # Allow webui traffic
    iptables -A OUTPUT -m owner --uid-owner torrent \! -o tun0 -j DROP

The problem is with the last rule:

    iptables -A OUTPUT -m owner --uid-owner torrent \! -o tun0 -j DROP

If I remove this rule, I get ~10MB/s download speed on a Linux ISO torrent. If I add this rule, I see this dropping down to 3MB/s - 6MB/s, so some traffic does go over tun0. I've checked the logs, and it seems there is quite a bit of traffic to eth0, but I'm not quite sure what it is for. Should I be allowing some other types of traffic as well? Or is iptables just slow for this kind of thing?
Here are some examples of the traffic which is dropped by the last rule:

    Oct 29 18:44:35 qbittorrent IN= OUT=eth0 MAC= SRC=192.168.1.201 DST=<DST-IP-ADDR> LEN=60 TOS=00 PREC=0x00 TTL=64 ID=28532 DF PROTO=TCP SPT=47733 DPT=25858 SEQ=3199474617 ACK=0 WINDOW=29200 SYN URGP=0 UID=1000 GID=1000 MARK=0
    Oct 29 18:44:35 qbittorrent IN= OUT=eth0 MAC= SRC=192.168.1.201 DST=<DST-IP-ADDR> LEN=60 TOS=00 PREC=0x00 TTL=64 ID=64838 DF PROTO=TCP SPT=51118 DPT=52371 SEQ=140872075 ACK=0 WINDOW=29200 SYN URGP=0 UID=1000 GID=1000 MARK=0
    Oct 29 18:44:35 qbittorrent IN= OUT=eth0 MAC= SRC=192.168.1.201 DST=<DST-IP-ADDR> LEN=60 TOS=00 PREC=0x00 TTL=64 ID=6811 DF PROTO=TCP SPT=56843 DPT=61269 SEQ=3781258846 ACK=0 WINDOW=29200 SYN URGP=0 UID=1000 GID=1000 MARK=0
    Oct 29 18:44:35 qbittorrent IN= OUT=eth0 MAC= SRC=192.168.1.201 DST=<DST-IP-ADDR> LEN=60 TOS=00 PREC=0x00 TTL=64 ID=56912 DF PROTO=TCP SPT=36928 DPT=9968 SEQ=2680269445 ACK=0 WINDOW=29200 SYN URGP=0 UID=1000 GID=1000 MARK=0

I'm using qbittorrent-nox v3.3.7 on Debian.
Any help would be appreciated. Thanks!
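A small helper, added here as an example and not part of the original post, that parses iptables LOG lines of the format shown above and tabulates which of the torrent user's packets the DROP rule is catching (by outgoing interface, protocol, destination port, and whether the packet was a new TCP connection attempt). It assumes a LOG rule placed before the DROP rule, that UID 1000 is the torrent user as the posted logs suggest, and uses a constructed sample made of two lines in the post's format plus three made-up lines.

```python
import re
from collections import Counter

# Constructed sample input: the first two lines follow the post's log format
# (TCP SYNs from the torrent user leaving eth0); the other three are made up to
# exercise the filter: a DNS query on eth0, a packet that did go out tun0, and a
# root-owned (UID=0) packet on eth0 such as openvpn's own tunnel transport.
SAMPLE_LOG = """\
Oct 29 18:44:35 qbittorrent IN= OUT=eth0 MAC= SRC=192.168.1.201 DST=<DST-IP-ADDR> LEN=60 TOS=00 PREC=0x00 TTL=64 ID=28532 DF PROTO=TCP SPT=47733 DPT=25858 SEQ=3199474617 ACK=0 WINDOW=29200 SYN URGP=0 UID=1000 GID=1000 MARK=0
Oct 29 18:44:35 qbittorrent IN= OUT=eth0 MAC= SRC=192.168.1.201 DST=<DST-IP-ADDR> LEN=60 TOS=00 PREC=0x00 TTL=64 ID=64838 DF PROTO=TCP SPT=51118 DPT=52371 SEQ=140872075 ACK=0 WINDOW=29200 SYN URGP=0 UID=1000 GID=1000 MARK=0
Oct 29 18:44:36 qbittorrent IN= OUT=eth0 MAC= SRC=192.168.1.201 DST=<DNS-IP-ADDR> LEN=64 TOS=00 PREC=0x00 TTL=64 ID=1234 DF PROTO=UDP SPT=40001 DPT=53 UID=1000 GID=1000 MARK=0
Oct 29 18:44:36 qbittorrent IN= OUT=tun0 MAC= SRC=<vpn-ip-addr> DST=<DST-IP-ADDR> LEN=60 TOS=00 PREC=0x00 TTL=64 ID=5678 DF PROTO=TCP SPT=40002 DPT=6881 SEQ=1 ACK=0 WINDOW=29200 SYN URGP=0 UID=1000 GID=1000 MARK=0
Oct 29 18:44:36 qbittorrent IN= OUT=eth0 MAC= SRC=192.168.1.201 DST=<VPN-SERVER-ADDR> LEN=100 TOS=00 PREC=0x00 TTL=64 ID=9999 DF PROTO=UDP SPT=1194 DPT=1194 UID=0 GID=0 MARK=0
"""


def parse_log_line(line):
    """Turn one iptables LOG line into a dict. KEY=VALUE tokens become entries
    (empty values such as IN= stay ''); bare tokens such as DF or SYN become
    flags set to True. Returns None for lines that carry no packet fields."""
    m = re.search(r"\bIN=.*$", line)
    if m is None:
        return None
    fields = {}
    for tok in m.group(0).split():
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else True
    return fields


def summarize_leaks(log_text, vpn_if="tun0", uid="1000"):
    """Count packets owned by the torrent user that left via an interface other
    than the VPN, keyed by (OUT, PROTO, DPT, new_tcp_connection). Every entry
    is traffic that would have gone out in the clear without the DROP rule, so
    the table shows what still bypasses the tunnel and needs fixing."""
    leaks = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None or f.get("UID") != uid or f.get("OUT") == vpn_if:
            continue
        # A TCP SYN without ACK is an outbound connection attempt to a peer.
        syn = f.get("PROTO") == "TCP" and f.get("SYN") is True and f.get("ACK") == "0"
        leaks[(f["OUT"], f.get("PROTO", "?"), f.get("DPT", "?"), syn)] += 1
    return leaks


if __name__ == "__main__":
    for (out_if, proto, dport, syn), n in summarize_leaks(SAMPLE_LOG).most_common():
        kind = "new connection" if syn else "other"
        print(f"{n:4d}  OUT={out_if} PROTO={proto} DPT={dport} ({kind})")
```

Feed it the real log (for example the output of journalctl -k filtered on the log prefix) to see whether the dropped traffic is peer connections, DNS, tracker or something else before deciding which rule to adjust.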