# "Slow" iptables NAT router?

## AvantLegion

I've got a Gentoo box running 2.6.11-hardened-r15, acting as a NAT router using iptables. 

I have no problem with basic usage and Xbox Live gaming, but one thing I've noticed is that I can get connectivity problems with some XBLive users. What's more, I notice that when plugging my cable modem directly into the Xbox to try and work around the problem, the Xbox performs tasks (like logging into Xbox Live) with much less delay than I'm used to when using the router box. From what I observe, I think the connectivity problems with certain other people stem from additional latency experienced in my normal setup (the games in question are, I believe, denying the game based on perceived "poor" connection latency between me and the other player).

These conditions are with nobody else using the network, so it's not a case of someone hogging bandwidth on another machine on the network. 

My question isn't to ask for a fix (as the details here are obviously too light for that), but rather I'm just looking for suggestions and ideas as to what the source of the problem MIGHT be. Does sending traffic through the router box really add THAT much latency? Could there be something in my iptables rules (or perhaps something missing) that could lead to sub-optimal performance? I haven't really messed with QoS stuff yet, especially since the problem occurs when nothing else is tapping the network. Does the "hardened" kernel contain patches that might sacrifice network performance/latency in the name of security?

----------

## AvantLegion

Anyone? Bueller?

Can I at least get a hint as to if the "hardened" kernel might be (part of) the problem?

----------

## To

When that happens, what's your processor and mem load?

How much RAM and swap do you have?

Tó

----------

## josh

I came here looking for a solution to a problem I'm having. I have an iptables firewall in a production environment. Well, it isn't my server, I'm just an entry level programmer. But the server has become slow over the course of about 90 days. It's pretty tight. We only allow connections from a few hundred of our clients and drop the rest. The server is a Xeon 2.8G with 1G of RAM running the firewall. More specifically, it's not slow routing traffic through it. But when you ssh in or try to do anything mildly cpu intensive, like 'ps' or 'w', it can take around 10 or 20 seconds. The load is not high and 'top' shows that the cpu is mostly idle (although top takes FOREVER to run). Nobody is worried about it because it is not slowing production in any way. But I want to say that it is a problem with the firewall script. Iptables is not properly flushed at the beginning of it. So every time we add a new client, the script gets run again, without being flushed. Would this cause the system to slow up in this way?

----------

## opentaka

1. Could it be a DNS problem? Sometimes under NAT, DNS resolving can be a bit buggy; reversing your /etc/resolv.conf entries can be a possible way of fixing it.

2. Faulty hardware? Some crappy ethernet devices REALLY make speeds slow (I had this with my PCMCIA eth) and also cause very high (near 100%) CPU usage.

3. Faulty network cable? (Well, this sounds stupid, but really, bent cables sometimes cause this problem.)

Also, verifying that it's not because of your client box by connecting another box etc. is also a good idea.

cheers,

----------

## josh

Yeah, I've tried connecting from various boxes. I'm pretty sure it is not a problem with a bad eth card or cable because any traffic traveling through that box seems fine. Any mtr shows packets going through taking very little time. It only happens with the above mentioned situations. Just seems like any kernel activity has to wait in line. I figured that because iptables is built into the kernel that it gets its time with the processor first. But it just seems like it's way too high.
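josh's two posts above describe a firewall script that is re-run every time a client is added, without flushing the existing rules first. The shell script below is an added example, not josh's script or anything posted in this thread: it defines a check that reads `iptables-save` style output and reports any rule line that occurs more than once (run here on a constructed sample dump embedded in the script), plus a `load_rules` function showing the flush-then-append order that keeps repeated runs from growing the chains. The `IPT` and `ALLOWED_CLIENTS` variables, the chain policies, the port 22 rule and the RFC 5737 sample addresses are all assumptions for illustration; set `IPT=echo` to dry-run `load_rules` without touching the live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): spot duplicate rules produced by a
# rule script that is re-run without a flush, and show a flush-first loader.

# Constructed sample: what `iptables-save -t filter` might print after the
# same script has been run three times without flushing. The addresses are
# RFC 5737 documentation ranges, not real clients.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p tcp --dport 22 -j ACCEPT
COMMIT'

# Read a dump on stdin and print every rule line (-A ...) that appears more
# than once, prefixed by its count. On a live box: iptables-save | find_duplicate_rules
find_duplicate_rules() {
    grep '^-A ' | sort | uniq -c | awk '$1 > 1 { print }'
}

# Read a dump on stdin and print the total number of rule lines; a quick
# way to see whether the rule set keeps growing between script runs.
count_rules() {
    grep -c '^-A '
}

# Idempotent load order: flush rules and user chains first, then set the
# default policies, then append the rules. Each run produces the same
# rule set, however many times it is executed. Needs root to apply for
# real, so it is only defined here, not called; IPT=echo dry-runs it.
load_rules() {
    IPT="${IPT:-iptables}"
    "$IPT" -F              # flush all rules in the filter table
    "$IPT" -X              # delete user-defined chains in the filter table
    "$IPT" -t nat -F       # same for the nat table used by the NAT router
    "$IPT" -t nat -X
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # One allow rule per client address; the list is an assumed variable.
    for client in $ALLOWED_CLIENTS; do
        "$IPT" -A INPUT -s "$client" -p tcp --dport 22 -j ACCEPT
    done
}

# Demo on the constructed dump: report rule count and duplicated rules.
printf 'rules in sample dump: %s\n' "$(printf '%s\n' "$SAMPLE_DUMP" | count_rules)"
printf 'duplicated rules (count, rule):\n'
printf '%s\n' "$SAMPLE_DUMP" | find_duplicate_rules
```

On the sample dump the check reports two distinct rules that each appear three times; on a live system, comparing `iptables-save | count_rules` before and after running the firewall script shows directly whether the script appends on top of the old rules or replaces them.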

----------

