[问题求助]能否减小iptables作nat时的延迟？ [复制链接]

网吧10M光纤接入，用一台客户机直接接光猫上.网，用I.E开2个窗口下.载，速度有1.2m/s，估计已是最大速度，这时ping电信dns服务器，time值只有15以内外贸
。
用一..台客户机接一台交换机，再接光猫上网，最大速度下载，这时time值也是15ms以内。
但如果中间加一台li.nux作nat上网的话，下.载时的time值就变成100ms了。           建材
而在别的一家网吧，一样的测试环境，time值也就15m.s,还有一家网吧情况和我这一样，.不过那网吧用的是tp-link的路由器，别的条件一样。(        游戏          )
linux版本.是经过二次开发的sw2.0，网卡都是用的8139D的，差是差了点，不过跑那么点数据，应该不会有什么问题.吧。.
请问怎么样设置iptables.里的相.关参数， 减小延迟？.

iptables-save
看一下再说

减小延迟大多需要靠硬件来撑,不过linux的iptables的tos设置得当,可以让你需要的某些服务优先进出是真的...这样也变相地减小了(必要应用)的延迟

[root@smoothwall root]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ipac~o     all  --  anywhere             anywhere
ipblock    all  --  anywhere             anywhere
ipblock    all  --  anywhere             anywhere
ipblock    all  --  anywhere             anywhere
advnet     all  --  anywhere             anywhere
advnet     all  --  anywhere             anywhere
advnet     all  --  anywhere             anywhere
spoof      all  --  anywhere             anywhere
spoof      all  --  anywhere             anywhere
spoof      all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
secin      all  --  anywhere             anywhere
block      all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere           LOG level warning
REJECT     all  --  anywhere             anywhere           reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination
ipac~fi    all  --  anywhere             anywhere
ipac~fo    all  --  anywhere             anywhere
ipblock    all  --  anywhere             anywhere
ipblock    all  --  anywhere             anywhere
ipblock    all  --  anywhere             anywhere
secout     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state NEW
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state NEW
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state NEW
portfwf    all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere           LOG level warning
REJECT     all  --  anywhere             anywhere           reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ipac~i     all  --  anywhere             anywhere

Chain advnet (3 references)
target     prot opt source               destination

Chain block (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
xtaccess   all  --  anywhere             anywhere
ipsec      all  --  anywhere             anywhere
ipsec      all  --  anywhere             anywhere
ipsec      all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     icmp --  anywhere             192.168.1.0/24

Chain dmzholes (0 references)
target     prot opt source               destination

Chain ipac~fi (1 references)
target     prot opt source               destination
           all  --  anywhere             anywhere
           all  --  anywhere             anywhere

Chain ipac~fo (1 references)
target     prot opt source               destination
           all  --  anywhere             anywhere
           all  --  anywhere             anywhere

Chain ipac~i (1 references)
target     prot opt source               destination
           all  --  anywhere             anywhere
           all  --  anywhere             anywhere

Chain ipac~o (1 references)
target     prot opt source               destination
           all  --  anywhere             anywhere
           all  --  anywhere             anywhere

Chain ipblock (6 references)
target     prot opt source               destination

Chain ipsec (3 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere           udp dpt:isakmp
ACCEPT     gre  --  anywhere             anywhere
ACCEPT     ipv6-crypt--  anywhere             anywhere

Chain portfwf (1 references)
target     prot opt source               destination

Chain secin (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain secout (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain spoof (3 references)
target     prot opt source               destination
DROP       all  --  192.168.0.0/24       anywhere

Chain xtaccess (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:auth
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:auth
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:auth

[root@smoothwall root]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
jmpsquid   all  --  anywhere             anywhere
portfw     all  --  anywhere             anywhere

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
MASQUERADE  all  --  anywhere             anywhere
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain jmpsquid (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             10.0.0.0/8
RETURN     all  --  anywhere             172.16.0.0/12
RETURN     all  --  anywhere             192.168.0.0/16
RETURN     all  --  anywhere             169.254.0.0/16
squid      all  --  anywhere             anywhere

Chain portfw (1 references)
target     prot opt source               destination

Chain squid (1 references)
target     prot opt source               destination
[root@smoothwall root]#

这个防火墙规则看着跟论文是的。。。。

QUOTE:原帖由 platinum 于 2006-2-21 00:22 发表
这个防火墙规则看着跟论文是的。。。。



有什么问题说啊,别掉我喟口了.

你没加 -v 参数，又没贴 iptables-save 的结果，我看起来都一样
比如这些


QUOTE:[root@smoothwall root]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ipac~o     all  --  anywhere             anywhere
ipblock    all  --  anywhere             anywhere
ipblock    all  --  anywhere             anywhere
ipblock    all  --  anywhere             anywhere
advnet     all  --  anywhere             anywhere
advnet     all  --  anywhere             anywhere
advnet     all  --  anywhere             anywhere
spoof      all  --  anywhere             anywhere
spoof      all  --  anywhere             anywhere
spoof      all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

看着大量的这些东西，我只有两个感觉
1、太多了，像论文
2、都一样，像小学被老师罚抄课文 n 遍。。。

这样的规则不造成延迟才怪

用户被禁言,该主题自动屏蔽!