[CentOS] Centos 7 as gateway - UDP performance is busted/awful?

Fri Aug 15 13:19:29 UTC 2014
David Both <dboth at millennium-technology.com>

Nope. The kernel is not busted.

You just need to add a few rules to your firewall in order to tell it to forward 
the packets appropriately. While you do need the "net.ipv4.ip_forward = 1" line in 
/etc/sysctl.conf, and you also need to set /proc/sys/net/ipv4/ip_forward to 1 if 
you have not rebooted after setting the line in sysctl.conf, firewall rules are 
also required to make it work.

Unfortunately the specific firewall rules you require will depend upon the 
release level of the distribution you use. IPTables has changed a bit over the 
years, and so the specific rules and their syntax have changed as well. Here is 
what I use now with CentOS 6.5+ on my own network.


# Generated by iptables-save v1.4.7 on Fri Aug 15 09:11:28 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [825:47118]
:fail2ban-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A fail2ban-SSH -j RETURN
COMMIT
# Completed on Fri Aug 15 09:11:28 2014
# Generated by iptables-save v1.4.7 on Fri Aug 15 09:11:28 2014
*nat
:PREROUTING ACCEPT [80965:6238336]
:POSTROUTING ACCEPT [37811:2251658]
:OUTPUT ACCEPT [838:63592]
-A PREROUTING -d 24.199.159.56/29 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.53:80
-A PREROUTING -d 24.199.159.56/29 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.53:25
-A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
COMMIT
# Completed on Fri Aug 15 09:11:28 2014

The FORWARD rules in the filter table allow forwarding from your internal 
networks on eth0 and eth1 to the outside world. The Destination NATing 
PREROUTING rules allow incoming packets for SMTP and HTTP to be routed to the 
appropriate server on my inside network.

I hope this helps.



On 08/15/2014 07:50 AM, Tom Horsley wrote:
> I think I have my answer: The kernel is busted (or something
> isn't loaded that I need, but don't know about :-).
>
> I copied my Fedora 20 desktop 3.15.8-200.fc20.x86_64 kernel
> and /lib/module files to the centos7 KVM host, rebuilt
> grub.cfg, and rebooted into the 3.15.8-200 kernel, and
> with no other changes the UDP packet forwarding is now working
> perfectly.
>
> I guess it is time to make yet another bugzilla account
> and submit a bug...

-- 

*********************************************************
"I'd put my money on the sun and solar energy. What a source of power! I hope we 
don't have to wait until oil and coal run out before we tackle that."
  - Thomas Edison, in conversation with Henry Ford and Harvey Firestone, 1931
*********************************************************
David P. Both
*********************************************************
This communication may be unlawfully collected and stored by the National 
Security Agency (NSA) in secret. The parties to this email do not consent to the 
retrieving or storing of this communication and any related metadata, as well as 
printing, copying, re-transmitting, disseminating, or otherwise using it. If you 
believe you have received this communication in error, please delete it immediately.


-- 


*********************************************************
David P. Both, RHCE
Millennium Technology Consulting LLC
919-389-8678

dboth at millennium-technology.com

www.millennium-technology.com
www.databook.bz - Home of the DataBook for Linux
DataBook is a Registered Trademark of David Both
*********************************************************
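As an added example (not part of the original post), the script below audits an iptables-save dump for the gateway prerequisites David describes: ip_forward set to 1, FORWARD accepting conntrack RELATED,ESTABLISHED, interfaces allowed to forward, and MASQUERADE for the LAN. It works on saved text rather than live rules, so it runs offline; the sample dump, its 203.0.113.8/29 address and the 192.168.0.0/24 subnet are constructed, and the wildcard-accept note is a check added here, not the post's own.

```shell
#!/bin/sh
# Constructed sample dump modelled on the post's rules (not a live capture).
SAMPLE_DUMP=$(mktemp)
cat > "$SAMPLE_DUMP" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i eth+ -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
-A PREROUTING -d 203.0.113.8/29 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.53:80
-A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
COMMIT
EOF

# True when the sysctl file holds 1 (default: the live /proc value).
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}
# Interfaces the FORWARD chain accepts from, space separated, in rule order.
forward_ifaces() {
    awk '/^-A FORWARD / && /-j ACCEPT/ { for (i = 1; i <= NF; i++) if ($i == "-i") printf "%s ", $(i+1) }' "$1" | sed 's/ $//'
}
# Does FORWARD let reply traffic back through (conntrack RELATED,ESTABLISHED)?
forward_tracks_state() {
    grep -q '^-A FORWARD .*--ctstate RELATED,ESTABLISHED .*-j ACCEPT' "$1"
}
# Is the given LAN subnet masqueraded in nat POSTROUTING?
lan_masqueraded() {
    grep -q "^-A POSTROUTING -s $2 -j MASQUERADE" "$1"
}
# Count INPUT rules accepting everything on an interface wildcard such as eth+.
input_wildcard_accepts() {
    grep -c '^-A INPUT -i [a-z0-9]*+ -j ACCEPT$' "$1" || true
}
# Exit 0 only when every forwarding prerequisite is present; print what is missing.
audit_gateway() {
    dump=$1; lan=$2; ok=0
    forward_tracks_state "$dump" || { echo "FORWARD lacks RELATED,ESTABLISHED accept"; ok=1; }
    [ -n "$(forward_ifaces "$dump")" ] || { echo "no interface is allowed to FORWARD"; ok=1; }
    lan_masqueraded "$dump" "$lan" || { echo "no MASQUERADE for $lan"; ok=1; }
    [ "$(input_wildcard_accepts "$dump")" -eq 0 ] || echo "note: INPUT accepts all traffic on an interface wildcard"
    return $ok
}
```

Run it against a real box with `iptables-save > dump.txt; audit_gateway dump.txt 192.168.0.0/24` and `ip_forward_enabled` with no argument.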