* IP Tables slows network response times
From: Michael Hallager @ 2005-08-14 9:33 UTC (permalink / raw)
To: netfilter
Hello all.
I have spent rather a lot of time trying to find an answer for this one.
I have a Slackware Linux box, 2.4.29 kernel running IP Tables. I have the bare
number of needed modules compiled into the custom kernel.
I start IP Tables using the following batch file:
iptables -P INPUT DROP
iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 25 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 53 -j ACCEPT
iptables -A INPUT -p udp --destination-port 53 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 110 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 443 -j ACCEPT
This works except it makes webpages and email served from this box SLOW to
respond. (Several seconds).
Any ideas please? Questions welcomed.
Michael Hallager
networkStuff ltd
www.networkstuff.co.nz | p.09.839.1000 | m.029.638.7883
* Re: IP Tables slows network response times
From: Eric Leblond @ 2005-08-14 9:49 UTC (permalink / raw)
To: michael; +Cc: netfilter
On Sun, 2005-08-14 at 21:33 +1200, Michael Hallager wrote:
> Hello all.
>
> I have spent rather a lot of time trying to find an answer for this one.
>
> I have a Slackware Linux box, 2.4.29 kernel running IP Tables. I have the bare
> number of needed modules compiled into the custom kernel.
> This works except it makes webpages and email served from this box SLOW to
> respond. (Several seconds).
>
Several seconds? Looks like you've got a timeout problem on name
resolution (or another network access). Please ensure that DNS or name
resolution traffic is not blocked.
Moreover, add a rule to accept loopback traffic on INPUT; blocked
loopback traffic could explain the problem you have.
Hope this helps,
--
Eric Leblond <eric@inl.fr>
INL
* Re: IP Tables slows network response times
From: Michael Hallager @ 2005-08-14 9:54 UTC (permalink / raw)
To: Eric Leblond, netfilter
Hi Eric.
Don't think so, I fixed the reverse DNS issue earlier:
root@202-150-101-225:/usr/local/Dialect/PaymentClient/config# nslookup
202.150.101.225
Server: 202.150.101.225
Address: 202.150.101.225#53
225.101.150.202.in-addr.arpa name = 202-150-101-225.networkstuff.net.nz.
root@202-150-101-225:/usr/local/Dialect/PaymentClient/config#
This machine runs its own DNS server.
> several seconds ? looks like you've got a timeout problem on name
> resolution (or another network access). Please ensure that DNS or name
> resolution traffic is not blocked.
> More over, add a rule to accept loopback traffic on INPUT, blocked
> loopback traffic could explain problem you have.
Could you please provide a sample of this rule?
--
Michael Hallager
networkStuff ltd
www.networkstuff.co.nz | p.09.839.1000 | m.029.638.7883
* Re: IP Tables slows network response times
From: Grant Taylor @ 2005-08-15 5:42 UTC (permalink / raw)
To: netfilter
I've not run into or heard of this problem myself before. But I suspect that there is a support protocol being used that we are aware of. Who knows, you may have a few things configured to use the Ident (Auth) protocol to find out the name of the user on the system that is requesting the web pages. If this is indeed the case and you do not have stateful packet inspection allowing returning outbound traffic back in, you may be dropping some returning traffic that is sent out from a high port. In either case I would add the following rules to the end of your list to help diagnose this problem.
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -j LOG
The second rule is probably the most important as it will log the traffic that is getting dropped and thus you will have an idea what you need to modify your firewall to allow in.
Grant. . . .
Michael Hallager wrote:
> Hello all.
>
> I have spent rather a lot of time trying to find an answer for this one.
>
> I have a Slackware Linux box, 2.4.29 kernel running IP Tables. I have the bare
> number of needed modules compiled into the custom kernel.
>
> I start IP Tables using the following batch file:
>
> iptables -P INPUT DROP
> iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
> iptables -A INPUT -p tcp --destination-port 25 -j ACCEPT
> iptables -A INPUT -p tcp --destination-port 53 -j ACCEPT
> iptables -A INPUT -p udp --destination-port 53 -j ACCEPT
> iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
> iptables -A INPUT -p tcp --destination-port 110 -j ACCEPT
> iptables -A INPUT -p tcp --destination-port 443 -j ACCEPT
>
> This works except it makes webpages and email served from this box SLOW to
> respond. (Several seconds).
>
> Any ideas please? Questions welcomed.
>
> Michael Hallager
> networkStuff ltd
> www.networkstuff.co.nz | p.09.839.1000 | m.029.638.7883
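The LOG rule Grant suggests only helps if the resulting kernel log is read systematically. The following is an added example, not code from anyone in this thread: a small sh/awk summariser that takes the 2.4-kernel LOG lines as they appear in /var/log/messages, groups the drops by incoming interface, protocol and port pair, and flags packets whose source port is well-known and destination port ephemeral as probable replies to connections the box itself opened (the shape a stateless --dport rule set can never match). The lines in LOG_SAMPLE are constructed for this example with documentation addresses and made-up ports, and the INPUT-DROP: prefix assumes the LOG rule was given one with --log-prefix; a rule without a prefix produces the same fields after "kernel:".

```shell
#!/bin/sh
# Added example, not from the thread: summarise what a trailing
# 'iptables -A INPUT -j LOG' rule reports so the policy can be corrected
# from evidence. Input format is the 2.4-kernel LOG line as written to
# /var/log/messages. LOG_SAMPLE is constructed for this example
# (documentation addresses, made-up ports); it is not real traffic.
set -eu

LOG_SAMPLE='Aug 14 21:40:01 gw kernel: INPUT-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.53 DST=203.0.113.10 LEN=112 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=53 DPT=32768 LEN=92
Aug 14 21:40:01 gw kernel: INPUT-DROP: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=32770 LEN=64
Aug 14 21:40:02 gw kernel: INPUT-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.25 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=12345 DF PROTO=TCP SPT=34567 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 14 21:40:02 gw kernel: eth0: link up, 100Mbps, full-duplex
Aug 14 21:40:03 gw kernel: INPUT-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.53 DST=203.0.113.10 LEN=140 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=53 DPT=32768 LEN=120'

# summarize_drops: read LOG lines on stdin and print
# "<count> <in-if> <proto> spt=<sport> dpt=<dport> <kind>" per distinct
# tuple, most frequent first. kind is "reply" when the source port is
# well-known and the destination port ephemeral, i.e. the shape of a
# response to a connection this host opened (exactly what a stateless
# --dport rule set cannot match); otherwise "inbound", a connection
# attempt from outside. Lines without PROTO= are not firewall log lines
# and are ignored.
summarize_drops() {
    awk '
        /PROTO=/ {
            inif = proto = spt = dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "IN") inif = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "SPT") spt = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            kind = (spt + 0 > 0 && spt + 0 < 1024 && dpt + 0 >= 1024) ? "reply" : "inbound"
            count[inif " " proto " spt=" spt " dpt=" dpt " " kind]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# top_drop: the single most frequent dropped tuple, the first thing to fix.
top_drop() { summarize_drops | head -n 1; }

# Run as 'sh summarise.sh demo' to see the summary of the constructed sample;
# in production feed it with: grep INPUT-DROP /var/log/messages | summarize_drops
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$LOG_SAMPLE" | summarize_drops
fi
```

On the sample the top line is the two dropped DNS replies from the upstream resolver to named's ephemeral port, followed by the same pattern over lo and an inbound ident SYN: the three items the replies in this thread point at (loopback rule, state match for return traffic, and something explicit for port 113).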
* Re: IP Tables slows network response times
From: Jan Engelhardt @ 2005-08-15 6:14 UTC (permalink / raw)
To: Michael Hallager; +Cc: netfilter
>iptables -P INPUT DROP
>iptables -A INPUT -p tcp --destination-port 53 -j ACCEPT
>iptables -A INPUT -p udp --destination-port 53 -j ACCEPT
"Think before you rule."
If your NAMED makes a query to the outside world, its _DEFAULT configuration
will NOT use_ 53 as source port, so --destination-port 53 cannot match.
(Use -m state --state ESTABLISHED)
* RE: IP Tables slows network response times
From: Gary W. Smith @ 2005-08-14 17:39 UTC (permalink / raw)
To: michael, Eric Leblond, netfilter
Something like the following (off the top of my head, so syntax may not
be exact)
iptables -I INPUT -o lo -j ACCEPT
iptables -I FORWARD -o lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT
Basically, tell the server to allow anything originating from loopback
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> bounces@lists.netfilter.org] On Behalf Of Michael Hallager
> Sent: Sunday, August 14, 2005 2:55 AM
> To: Eric Leblond; netfilter@lists.netfilter.org
> Subject: Re: IP Tables slows network response times
>
> Hi Eric.
> > More over, add a rule to accept loopback traffic on INPUT, blocked
> > loopback traffic could explain problem you have.
>
> Could you please provide a sample of this rule?
> --
> Michael Hallager
> networkStuff ltd
> www.networkstuff.co.nz | p.09.839.1000 | m.029.638.7883
* Re: IP Tables slows network response times
From: Nikolai Geogriev @ 2005-08-14 18:00 UTC (permalink / raw)
To: Gary W. Smith; +Cc: netfilter, Eric Leblond
I think the correct one should be:
iptables -I INPUT -i lo -j ACCEPT (guess you misspelled it in the hurry)
The forward rule for loopback is not necessary, as far as I remember.
iptables -I OUTPUT -o lo -j ACCEPT;
On 8/14/05, Gary W. Smith <gary@primeexalia.com> wrote:
> Something like the following (off the top of my head, so syntax may not
> be exact)
>
> iptables -I INPUT -o lo -j ACCEPT
> iptables -I FORWARD -o lo -j ACCEPT
> iptables -I OUTPUT -o lo -j ACCEPT
>
> Basically, tell the server to allow anything originating from loopback
>
> > -----Original Message-----
> > From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> > bounces@lists.netfilter.org] On Behalf Of Michael Hallager
> > Sent: Sunday, August 14, 2005 2:55 AM
> > To: Eric Leblond; netfilter@lists.netfilter.org
> > Subject: Re: IP Tables slows network response times
> >
> > Hi Eric.
> > > More over, add a rule to accept loopback traffic on INPUT, blocked
> > > loopback traffic could explain problem you have.
> >
> > Could you please provide a sample of this rule?
> > --
> > Michael Hallager
> > networkStuff ltd
> > www.networkstuff.co.nz | p.09.839.1000 | m.029.638.7883
>
>
>
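Eric, Grant, Jan and Nikolai each supply one piece of the fix: a loopback rule on INPUT, a conntrack state match for return traffic, and no reliance on named using source port 53. Putting them together, as an added example that is not code from any poster in this thread: a script equivalent to the original batch file with those changes, plus a rate-limited LOG rule for diagnosis and an explicit REJECT for ident (port 113) so remote mail servers that probe it fail fast instead of waiting out a timeout against a silent DROP. It assumes a 2.4-series kernel with ip_conntrack and ipt_state available, /sbin/iptables as the binary, and that the ports in the original post are still the only services to expose; the INPUT-DROP: log prefix and the file name firewall.sh are my choices.

```shell
#!/bin/sh
# Added example, not from any poster in this thread: the original INPUT
# policy with the fixes the replies suggest, as a re-runnable script.
# Assumes a 2.4-series kernel with ip_conntrack and ipt_state loaded,
# /sbin/iptables as the binary, and that the ports listed in the original
# post are still the only services to expose. Usage:
#   sh firewall.sh apply                       (as root, loads the rules)
#   sh firewall.sh show                        (prints the rules, touches nothing)
#   IPT="echo iptables" sh firewall.sh apply   (dry run)
set -eu

IPT="${IPT:-/sbin/iptables}"
PUBLIC_TCP="22 25 53 80 110 443"   # from the original batch file
PUBLIC_UDP="53"

# rules: print the INPUT rules in order, one per line, no side effects.
# First match wins, so the cheap high-volume cases go first.
rules() {
    # 1. Loopback. named, the MTA and the web server talk to each other
    #    over lo; with policy DROP and no lo rule those packets are lost
    #    and every local lookup waits for a timeout.
    echo "-A INPUT -i lo -j ACCEPT"
    # 2. Return traffic for connections this host opened: replies to
    #    named's outbound queries (sent from an ephemeral port, so
    #    '--dport 53' never matches them), ident lookups by the MTA, and
    #    so on. Conntrack state matches them whatever the ports are.
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 3. Packets conntrack cannot classify are not worth a port check.
    echo "-A INPUT -m state --state INVALID -j DROP"
    # 4. Exposed services, restricted to NEW connections so these rules
    #    cannot be used to slip stray mid-stream segments past the policy.
    for p in $PUBLIC_TCP; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $PUBLIC_UDP; do
        echo "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    # 5. ident (auth): remote mail servers probe it before accepting a
    #    connection. A silent DROP makes them wait out a timeout; a TCP
    #    reset makes them give up immediately.
    echo "-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset"
    # 6. Log what the policy is about to drop, rate-limited so a port scan
    #    cannot flood the kernel log. The prefix has no spaces on purpose:
    #    apply_rules word-splits each line and cannot carry quoted args.
    echo "-A INPUT -m limit --limit 5/min -j LOG --log-prefix INPUT-DROP:"
}

# apply_rules: set the policy, flush the chain, load the rules. Policy
# first so a reload fails closed; TCP retransmits cover the short gap.
apply_rules() {
    $IPT -P INPUT DROP
    $IPT -F INPUT
    rules | while read -r line; do
        # shellcheck disable=SC2086   # splitting $line into args is intended
        $IPT $line
    done
}

rule_count() { rules | wc -l | tr -d ' '; }

case "${1:-}" in
    apply) apply_rules ;;
    show)  rules ;;
esac
```

Because apply_rules flushes INPUT before loading, the script can be run again after every edit without accumulating duplicate rules; check the result with iptables -L INPUT -n -v, where the packet counters on the lo and ESTABLISHED,RELATED rules should start climbing as soon as a page or mail is served.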