* Performance problems on my firewall using iptables (SuSEfirewall2)
@ 2005-11-09 10:50 Marc Green
2005-11-09 14:25 ` /dev/rob0
From: Marc Green @ 2005-11-09 10:50 UTC (permalink / raw)
To: netfilter
Hi everybody.
I know my question might sound odd because of the version I'm using, but
this is just because of the type of system I'm running on.
In short:
I'm running a router with a firewall (Firewall2) using SuSE 7.3.
The system is a Pentium 200 MHz with 94 MB of memory.
I put in the attachment the result of different "iptables" commands that show
the rules that are set up.
Basically these are the default rules.
My problem is as follows.
Before the firewall:
Download speed: 320 KB/sec
Upload speed: 27.1 KB/sec
After the firewall:
Download speed: 7.2 KB/sec
Upload speed: 27.9 KB/sec
OK for the upload, but such a difference for download? I don't think this
is normal, do you?
My nsswitch.conf is "hosts files dns"
I have eth0 configured to get a DHCP address from the ADSL ethernet modem.
I have eth1 configured static 192.168.0.X
and eth1:1 configured static 192.168.1.X
Can anybody help me with this? In which direction do I have to search?
I'm thinking about first deleting all the rules and keeping only NAT.
BTW the result of "iptables -t nat|filter -L" can be sent on request.
Thanks for your help.
* Performance problems on my firewall using iptables (SuSEfirewall2)
@ 2005-11-09 20:02 Marc Green
From: Marc Green @ 2005-11-09 20:02 UTC (permalink / raw)
To: netfilter
Find herewith the result of the "iptables-save" command.
Some notes:
For Derick:
==> Yes, I'm running a graphical interface. But nobody logs on to this
system except me, sometimes, to do administration.
==> In the first mail, that is right, there were no files attached with it.
I preferred not to send them (after typing it but forgot to erase the
text) so as not to overload the list with info that might not be necessary.
==> 2 internal networks on the same interface: on one of the networks I
have the children's computers. With crontab I just bring one network down
at a specific time to shut down Internet access for the kids but not for me.
Many thanks for your concern(s).
[-- Attachment #2: iptables.save --]
[-- Type: text/plain, Size: 16404 bytes --]
# Generated by iptables-save v1.2.2 on Wed Nov 9 19:58:37 2005
*mangle
:PREROUTING ACCEPT [1425307:679759088]
:OUTPUT ACCEPT [129618:24422877]
-A PREROUTING -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 22 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 20 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 20 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 80 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 53 -j TOS --set-tos 0x10
-A PREROUTING -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 53 -j TOS --set-tos 0x10
-A PREROUTING -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 161 -j TOS --set-tos 0x04
-A PREROUTING -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 162 -j TOS --set-tos 0x04
-A PREROUTING -p udp -m udp --dport 514 -j TOS --set-tos 0x04
-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 22 -j TOS --set-tos 0x10
-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j TOS --set-tos 0x10
-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 20 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 20 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 80 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 53 -j TOS --set-tos 0x10
-A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 53 -j TOS --set-tos 0x10
-A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 161 -j TOS --set-tos 0x04
-A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 162 -j TOS --set-tos 0x04
-A OUTPUT -p udp -m udp --dport 514 -j TOS --set-tos 0x04
COMMIT
# Completed on Wed Nov 9 19:58:37 2005
# Generated by iptables-save v1.2.2 on Wed Nov 9 19:58:37 2005
*nat
:PREROUTING ACCEPT [48442:4189026]
:POSTROUTING ACCEPT [82:22002]
:OUTPUT ACCEPT [71:21498]
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Nov 9 19:58:37 2005
# Generated by iptables-save v1.2.2 on Wed Nov 9 19:58:37 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:devchain - [0:0]
:forward_dmz - [0:0]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_dmz - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:maschain - [0:0]
:rulchain - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 255.255.255.255 -p udp -m state --state ESTABLISHED -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -j DROP
-A INPUT -d 127.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 192.168.0.5 -j DROP
-A INPUT -s 192.168.1.5 -j DROP
-A INPUT -s 10.0.0.41 -j DROP
-A INPUT -d 10.0.0.41 -i eth0 -j input_ext
-A INPUT -d 192.168.0.5 -i eth1 -j input_int
-A INPUT -d 192.168.1.5 -i eth1 -j input_int
-A INPUT -d 10.0.0.255 -i eth0 -j DROP
-A INPUT -d 255.255.255.255 -i eth0 -j DROP
-A INPUT -d 192.168.0.255 -i eth1 -j DROP
-A INPUT -d 255.255.255.255 -i eth1 -j DROP
-A INPUT -d 192.168.1.255 -i eth1 -j DROP
-A INPUT -d 255.255.255.255 -i eth1 -j DROP
-A INPUT -d 10.0.0.41 -i eth1 -j LOG --log-prefix "SuSE-FW-ACCESS_DENIED_FOR_INT" --log-tcp-options --log-ip-options
-A INPUT -d 10.0.0.41 -i eth1 -j DROP
-A INPUT -j DROP
-A INPUT -j devchain
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -j forward_ext
-A FORWARD -i eth1 -j forward_int
-A FORWARD -j DROP
-A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "SuSE-FW-FORWARD-ERROR" --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 11 -j LOG --log-prefix "SuSE-FW-TRACEROUTE-ATTEMPT" --log-tcp-options --log-ip-options
-A OUTPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 3/3 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 3/9 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 3/10 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 3/13 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 3 -j DROP
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j LOG --log-prefix "SuSE-FW-OUTPUT-ERROR" --log-tcp-options --log-ip-options
-A devchain -i ! lo -j rulchain
-A forward_dmz -s 10.0.0.0/255.255.255.0 -j DROP
-A forward_dmz -s 192.168.0.0/255.255.255.0 -j DROP
-A forward_dmz -s 192.168.1.0/255.255.255.0 -j DROP
-A forward_dmz -d 192.168.0.5 -j DROP
-A forward_dmz -d 192.168.1.5 -j DROP
-A forward_dmz -d 10.0.0.41 -j DROP
-A forward_dmz -p icmp -m state --state RELATED -m icmp --icmp-type 3 -j ACCEPT
-A forward_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_dmz -s 192.168.0.0/255.255.255.0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_dmz -d 192.168.0.0/255.255.255.0 -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_dmz -s 192.168.1.0/255.255.255.0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_dmz -d 192.168.1.0/255.255.255.0 -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_dmz -j DROP
-A forward_ext -s 192.168.0.0/255.255.255.0 -j DROP
-A forward_ext -s 192.168.1.0/255.255.255.0 -j DROP
-A forward_ext -s 192.168.0.0/255.255.255.0 -j DROP
-A forward_ext -s 192.168.1.0/255.255.255.0 -j DROP
-A forward_ext -d 192.168.0.5 -j DROP
-A forward_ext -d 192.168.1.5 -j DROP
-A forward_ext -p icmp -m state --state RELATED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -s 192.168.0.0/255.255.255.0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -d 192.168.0.0/255.255.255.0 -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -s 192.168.1.0/255.255.255.0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -d 192.168.1.0/255.255.255.0 -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -j DROP
-A forward_int -s 10.0.0.0/255.255.255.0 -j DROP
-A forward_int -d 10.0.0.41 -j DROP
-A forward_int -p icmp -m state --state RELATED -m icmp --icmp-type 3 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_int -s 192.168.0.0/255.255.255.0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -d 192.168.0.0/255.255.255.0 -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_int -s 192.168.1.0/255.255.255.0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -d 192.168.1.0/255.255.255.0 -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_int -j DROP
-A input_dmz -s 10.0.0.0/255.255.255.0 -j DROP
-A input_dmz -s 192.168.0.0/255.255.255.0 -j DROP
-A input_dmz -s 192.168.1.0/255.255.255.0 -j DROP
-A input_dmz -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_dmz -p icmp -j DROP
-A input_dmz -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with reject-with
-A input_dmz -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_dmz -p tcp -m tcp --dport 23 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_dmz -p tcp -m tcp --dport 37 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_dmz -p tcp -m tcp --dport 79 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_dmz -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_dmz -p tcp -m tcp --dport 513 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_dmz -p tcp -m tcp --dport 6000 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_dmz -p tcp -m tcp --dport 1024:65535 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-ACCEPT" --log-tcp-options --log-ip-options
-A input_dmz -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 1024:65535 -j ACCEPT
-A input_dmz -p tcp -m state --state ESTABLISHED -m tcp --dport 600:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A input_dmz -p tcp -m state --state ESTABLISHED -m tcp --dport 20 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A input_dmz -s 10.0.0.138 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A input_dmz -p udp -m udp --dport 22 -j DROP
-A input_dmz -p udp -m udp --dport 23 -j DROP
-A input_dmz -p udp -m udp --dport 37 -j DROP
-A input_dmz -p udp -m udp --dport 37 -j DROP
-A input_dmz -p udp -m udp --dport 67 -j DROP
-A input_dmz -p udp -m udp --dport 79 -j DROP
-A input_dmz -p udp -m udp --dport 111 -j DROP
-A input_dmz -p udp -m udp --dport 111 -j DROP
-A input_dmz -p udp -m udp --dport 513 -j DROP
-A input_dmz -p udp -m udp --dport 517 -j DROP
-A input_dmz -p udp -m udp --dport 518 -j DROP
-A input_dmz -p udp -m udp --dport 6000 -j DROP
-A input_dmz -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 1024:65535 -j ACCEPT
-A input_dmz -j DROP
-A input_ext -s 192.168.0.0/255.255.255.0 -j DROP
-A input_ext -s 192.168.1.0/255.255.255.0 -j DROP
-A input_ext -s 192.168.0.0/255.255.255.0 -j DROP
-A input_ext -s 192.168.1.0/255.255.255.0 -j DROP
-A input_ext -s 10.0.0.0/255.255.255.0 -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SuSE-FW-ACCEPT-SOURCEQUENCH" --log-tcp-options --log-ip-options
-A input_ext -s 10.0.0.0/255.255.255.0 -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_ext -p icmp -j DROP
-A input_ext -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with reject-with
-A input_ext -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m tcp --dport 23 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m tcp --dport 37 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m tcp --dport 79 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m tcp --dport 513 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m tcp --dport 6000 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m tcp --dport 1024:65535 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-ACCEPT" --log-tcp-options --log-ip-options
-A input_ext -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 1024:65535 -j ACCEPT
-A input_ext -p tcp -m state --state ESTABLISHED -m tcp --dport 600:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A input_ext -p tcp -m state --state ESTABLISHED -m tcp --dport 20 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A input_ext -s 10.0.0.138 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A input_ext -p udp -m udp --dport 22 -j DROP
-A input_ext -p udp -m udp --dport 23 -j DROP
-A input_ext -p udp -m udp --dport 37 -j DROP
-A input_ext -p udp -m udp --dport 37 -j DROP
-A input_ext -p udp -m udp --dport 67 -j DROP
-A input_ext -p udp -m udp --dport 79 -j DROP
-A input_ext -p udp -m udp --dport 111 -j DROP
-A input_ext -p udp -m udp --dport 111 -j DROP
-A input_ext -p udp -m udp --dport 513 -j DROP
-A input_ext -p udp -m udp --dport 517 -j DROP
-A input_ext -p udp -m udp --dport 518 -j DROP
-A input_ext -p udp -m udp --dport 6000 -j DROP
-A input_ext -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 1024:65535 -j ACCEPT
-A input_ext -p udp -m state --state ESTABLISHED -m udp --dport 61000:65095 -j ACCEPT
-A input_ext -j DROP
-A input_int -s 10.0.0.0/255.255.255.0 -j DROP
-A input_int -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_int -p icmp -j DROP
-A input_int -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with reject-with
-A input_int -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_int -p tcp -m tcp --dport 23 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_int -p tcp -m tcp --dport 37 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_int -p tcp -m tcp --dport 79 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_int -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_int -p tcp -m tcp --dport 513 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_int -p tcp -m tcp --dport 6000 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_int -p tcp -m tcp --dport 1024:65535 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SuSE-FW-ACCEPT" --log-tcp-options --log-ip-options
-A input_int -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 1024:65535 -j ACCEPT
-A input_int -p tcp -m state --state ESTABLISHED -m tcp --dport 600:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A input_int -p tcp -m state --state ESTABLISHED -m tcp --dport 20 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A input_int -s 10.0.0.138 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A input_int -p udp -m udp --dport 22 -j DROP
-A input_int -p udp -m udp --dport 23 -j DROP
-A input_int -p udp -m udp --dport 37 -j DROP
-A input_int -p udp -m udp --dport 37 -j DROP
-A input_int -p udp -m udp --dport 67 -j DROP
-A input_int -p udp -m udp --dport 79 -j DROP
-A input_int -p udp -m udp --dport 111 -j DROP
-A input_int -p udp -m udp --dport 111 -j DROP
-A input_int -p udp -m udp --dport 513 -j DROP
-A input_int -p udp -m udp --dport 517 -j DROP
-A input_int -p udp -m udp --dport 518 -j DROP
-A input_int -p udp -m udp --dport 6000 -j DROP
-A input_int -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 1024:65535 -j ACCEPT
-A input_int -j DROP
-A rulchain -p udp -m udp --dport 111 -j DROP
-A rulchain -p udp -m udp --dport 67 -j DROP
-A rulchain -p udp -m udp --dport 37 -j DROP
-A rulchain -p udp -m udp --dport 518 -j DROP
-A rulchain -p udp -m udp --dport 517 -j DROP
-A rulchain -s 10.0.0.138 -p udp -m udp --sport 53 -j ACCEPT
-A rulchain -p icmp -m icmp --icmp-type 5 -j DROP
-A rulchain -p udp -j DROP
-A rulchain -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG
-A rulchain -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with reject-with
COMMIT
# Completed on Wed Nov 9 19:58:37 2005
* RE: Performance problems on my firewall using iptables (SuSEfirewall2)
@ 2005-11-14 12:53 Derick Anderson
From: Derick Anderson @ 2005-11-14 12:53 UTC (permalink / raw)
To: Marc Green, netfilter
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Marc Green
> Sent: Wednesday, November 09, 2005 3:03 PM
> To: netfilter@lists.netfilter.org
> Subject: Performance problems on my firewall using iptables
> (SuSEfirewall2)
>
> Find herewith the result of the "iptables-save" command.
>
> Some notes :
> For Derick :
> ==> Yes I'm running a graphical interface. But nobody logs on
> this system except me sometimes to do administration.
> ==> In the first mail that is right there was no files
> attached with it.
> I preferred not to send them (after typing it but forgot to erase the
> text) so as not to overload the list with info that might not be necessary.
> ==> 2 internal networks on the same interface: on one of the
> networks I have the children computers. With crontab I just
> bring one network down at a specific time to shutdown
> Internet access for the kids but not for me.
>
> Many thanks for your concern(s).
Sorry for a very late reply. Your ruleset is not obscenely large;
however, it does seem to be more complicated than necessary for a home
firewall. There are well over 200 rules here, and from skimming them I
would have to say that some are unnecessary, particularly with a default
DROP policy on INPUT and FORWARD. Generally it's only necessary to drop
subnets you don't like before accepting ports and bad TCP packets
(invalid state, NEW without --syn, and so on).
Having only used a Linux GUI under extreme duress, I don't know how much
the difference in memory usage is logged-in vs. logged off; however, I
would conjecture that a GUI adds a considerable footprint to your memory
space. 94 MB of RAM (96 - 2 for video?) is not very much. I run a much
simpler firewall with 128 MB (Debian, no GUI, very spartan) and that is
cutting it close for me. Also, my firewall is 2.0 GHz, not 200 MHz. It may
simply be that your computer is too slow. I wouldn't run a firewall on
anything less than a PIII/equivalent with 128 MB of RAM, no matter what
size.
You should also know (if you don't already) that iptables processes
rules linearly, so each one you add makes a difference.
Derick Anderson
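Derick's point about linear evaluation can be checked mechanically against a dump like the one Marc attached. The following is an added example, not code from the thread, SuSEfirewall2 or netfilter: a small Python parser for the iptables-save text format that counts rules per chain, flags exact duplicate rules, and flags rules that sit behind an unconditional terminating rule in the same chain and so can never match (the attachment above has both kinds: repeated `--dport 37` and `--dport 111` drops, and `-A INPUT -j devchain` placed after `-A INPUT -j DROP`). The embedded `SAMPLE_DUMP` is a constructed excerpt modelled on that attachment, not the full file; the function and variable names are this example's own.

```python
"""Audit an iptables-save dump for rules that waste linear evaluation time.

Added example for this thread; it is not code from SuSEfirewall2, netfilter
or the list. It parses the iptables-save text format and reports, per
table and chain:
  * the rule count (netfilter walks a chain top to bottom for every packet
    until a rule terminates, so long chains cost CPU on a 200 MHz box),
  * exact duplicate rules (the second copy can never match anything),
  * rules placed after an unconditional terminating rule in the same chain,
    which can never be reached.
SAMPLE_DUMP is a constructed excerpt modelled on the attachment in the
thread, not the full file.
"""
from collections import Counter

# Targets that stop traversal of the current chain for every packet that
# reaches them. LOG, TOS, MASQUERADE and jumps to user chains do not.
TERMINATING_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN"}

SAMPLE_DUMP = """\
# constructed excerpt in iptables-save format
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:devchain - [0:0]
:input_ext - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 10.0.0.41 -i eth0 -j input_ext
-A INPUT -j DROP
-A INPUT -j devchain
-A FORWARD -i eth0 -j forward_ext
-A FORWARD -j DROP
-A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "SuSE-FW-FORWARD-ERROR"
-A input_ext -s 192.168.0.0/255.255.255.0 -j DROP
-A input_ext -s 192.168.1.0/255.255.255.0 -j DROP
-A input_ext -s 192.168.0.0/255.255.255.0 -j DROP
-A input_ext -p udp -m udp --dport 37 -j DROP
-A input_ext -p udp -m udp --dport 37 -j DROP
-A input_ext -j DROP
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {chain: [rule_body, ...]}}, keeping rule order.

    Chain declarations (':NAME POLICY [pkts:bytes]') create the chain so
    that empty chains still show up in the counts.
    """
    tables = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables.setdefault(table, {})
        elif line == "COMMIT":
            table = None
        elif table is None:
            raise ValueError("rule outside of a table block: %r" % line)
        elif line.startswith(":"):
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            _, chain, body = line.split(None, 2)
            tables[table].setdefault(chain, []).append(body)
    return tables


def is_unconditional_terminator(body):
    """True for a rule with no match at all whose target ends the chain, e.g. '-j DROP'."""
    tokens = body.split()
    return len(tokens) >= 2 and tokens[0] == "-j" and tokens[1] in TERMINATING_TARGETS


def audit(tables):
    """Return {'counts': {(table, chain): n}, 'duplicates': [...], 'unreachable': [...]}."""
    counts, duplicates, unreachable = {}, [], []
    for table, chains in tables.items():
        for chain, rules in chains.items():
            counts[(table, chain)] = len(rules)
            for rule, n in Counter(rules).items():
                if n > 1:
                    duplicates.append((table, chain, rule, n))
            for idx, rule in enumerate(rules):
                if is_unconditional_terminator(rule):
                    # Everything after this rule in the same chain is dead.
                    unreachable.extend((table, chain, dead) for dead in rules[idx + 1:])
                    break
    return {"counts": counts, "duplicates": duplicates, "unreachable": unreachable}


def format_report(findings):
    """Render the findings as plain text lines."""
    lines = ["rules per chain:"]
    for (table, chain), n in sorted(findings["counts"].items()):
        lines.append("  %-8s %-12s %d" % (table, chain, n))
    lines.append("duplicate rules:")
    for table, chain, rule, n in findings["duplicates"]:
        lines.append("  %s/%s x%d: -A %s %s" % (table, chain, n, chain, rule))
    lines.append("unreachable rules (behind an unconditional terminator):")
    for table, chain, rule in findings["unreachable"]:
        lines.append("  %s/%s: -A %s %s" % (table, chain, chain, rule))
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(audit(parse_iptables_save(SAMPLE_DUMP)))))
```

Run it against a real `iptables-save` output by replacing `SAMPLE_DUMP` with the file contents. The unreachable check is deliberately conservative: it only treats a rule with no match options and a terminating target as a chain-ender, so it never flags anything that could still see traffic, and it says nothing about the performance of the rules that remain; that still has to be measured on the box.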