Kyle R. Burton on 31 Jan 2011 09:02:17 -0800



Re: [PLUG] iptables question


I've noticed similar behavior; if I add '-n' ('iptables -L -n') I
get the 'instant' behavior again.

I think it has to do with iptables attempting to do reverse lookups
against the IP addresses, or something similar with translating
numeric values into the human-readable equivalents.

HTH,

Kyle

On Mon, Jan 31, 2011 at 11:57 AM, Mike Sheinberg <m.sheiny@gmail.com> wrote:
> Hey potential iptables wranglers,
> *** DISCLAIMER IPTABLES NEWBIE ****
> I'm trying to set up a new firewall config on a web server and was curious
> about something I noticed. Specifically, after I changed the INPUT chain
> policy to default DROP it seems that whenever I do an 'iptables -L' it takes
> a good 30 seconds to dump to output. Previously this only took about 1
> second. Is there something funky in my config that may cause something like
> this?
> Here's my current dump of /etc/sysconfig/iptables:
>
> # Generated by iptables-save v1.3.5 on Mon Jan 31 10:36:35 2011
> *filter
> :INPUT DROP [33:5345]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [129:15384]
> :fail2ban-ApacheAuth - [0:0]
> :fail2ban-ApachePHPbot - [0:0]
> :fail2ban-BadBots - [0:0]
> :fail2ban-SSH - [0:0]
> -A INPUT -s XXXXXXXXXXXXX -j ACCEPT
> -A INPUT -s XXXXXXXXXXX/255.255.255.224 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -j fail2ban-ApacheAuth
> -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-BadBots
> -A INPUT -p tcp -m tcp --dport 80 -j fail2ban-ApachePHPbot
> -A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
> -A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A OUTPUT -d XXXXXXXX/255.255.255.224 -j ACCEPT
> -A fail2ban-ApacheAuth -j RETURN
> -A fail2ban-ApachePHPbot -j RETURN
> -A fail2ban-BadBots -j RETURN
> -A fail2ban-SSH -s XXXXXXXXXX -j DROP
> -A fail2ban-SSH -j RETURN
> COMMIT
> # Completed on Mon Jan 31 10:36:35 2011
>
> A couple of things to point out, I'm using fail2ban so I have some extra
> chains in there that it added. The top two INPUT rules are IPs of the
> servers that need access to everything (that's why they are first). I didn't
> build this config by hand but instead added rules manually in CLI and then
> did 'service iptables save'. Oh yeah... I'm on CentOS 5.5 if it's relevant
> to anyone. The blanked out XXXXs are IP addresses (not hostname).
> I saw similar issues of this in Google but wasn't able to peg down an
> answer.
> Thanks!
> Mike
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
>
>



-- 
Twitter: @kyleburton
Blog: http://asymmetrical-view.com/
Fun: http://snapclean.me/
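A check for the condition Kyle describes, as an added example that is not part of the original thread: it parses an iptables-save dump (a constructed sample mirroring Mike's, with placeholder addresses) and flags an INPUT chain whose policy is DROP with no rule accepting ESTABLISHED/RELATED return traffic, which is what leaves the reverse-DNS replies behind a plain 'iptables -L' unanswered unless the resolver's address happens to be whitelisted. Function and sample names are the example's own.

```python
"""Parse an iptables-save dump and flag the condition behind a slow 'iptables -L'."""
import re

# Constructed sample mirroring the dump quoted in the thread (placeholder addresses).
SAMPLE_DUMP = """\
# Generated by iptables-save v1.3.5
*filter
:INPUT DROP [33:5345]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [129:15384]
:fail2ban-SSH - [0:0]
-A INPUT -s 192.0.2.10 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A fail2ban-SSH -j RETURN
COMMIT
"""

STATE_RE = re.compile(r"--(?:ct)?state\s+([A-Z,]+)")  # matches -m state and -m conntrack

def parse_filter_table(dump):
    """Return (policies, rules) for the *filter table; rules are token lists."""
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        elif line.startswith(":"):
            chain, policy, _counters = line[1:].split(None, 2)
            policies[chain] = policy  # built-in chains carry a policy, user chains "-"
        elif line.startswith("-A "):
            rules.append(line.split())
    return policies, rules

def accepts_established(rules, chain="INPUT"):
    """True if some ACCEPT rule in `chain` matches the ESTABLISHED state."""
    for tokens in rules:
        if tokens[1] != chain or tokens[-1] != "ACCEPT":
            continue
        m = STATE_RE.search(" ".join(tokens))
        if m and "ESTABLISHED" in m.group(1).split(","):
            return True
    return False

def diagnose(dump):
    """Explain why 'iptables -L' (without -n) may stall on this ruleset."""
    policies, rules = parse_filter_table(dump)
    if policies.get("INPUT") == "DROP" and not accepts_established(rules):
        return ("INPUT policy is DROP with no ESTABLISHED/RELATED accept rule: replies to "
                "the reverse-DNS lookups 'iptables -L' makes are dropped unless the resolver "
                "is whitelisted, so each lookup waits for a timeout. Use 'iptables -L -n'.")
    return "Return traffic is accepted; 'iptables -L' should not stall on DNS lookups."
```

Replace SAMPLE_DUMP with the output of 'iptables-save' to run the same check against a live box; the diagnosis covers only the lookup stall, not whether the ruleset is otherwise correct.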