David Coulson on 31 Jan 2011 09:03:24 -0800



Re: [PLUG] iptables question


Mike-

It runs slowly because you are dropping DNS responses. One of the first rules in INPUT should be 'if this is an established or related connection, let it back in'

iptables -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

That will solve your issue, or you can do 'iptables -nL' which disables DNS lookups. Most likely you want to add the state rule, since pretty much any outbound connection won't work.

David
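The check David describes, as an added example that is not part of this thread: a Python script that parses an iptables-save dump in the format Mike posted and flags any chain whose policy is DROP but which has no RELATED,ESTABLISHED accept rule (the reason DNS replies never make it back in). The sample ruleset is constructed here, modelled on Mike's dump with documentation addresses in place of his XXXX'd ones.

```python
import re

# Constructed sample modelled on the iptables-save dump in this thread
# (real addresses replaced with the RFC 5737 documentation range).
SAMPLE = """\
*filter
:INPUT DROP [33:5345]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [129:15384]
:fail2ban-SSH - [0:0]
-A INPUT -s 192.0.2.10 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A fail2ban-SSH -j RETURN
COMMIT
"""

STATE_RE = re.compile(r"--(?:state|ctstate)\s+(\S+)")

def parse_filter_table(dump):
    """Return ({chain: policy}, {chain: [rule, ...]}) for the *filter table."""
    policies, rules, in_filter = {}, {}, False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = (line == "*filter")          # only the filter table matters here
        elif in_filter and line.startswith(":"):
            name, policy = line[1:].split()[:2]     # ":INPUT DROP [33:5345]"
            policies[name], rules[name] = policy, []
        elif in_filter and line.startswith("-A "):
            rules.setdefault(line.split()[1], []).append(line.rstrip())
    return policies, rules

def accepts_established(rule):
    """True if the rule ACCEPTs RELATED,ESTABLISHED via -m state or -m conntrack."""
    m = STATE_RE.search(rule)
    if not m or not rule.endswith("-j ACCEPT"):
        return False
    return {"RELATED", "ESTABLISHED"} <= set(m.group(1).upper().split(","))

def missing_state_rule(dump):
    """Chains with a DROP policy and no RELATED,ESTABLISHED accept: reply
    packets (DNS answers, for instance) fall through to the policy and are dropped."""
    policies, rules = parse_filter_table(dump)
    return sorted(c for c, p in policies.items()
                  if p == "DROP" and not any(accepts_established(r) for r in rules[c]))

def fix_rule(chain):
    """The insert David suggests, placed at position 1 of the offending chain."""
    return f"iptables -I {chain} 1 -m state --state RELATED,ESTABLISHED -j ACCEPT"

if __name__ == "__main__":
    for chain in missing_state_rule(SAMPLE):
        print(f"{chain}: policy DROP without a state rule; run: {fix_rule(chain)}")
```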

On 1/31/2011 11:57 AM, Mike Sheinberg wrote:
Hey potential iptables wranglers,

*** DISCLAIMER IPTABLES NEWBIE ****

I'm trying to set up a new firewall config on a web server and was curious about something I noticed. Specifically, after I changed the INPUT chain policy to default DROP it seems that whenever I do an 'iptables -L' it takes a good 30 seconds to dump to output. Previously this only took about 1 second. Is there something funky in my config that may cause something like this?

Here's my current dump of /etc/sysconfig/iptables:
# Generated by iptables-save v1.3.5 on Mon Jan 31 10:36:35 2011
*filter
:INPUT DROP [33:5345]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [129:15384]
:fail2ban-ApacheAuth - [0:0]
:fail2ban-ApachePHPbot - [0:0]
:fail2ban-BadBots - [0:0]
:fail2ban-SSH - [0:0]
-A INPUT -s XXXXXXXXXXXXX -j ACCEPT 
-A INPUT -s XXXXXXXXXXX/255.255.255.224 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -j fail2ban-ApacheAuth 
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-BadBots 
-A INPUT -p tcp -m tcp --dport 80 -j fail2ban-ApachePHPbot 
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH 
-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A OUTPUT -d XXXXXXXX/255.255.255.224 -j ACCEPT 
-A fail2ban-ApacheAuth -j RETURN 
-A fail2ban-ApachePHPbot -j RETURN 
-A fail2ban-BadBots -j RETURN 
-A fail2ban-SSH -s XXXXXXXXXX -j DROP 
-A fail2ban-SSH -j RETURN 
COMMIT
# Completed on Mon Jan 31 10:36:35 2011

A couple of things to point out: I'm using fail2ban, so I have some extra chains in there that it added. The top two INPUT rules are IPs of the servers that need access to everything (that's why they are first). I didn't build this config by hand but instead added rules manually in the CLI and then did 'service iptables save'. Oh yeah... I'm on CentOS 5.5 if it's relevant to anyone. The blanked out XXXXs are IP addresses (not hostnames).

I saw similar issues to this on Google but wasn't able to peg down an answer.

Thanks!
Mike
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug