  1. #1

    [Debian Testing] Iptables makes system slow

    Hi,

    I configured iptables and I don't dare to make it permanent, because when I activate it my system becomes very slow. For example, when I try to open Dolphin it takes about 30 seconds to appear. The same happens when I try to open Kwrite or a PDF.

    And while you're checking my iptables configuration, could you also give me some feedback about its security or its logic?

    My system: 2.6.32-5-amd64
    KDE 4.4.5
    Debian Testing

    This is my iptables script:
    Code:
    #!/bin/sh
    IPTABLES=/sbin/iptables
    MODPROBE=/sbin/modprobe
    INT_NET=192.168.1.32/28
    
    #####################################################################
    ###   Flush existing rules and set chain policy setting to DROP   ###
    #####################################################################
    echo "[+] Flushing existing iptables rules..."
    $IPTABLES -F
    $IPTABLES -F -t filter
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    ### Load connection-tracking modules
    $MODPROBE ip_conntrack
    
    #######################
    ###   INPUT chain   ###
    #######################
    echo "[+] Setting up INPUT chain..."
    ### State tracking rules
    $IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
    $IPTABLES -A INPUT -m state --state INVALID -j DROP
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ### Anti-spoofing rules
    $IPTABLES -A INPUT ! -s $INT_NET -j LOG --log-prefix "SPOOFED PKT " 
    $IPTABLES -A INPUT ! -s $INT_NET -j DROP
    ### ACCEPT/REJECT rules for allowing connections in
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SSH
    $IPTABLES -A INPUT -p tcp -s $INT_NET --dport 22 --syn -m state --state NEW -j ACCEPT
    # Ping
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Loopback
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
    ### Default INPUT LOG rule
    $IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
    
    ########################
    ###   OUTPUT chain   ###
    ########################
    echo "[+] Setting up OUTPUT chain..."
    ### State tracking rules
    $IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
    $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ### ACCEPT rules for allowing connections out
    # SSH
    $IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
    # Whois
    $IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
    # DNS
    $IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    # HTTP
    $IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
    # HTTPS
    $IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
    # MSN
    $IPTABLES -A OUTPUT -p tcp --dport 1863 --syn -m state --state NEW -j ACCEPT
    # RWhois
    $IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
    # Google Talk
    $IPTABLES -A OUTPUT -p tcp --dport 5222 --syn -m state --state NEW -j ACCEPT
    # KTorrent
    $IPTABLES -A OUTPUT -p tcp --dport 6881 --syn -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -p udp --dport 4444 -m state --state NEW -j ACCEPT
    # Teamspeak Voice 
    $IPTABLES -A OUTPUT -p udp --dport 9987 -m state --state NEW -j ACCEPT
    # Teamspeak Filetransfer
    $IPTABLES -A OUTPUT -p tcp --dport 30033 --syn -m state --state NEW -j ACCEPT
    # Teamspeak Serverquery
    $IPTABLES -A OUTPUT -p tcp --dport 10011 --syn -m state --state NEW -j ACCEPT
    # Ping
    $IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    ### Default OUTPUT LOG rule
    $IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
    
    #########################
    ###   FORWARD chain   ###
    #########################
    echo "[+] Setting up FORWARD chain..."
    ### State tracking rules
    $IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
    $IPTABLES -A FORWARD -m state --state INVALID -j DROP
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ### Anti-spoofing rules
    $IPTABLES -A FORWARD ! -s $INT_NET -j LOG --log-prefix "SPOOFED PKT "
    $IPTABLES -A FORWARD ! -s $INT_NET -j DROP
    ### Default FORWARD LOG rule
    $IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
    
    ######################
    ###   Forwarding   ###
    ######################
    echo "[+] Enabling IP forwarding..."
    echo 1 > /proc/sys/net/ipv4/ip_forward

  2. #2
    RDU
    You missed the line:
    iptables -A OUTPUT -o lo -j ACCEPT

    Also, the two ACCEPT rules for interface 'lo' (in the OUTPUT and INPUT chains) have to be the first rule of their chain, for best performance and to be sure they aren't masked by another rule.

  3. #3
    Quote Originally Posted by RDU
    You missed the line:
    iptables -A OUTPUT -o lo -j ACCEPT

    Also, the two ACCEPT rules for interface 'lo' (in the OUTPUT and INPUT chains) have to be the first rule of their chain, for best performance and to be sure they aren't masked by another rule.

    Why would I want a rule that allows the local loopback interface outbound towards the global internet? I commented those 'lo' lines out completely before, but that didn't have any effect: the system still slows down after I enable my tables. So I don't think it has anything to do with that, unless you can back it up a bit? Tomorrow I'll check 'dmesg' thoroughly again.

  4. #4
    Nobody else?

  5. #5
    RDU
    The lo output is not only for going to the internet: you can also have network communication between two local processes, e.g. 127.0.0.1 -> 127.0.0.1, so it needs to be accepted in both the OUTPUT and INPUT chain on the lo interface.

    To test whether something is blocked, add a LOG rule for EVERYTHING (including lo) at the end of each chain (IN, OUT, FWD), then check the log.

  6. #6
    RDU
    Also, did you check that your name resolution is working well and fast while your script is active?

  7. #7
    It was indeed a loopback issue: in my anti-spoofing rules I rejected all traffic that wasn't from my network (192.168.1.32/28), and that includes the loopback addresses. I moved the loopback rules all the way up, and now it works perfectly! Thanks!

    Code:
    #!/bin/sh
    IPTABLES=/sbin/iptables
    MODPROBE=/sbin/modprobe
    INT_NET=192.168.1.32/28
    LO=127.0.0.0/8
    
    #####################################################################
    ###   Flush existing rules and set chain policy setting to DROP   ###
    #####################################################################
    echo "[+] Flushing existing iptables rules..."
    $IPTABLES -F
    $IPTABLES -F -t filter
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    ### Load connection-tracking modules
    $MODPROBE ip_conntrack
    
    #######################
    ###   INPUT chain   ###
    #######################
    echo "[+] Setting up INPUT chain..."
    ### State tracking rules
    $IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
    $IPTABLES -A INPUT -m state --state INVALID -j DROP
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ### Loopback rules (kept ahead of the anti-spoofing rules: 127.0.0.0/8 is not in INT_NET)
    $IPTABLES -A INPUT -i lo -s $LO -d $LO -m state --state NEW -j ACCEPT
    # Reject anything addressed to 127.0.0.0/8 that did not arrive on lo, whatever its source
    $IPTABLES -A INPUT ! -i lo -d $LO -j REJECT
    ### Anti-spoofing rules
    $IPTABLES -A INPUT ! -s $INT_NET -j LOG --log-prefix "SPOOFED PKT "
    $IPTABLES -A INPUT ! -s $INT_NET -j DROP
    ### ACCEPT rules for allowing connections in
    # SSH: drop a new connection from a source already seen in the last 15 seconds;
    # otherwise accept it and record the source (--set), without which the --update rule never matches
    $IPTABLES -A INPUT -p tcp -s $INT_NET --dport 22 --syn -m state --state NEW -m recent --update --seconds 15 -j DROP
    $IPTABLES -A INPUT -p tcp -s $INT_NET --dport 22 --syn -m state --state NEW -m recent --set -j ACCEPT
    # Ping
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    ### Default INPUT LOG rule
    $IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
    
    ########################
    ###   OUTPUT chain   ###
    ########################
    echo "[+] Setting up OUTPUT chain..."
    ### State tracking rules
    $IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
    $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ### ACCEPT rules for allowing connections out
    # Loopback
    $IPTABLES -A OUTPUT -o lo -s $LO -d $LO -m state --state NEW -j ACCEPT
    # SSH
    $IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
    # Whois
    $IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
    # DNS
    $IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    # HTTP
    $IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
    # HTTPS
    $IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
    # MSN
    $IPTABLES -A OUTPUT -p tcp --dport 1863 --syn -m state --state NEW -j ACCEPT
    # RWhois
    $IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
    # Google Talk
    $IPTABLES -A OUTPUT -p tcp --dport 5222 --syn -m state --state NEW -j ACCEPT
    # KTorrent
    $IPTABLES -A OUTPUT -p tcp --dport 6881 --syn -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -p udp --dport 4444 -m state --state NEW -j ACCEPT
    # Teamspeak Voice 
    $IPTABLES -A OUTPUT -p udp --dport 9987 -m state --state NEW -j ACCEPT
    # Teamspeak Filetransfer
    $IPTABLES -A OUTPUT -p tcp --dport 30033 --syn -m state --state NEW -j ACCEPT
    # Teamspeak Serverquery
    $IPTABLES -A OUTPUT -p tcp --dport 10011 --syn -m state --state NEW -j ACCEPT
    # Ping
    $IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    ### Default OUTPUT LOG rule
    $IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
    
    #########################
    ###   FORWARD chain   ###
    #########################
    echo "[+] Setting up FORWARD chain..."
    ### State tracking rules
    $IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
    $IPTABLES -A FORWARD -m state --state INVALID -j DROP
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ### Anti-spoofing rules
    $IPTABLES -A FORWARD ! -s $INT_NET -j LOG --log-prefix "SPOOFED PKT "
    $IPTABLES -A FORWARD ! -s $INT_NET -j DROP
    ### Default FORWARD LOG rule
    $IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

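Added example (my code, not the thread's): RDU's catch-all LOG rules from post #5 as a function, plus a summariser for the kernel log lines they produce, run over constructed sample lines modelled on what the first script logs for loopback traffic (the cause found in post #7). The function names and the sample log are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a catch-all LOG rule per chain, as RDU
# suggests, plus an awk summariser for the kernel log lines it produces.
# Function names and the SAMPLE_LOG lines are constructed for this demo.
IPTABLES=${IPTABLES:-/sbin/iptables}

# Append a LOG rule matching everything (loopback included) at the end of each
# chain. Run as root with the firewall active; the rules are for diagnosis only,
# so delete them (iptables -D ...) once the blocked flow has been found.
add_debug_log_rules() {
    for chain in INPUT OUTPUT FORWARD; do
        $IPTABLES -A "$chain" -j LOG --log-prefix "DEBUG $chain " --log-level 7
    done
}

# Read LOG output (dmesg or /var/log/kern.log) on stdin; count packets per
# prefix, interfaces, addresses, protocol and destination port, most frequent
# first. Output is tab separated: count, prefix, IN=, OUT=, SRC->DST, PROTO, DPT=.
summarize_fw_log() {
    awk '
    / IN=/ && /(DROP|SPOOFED|DEBUG)/ {
        pfx = $0
        sub(/ IN=.*$/, "", pfx)            # keep only what precedes the first field
        sub(/^.*kernel: /, "", pfx)        # drop the syslog header, if present
        sub(/^\[ *[0-9.]*] */, "", pfx)    # drop the "[ 901.10] " uptime stamp
        split("", f); f["IN"] = f["OUT"] = f["SRC"] = f["DST"] = f["PROTO"] = f["DPT"] = "-"
        for (i = 1; i <= NF; i++) {
            p = index($i, "=")             # flags such as DF or SYN have no "="
            if (p > 1 && substr($i, p + 1) != "") f[substr($i, 1, p - 1)] = substr($i, p + 1)
        }
        n[pfx "\tIN=" f["IN"] "\tOUT=" f["OUT"] "\t" f["SRC"] "->" f["DST"] "\t" f["PROTO"] "\tDPT=" f["DPT"]]++
    }
    END { for (k in n) printf "%d\t%s\n", n[k], k }' | sort -rn
}

# Most frequently blocked flow: the first thing to look at when a desktop stalls.
top_blocked() { summarize_fw_log | head -n 1; }

# Constructed sample: what the poster's first INPUT chain logs while a KDE
# application talks to a local service over lo (127.0.0.1 is not in INT_NET, so
# the anti-spoofing rule logs and drops it), plus two unrelated drops.
SAMPLE_LOG='Aug 20 10:01:02 deb kernel: [ 901.10] SPOOFED PKT IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40000 DPT=631 WINDOW=32792 RES=0x00 SYN URGP=0
Aug 20 10:01:02 deb kernel: [ 901.11] SPOOFED PKT IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40001 DPT=631 WINDOW=32792 RES=0x00 SYN URGP=0
Aug 20 10:01:05 deb kernel: [ 904.20] DROP IN=eth0 OUT= SRC=192.168.1.40 DST=192.168.1.47 LEN=229 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=209
Aug 20 10:01:07 deb kernel: [ 906.30] DROP IN= OUT=eth0 SRC=192.168.1.35 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33000 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0'

[ "${1:-}" = "demo" ] && printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log
```

Run it with `sh file.sh demo`, or pipe `dmesg` into summarize_fw_log on the real box. Note that the poster's default LOG rules exclude lo (`! -i lo`), so packets dropped on loopback only show up once a catch-all rule such as add_debug_log_rules is in place.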