LinuxQuestions.org


haxpak 01-17-2009 11:57 AM

iptables configuration help!!!! slows system startup
 
I am running fc-9.0 x86_64.
I have Squid 2.5 stable 3 running on my system.
I have provided the following configuration for iptables 1.4:

Code:

#!/bin/sh

IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
INT_NET=10.168.1.0/24

### flush existing rules and set chain policy setting to DROP

echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

### load connection-tracking modules

$MODPROBE ip_conntrack
$MODPROBE iptable_nat
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp

###### INPUT chain ######

echo "[+] Setting up INPUT chain..."

### state tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
#$IPTABLES -A INPUT -i eth0 ! -s $INT_NET -p tcp --syn -m state --state NEW -j LOG --log-prefix "INTRUSION"
#$IPTABLES -A INPUT -i eth0 ! -s $INT_NET -p tcp --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### anti-spoofing rules
### (negation is written before the option, "! -s NET"; the older "-s ! NET"
### form is deprecated in iptables 1.4 and rejected by later releases)

$IPTABLES -A INPUT -i eth1 ! -s $INT_NET -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A INPUT -i eth1 ! -s $INT_NET -j DROP

### ACCEPT rules

$IPTABLES -A INPUT -i eth1 -p tcp -s $INT_NET --dport 8080 -j ACCEPT # 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p tcp -s $INT_NET --dport 80 -j ACCEPT

$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
### default INPUT LOG rule (everything not accepted above is logged, then
### dropped by the chain policy)
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### OUTPUT chain ######
echo "[+] Setting up OUTPUT chain..."
### state tracking rules

$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for allowing connections out

$IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

### default OUTPUT LOG rule

$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

Then, after running this script,
I did
Code:

service iptables save
Whenever I restart my system,

NFS statd fails to start.

Also my system responds very slowly
and Squid doesn't respond.


Is it because modprobe is being initialized in the script? But I did not find any similar lines in iptables.conf.

What is modprobe and what is it doing to my system?
I am a noob, so I do not know which files to look in to identify the problems.

Any kind of help is very welcome.
Please help me.
I am stuck with an awfully slow computer now.

"for now i have turned off iptables"

haxpak 01-17-2009 06:49 PM

Please, anyone, please help me with this one!

Samotnik 01-18-2009 05:38 AM

Where did you find this config? And why do you think it's suitable for you?
This config will drop all the connections on localhost (they are needed for any system), and I don't see any rule to allow squid packets to pass.
You should carefully read man iptables and write your own rules.
I don't know the configuration of your system, so I can't help you. But you should at least open all connections on the lo interface, and connections to your squid ports from anyone who is allowed to.

haxpak 02-16-2009 08:55 AM

The config was found by me in a book, "No.Starch.Press.Linux.Firewalls".

I think it is suitable for me because
I have to design a firewall for my project which provides conditional access and provides an intrusion detection capability.

I want to allow only the proxy port to the internal network,
so dropping all packets except --dport 8080.

8080 is my Squid port.

Squid is working fine with the above config,
but
the only problem is with GNOME.

How do I allow all access to lo?
Will the following do?
Code:

$IPTABLES -I INPUT -s lo -j ACCEPT


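An added example, not from either poster or from the book they cite: a small POSIX shell checker that tests an iptables script for the three things this thread turns on, namely the missing loopback ACCEPT rules that Samotnik describes (both INPUT and OUTPUT have a DROP policy, so local services such as statd and the desktop lose their own traffic), the `-s lo` line proposed in the last post (`-s` matches a source address; an interface is selected with `-i` or `-o`), and the older `-s ! NET` negation form that iptables 1.4 only warns about. It then writes a corrected copy. The sample rules, file names and function names are constructed for the example; nothing here touches a live firewall.

```shell
#!/bin/sh
# Added example: lint an iptables shell script for loopback and syntax
# mistakes, then write a corrected copy. All names and sample data are
# constructed for this example, not taken from the thread's script verbatim.
LC_ALL=C; export LC_ALL

# Constructed sample: a cut-down version of the posted script plus the
# "-s lo" line from the last post.
SAMPLE_RULES='$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i eth1 -s ! $INT_NET -j DROP
$IPTABLES -A INPUT -i eth1 -p tcp -s $INT_NET --dport 8080 -j ACCEPT
$IPTABLES -A INPUT -i ! lo -j LOG --log-prefix "DROP "
$IPTABLES -A OUTPUT -o ! lo -j LOG --log-prefix "DROP "
$IPTABLES -I INPUT -s lo -j ACCEPT'

# lint_rules FILE: print one line per finding; prints nothing for a clean file.
lint_rules() {
    f="$1"
    # "-s ! NET" style negation: deprecated in 1.4, an error in later releases
    if grep -Eq -- ' -[a-z-]+ ! ' "$f"; then
        echo "deprecated negation: write '! -s NET', not '-s ! NET'"
    fi
    # an interface name handed to the address match
    if grep -Eq -- ' -[sd] lo( |$)' "$f"; then
        echo "'-s lo' is an address match; select the interface with '-i lo'"
    fi
    # DROP policy with no rule accepting loopback traffic, per chain
    if grep -q -- '-P INPUT DROP' "$f" &&
       ! grep -Eq -- '-[AI] INPUT .*-i lo .*-j ACCEPT' "$f"; then
        echo "INPUT policy is DROP but no rule accepts '-i lo' traffic"
    fi
    if grep -q -- '-P OUTPUT DROP' "$f" &&
       ! grep -Eq -- '-[AI] OUTPUT .*-o lo .*-j ACCEPT' "$f"; then
        echo "OUTPUT policy is DROP but no rule accepts '-o lo' traffic"
    fi
}

# count_findings FILE: number of lint findings as a plain integer.
count_findings() {
    lint_rules "$1" | wc -l | tr -d ' '
}

# fix_rules IN OUT: rewrite IN into OUT with the negation moved in front of
# the option, "-s lo" turned into "-i lo", and a loopback ACCEPT rule placed
# right after each DROP policy line that still lacks one.
fix_rules() {
    in="$1"; out="$2"
    sed -E -e 's/ (-[a-z-]+) ! / ! \1 /g' \
           -e 's/ -[sd] lo( |$)/ -i lo\1/g' "$in" > "$out"
    if ! grep -Eq -- '-[AI] INPUT .*-i lo .*-j ACCEPT' "$out"; then
        awk '{ print } /-P INPUT DROP/ { print "$IPTABLES -A INPUT -i lo -j ACCEPT" }' \
            "$out" > "$out.tmp" && mv "$out.tmp" "$out"
    fi
    if ! grep -Eq -- '-[AI] OUTPUT .*-o lo .*-j ACCEPT' "$out"; then
        awk '{ print } /-P OUTPUT DROP/ { print "$IPTABLES -A OUTPUT -o lo -j ACCEPT" }' \
            "$out" > "$out.tmp" && mv "$out.tmp" "$out"
    fi
}

# usage: lint the constructed sample, write a fixed copy, lint it again
WORK=$(mktemp -d)
printf '%s\n' "$SAMPLE_RULES" > "$WORK/rules.sh"

echo "findings before fix: $(count_findings "$WORK/rules.sh")"
lint_rules "$WORK/rules.sh"
fix_rules "$WORK/rules.sh" "$WORK/rules-fixed.sh"
echo "findings after fix: $(count_findings "$WORK/rules-fixed.sh")"
cat "$WORK/rules-fixed.sh"
```

Run it against a copy of the real script before loading anything with `service iptables`; the corrected copy keeps every original rule and only adds `-A INPUT -i lo -j ACCEPT` and `-A OUTPUT -o lo -j ACCEPT` directly after the policy lines, which is the minimal change that lets localhost services and the desktop talk to each other again while the rest of the DROP policy stays in force.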