iptables -L -v and route lag

tgo · 07-24-2006, 12:04 AM

This is something strange I am noticing on both machines i am running iptables on.

One of them doesnt do this often, but one does almost everytime. Whenever I type 'iptables -L -v' or route it seems like it stalls trying to gather the info. It takes almost 20 or 30 seconds before it prints them all out. I only have like 10 iptables rules and 3 or 4 route statements. Also I run top in another ssh session and memory usage in very low and uptime shows 0.00 across the board.

Any idea why they would struggle so much to give me output?

dalek · 07-24-2006, 12:47 AM

This may help you see it is not just you:

Quote:

root@smoker / # time iptables -L -v
Chain INPUT (policy ACCEPT 30M packets, 48G bytes)
pkts bytes target prot opt in out source destination
1918 115K ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
4676 413K ACCEPT udp -- any any 192.168.100.0/24 anywhere udp dpt:netbios-ns
0 0 ACCEPT tcp -- any any 192.168.100.0/24 anywhere tcp dpt:netbios-ns
3298K 3413M ACCEPT tcp -- any any 192.168.100.0/24 anywhere tcp dpt:netbios-ssn
0 0 ACCEPT udp -- any any 192.168.100.0/24 anywhere udp dpt:netbios-ssn
0 0 ACCEPT tcp -- any any 192.168.100.0/24 anywhere tcp dpt:netbios-dgm
8110 1939K ACCEPT udp -- any any 192.168.100.0/24 anywhere udp dpt:netbios-dgm
26688 23M ACCEPT tcp -- any any 192.168.100.0/24 anywhere tcp dpt:microsoft-ds
0 0 ACCEPT udp -- any any 192.168.100.0/24 anywhere udp dpt:microsoft-ds
1330 349K DROP all -- eth0 any anywhere anywhere state INVALID,NEW

Chain FORWARD (policy ACCEPT 1028K packets, 906M bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth0 any anywhere anywhere state INVALID,NEW

Chain OUTPUT (policy ACCEPT 32M packets, 30G bytes)
pkts bytes target prot opt in out source destination

real 4m42.376s
user 0m0.128s
sys 0m0.012s
root@smoker / #

That took mine almost 5 minutes to run the exact command you gave. From my understanding it is the way it runs the command. It actually looks to find which ones are open instead of just seeing which ones are supposed to be open. In other words, it tests each port instead of just reading some config file. That is how I understood it when I read it somewhere a few weeks ago.

Hope that helps.

rhoekstra · 07-24-2006, 12:54 AM

Try the -n option for both iptables and route. My (fairly certain) guess is that it is looking up hostnames for the IPs, and if it cannot find the hostname, it stalls..

try 'iptables -L -nv' and 'route -n'. It disables name lookups.

archtoad6 · 07-24-2006, 06:51 AM

I agree that the extra time is taken to look up the host names.

I tried the same test on my firewall; & while it was much faster than yours, 5 sec. vs. 5 min., it was also even faster using the -n option: "0m0.088s". The firewall box is an only slightly tweaked SmoothWall Express 2, & has 115 rules which generate 131 lines of -L output.

BTW, the 1st tweak to my "Smoothie" was to put all the hosts on my LAN in its /etc/hosts file. Because SmoothWall Express uses dnsmasq, this results in those associations being part of the (local) DNS for the entire LAN. In other words, the Smoothie's /etc/hosts file becomes the master hosts file for the whole network. So iptables & route run relatively quickly.

Do you have "fixed" (either true static or statically assigned through DHCP) IP's on your LAN? If so, try putting those assignments in the /etc/hosts file of the box that is always slow to return output. If you like the result, then look at the various strategies to do it LAN-wide.

tgo · 07-24-2006, 07:12 PM

The -n option helped alot. Also I had been lazy before and had dns pointed to one of my isp dns servers and last night I set up bind to server internal hosts.

Thanks for your replies.