iptables slowing things down

treebug · 11-27-2007, 09:59 AM

When I try to ssh into my machine running iptables, I get the login prompt and type in the username. It takes about 17 seconds for the password prompt to come up when I have iptables on.

Also, if I do an iptables -L it takes about 30 seconds to display the list.
Do I have something misconfigured?

/sbin/iptables -F
/sbin/iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s x.x.x.3 -p udp -j ACCEPT
/sbin/iptables -A INPUT -s x.x.x.4 -p udp -j ACCEPT
/sbin/iptables -A INPUT -s x.x.x.1 -p udp --dport 123 -j ACCEPT
/sbin/iptables -A INPUT -s x.x.x.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -j DROP

Thanks.

win32sux · 11-27-2007, 11:50 AM

Does the SSH work fine if you set policies to ACCEPT and flush?

BTW, sticking a LOG rule above that DROP should give you the necessary insight.

treebug · 11-27-2007, 03:03 PM

It logs in fine when I flush the rules. I also moved the ssh rule to the top. This didn't change anything. I set the last rule as -j ACCEPT instead of DROP and it gives me the password prompt right away.

win32sux · 11-27-2007, 04:33 PM

Quote:

Originally Posted by treebug

I set the last rule as -j ACCEPT instead of DROP and it gives me the password prompt right away.

That's great, because it means for sure its the firewall rules.

Maybe post what you get in the log file when you try to connect?

Code:

/sbin/iptables -F
/sbin/iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s x.x.x.3 -p udp -j ACCEPT
/sbin/iptables -A INPUT -s x.x.x.4 -p udp -j ACCEPT
/sbin/iptables -A INPUT -s x.x.x.1 -p udp --dport 123 -j ACCEPT
/sbin/iptables -A INPUT -s x.x.x.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -j LOG --log-prefix "INPUT DROP: "
/sbin/iptables -A INPUT -j DROP

treebug · 11-28-2007, 02:15 PM

I only see a lot of dropped broadcasted traffic.

nx5000 · 11-28-2007, 02:23 PM

Maybe dns blocked and the server is asking for the name of the client?
Which would also explain why iptables -L is slow.
iptables -nL is also slow?

treebug · 11-29-2007, 02:38 PM

THATS IT!
iptables -nL works geat!

nx5000 · 11-29-2007, 03:13 PM

90% of the time when something takes very long to connect you (ftp, ssh,..) and then finally works, it's a DNS problem.

win32sux · 11-30-2007, 07:41 AM

Yup. That's true. BTW, I think I might have spotted the problem:

Quote:

/sbin/iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT

Notice how it only matches against TCP packets. That would mean the returning UDP packets for the DNS lookups wouldn't get sent to ACCEPT by it. Your box may be doing TCP-fallback after a while when it realizes UDP didn't work, I don't know. You also are missing a rule for the loopback interface, which although likely not related to your current issue is still a pretty standard rule to have. Try this:

Code:

/sbin/iptables -F
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -s x.x.x.3 -p udp -j ACCEPT
/sbin/iptables -A INPUT -s x.x.x.4 -p udp -j ACCEPT
/sbin/iptables -A INPUT -s x.x.x.1 -p udp --dport 123 -j ACCEPT
/sbin/iptables -A INPUT -s x.x.x.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -j DROP