Linux - Newbie: This Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Problem: When hitting the HTTPS web server, response time slows and it takes 2-3 minutes per page to load; eventually the transactions time out on the third page. This only happens with IPTables filtering. Response times to the HTTP web servers are quick and as expected.
My current set up is simple: I have ALL ports (both tcp and udp) open for each of the servers' IP addresses. I know I need additional configuration, but don't want to complicate the issue until I clear up the slow HTTPS problem. Also, these PCs are on a secured network but not part of our Active Directory or the fortress. They do not need to communicate with our DNS or Proxy servers.
# Default policies: drop anything not explicitly accepted below
iptables -P INPUT DROP
iptables -P FORWARD DROP
# WEB SERVER 1
iptables -A INPUT -s 1.1.1.1 -p tcp --dport 0:65535 -j ACCEPT
iptables -A INPUT -s 1.1.1.1 -p udp --dport 0:65535 -j ACCEPT
# WEB SERVER 2
iptables -A INPUT -s 1.2.2.2 -p tcp --dport 0:65535 -j ACCEPT
iptables -A INPUT -s 1.2.2.2 -p udp --dport 0:65535 -j ACCEPT
# SECURE WEB SERVER 2
iptables -A INPUT -s 1.3.3.3 -p tcp --dport 0:65535 -j ACCEPT
iptables -A INPUT -s 1.3.3.3 -p udp --dport 0:65535 -j ACCEPT
# FTP SERVER (for remote management)
iptables -A INPUT -s 1.4.4.4 -p tcp --dport 0:65535 -j ACCEPT
iptables -A INPUT -j DROP
This is a stripped down version of Debian with IPTables (no nat, mangle or raw filtering) on a HP Thin Client PC. I'm trying to restrict the access in and out of the box as it is to be used for internet based credit card transactions in a public area.
With IPTables not filtering I can access the three web servers without a problem. The first secure page the system hits takes about 20 seconds to load and then the rest of the secure pages load quickly. The OS has SSL 3.0 and TLS 1.0. The secure transactions are using SSL.
What am I missing? Why does this work with IPTables off and work slow with it on?
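An added diagnostic example, not something posted in the thread: when a LOG rule sits directly in front of the final DROP, the kernel log records every packet the filter discarded, and summarising those lines shows which hosts and ports a slow HTTPS session is trying to use that the ruleset does not cover. The script assumes the LOG rule uses a prefix beginning with `FW-DROP`; the sample log lines are constructed in the standard netfilter LOG format with documentation addresses, not captured from the poster's system.

```shell
#!/bin/sh
# Added example for the thread, not from the poster's system: summarise the
# kernel LOG lines that an iptables rule such as
#     iptables -A INPUT -j LOG --log-prefix "FW-DROP: "
# writes when placed directly before a final DROP (same idea for OUTPUT).
# The sample lines below are constructed in the netfilter LOG format using
# documentation addresses; they are not real captures.

SAMPLE_LOG='Mar  3 14:02:11 thinclient kernel: FW-DROP: IN=eth0 OUT= MAC=00:16:35:aa:bb:cc:00:1a:2b:cc:dd:ee:08:00 SRC=198.51.100.7 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=80 DPT=40211 WINDOW=29200 RES=0x00 ACK SYN URGP=0
Mar  3 14:02:12 thinclient kernel: FW-DROP: IN=eth0 OUT= MAC=00:16:35:aa:bb:cc:00:1a:2b:cc:dd:ee:08:00 SRC=198.51.100.7 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=80 DPT=40211 WINDOW=29200 RES=0x00 ACK SYN URGP=0
Mar  3 14:02:15 thinclient kernel: FW-DROP: IN=eth0 OUT= MAC=00:16:35:aa:bb:cc:00:1a:2b:cc:dd:ee:08:00 SRC=203.0.113.53 DST=192.0.2.20 LEN=128 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=UDP SPT=53 DPT=33001 LEN=108
Mar  3 14:02:18 thinclient kernel: FW-DROP: IN= OUT=eth0 SRC=192.0.2.20 DST=203.0.113.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3311 DF PROTO=TCP SPT=40212 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 14:02:20 thinclient kernel: eth0: link is up'

# For each logged drop print its direction, protocol and the far end
# (source:sport for inbound, destination:dport for outbound), then count
# distinct flows, most frequent first. Reads a kernel log on stdin.
summarize_drops() {
    grep 'FW-DROP' |
    awk '{
        split("", f)
        # Collect every KEY=VALUE token of the line; flag tokens such as
        # DF, SYN and ACK carry no "=" and are skipped.
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0) f[substr($i, 1, n - 1)] = substr($i, n + 1)
        }
        if (f["IN"] != "")
            printf "inbound %s %s:%s\n", f["PROTO"], f["SRC"], f["SPT"]
        else
            printf "outbound %s %s:%s\n", f["PROTO"], f["DST"], f["DPT"]
    }' |
    sort | uniq -c | sort -rn
}

# Usage: ./drops.sh                    run on the constructed samples
#        ./drops.sh /var/log/kern.log  run on a real kernel log (path varies by distro)
if [ -n "${1:-}" ]; then
    summarize_drops < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops
fi
```

On the samples the output lists the inbound replies from 198.51.100.7:80 twice, one inbound DNS answer from 203.0.113.53:53 and one outbound attempt to 203.0.113.80:443; on a real box, any far end in that list that is not one of the three web servers is a connection the ruleset silently kills, and a TLS handshake that waits on it is exactly the kind of multi-second stall described in the post.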
I can say that a correctly configured IP Tables should have virtually no impact on performance, or negligible. You're more likely to fill up your bandwidth capacity before IP Tables becomes a bottleneck. I run it on very old hardware purchased in the 1990s and am very happy.
That said, I highly recommend a tool called Firewall Builder (http://www.fwbuilder.org/). It is a GUI tool that makes it easy. Define all your networks, nodes, etc, in it. Then, it generates a script you run to update IP tables.
Don't forget to include all local communications. I'd guess from your limited script that you are not including the normal internal communications that need to be permitted, including outgoing communication from your web server for things like DNS lookups.
I'd give you more details or examples, but don't have access to my configuration at the moment.
Thanks for the suggestions and I agree that a correctly configured firewall should not be affecting this.
My concern is how the HTTPS transactions are handled and if the transactions could be being routed differently, meaning I need more entries. Do you think adding the NAT piece of IPTables could correct this? I.e., allowing ESTABLISHED and RELATED transactions, or is that not an issue because I've opened up the IP address for all communications?
In testing, I've added our DNS and Proxy server addresses. No change. I contacted the third network and added everything they thought might help (DNS, Proxy and two other servers for outside connections for recursion and non-recursion enabled access control). No change.
Yes, try enabling NAT. That was one lesson I had when I had a similar problem to yours. Basically, I always thought of NAT as routing incoming traffic through a public IP to a private one, which is one use of it. But, with iptables, it also serves to handle outgoing traffic. Unless your web server is using a different gateway, you'll probably need NAT enabled and configured for this to happen.
The resulting rules that are generated in my case are many and complex, most beyond my understanding. Viewing with webmin, I can say that the first line appears to be:
Accept If state of connection is RELATED,ESTABLISHED
which is designed to support tcp/ip state.
Is your firewall just running on the web server? Does the computer it is on have public/WAN IPs, or is it completely private (with the exception that maybe you are NAT'ing from public to private on another firewall?)
In my case, my web servers are completely inside, with no public IP assigned to them. Public traffic gets to them via NAT, so the firewall on the web servers themselves doesn't have to worry about a WAN (Internet) interface. If this is the case, then I can say I only modified the original default CentOS/RH firewall via webmin, basically just inserting ACCEPT entries to open ports.
Looking at webmin, there is one chain it runs for all INPUT and FORWARD packets. In this chain, it accepts if interface is lo, connection is ESTABLISHED,RELATED, and if the ports match (ports you want opened). Lastly, it always rejects anything that didn't match.
Running iptables -L, I can say that it does not contain any IP addresses because it is only applied to the current box and not used as a gateway or router.
In contrast, the one I manage with Firewall Builder does act as a gateway and router, and it is loaded with IP addresses and subnets and many chains and rules. But, in Firewall Builder, it is interestingly simple.
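An added example, not the poster's script and not anything generated by Firewall Builder or webmin: a host-only ruleset in the shape the reply above describes and that the original rules lack, with loopback and ESTABLISHED,RELATED accepted first, then only the connections this client opens to the named servers, then a rate-limited LOG before the final DROP. The server addresses are the placeholders from the first post; the DNS resolver address is an assumed placeholder, and the per-server `--dport 0:65535` rules are narrowed to the ports the thread mentions (80, 443 and FTP control). The ESTABLISHED,RELATED match lives in the filter table and needs connection tracking, not the nat table, so a box that only filters its own traffic does not need NAT for it to work.

```shell
#!/bin/sh
# Added example for the thread, not the poster's script and not generated by
# Firewall Builder or webmin. A host-only stateful ruleset: loopback and
# ESTABLISHED,RELATED are accepted first, then only the connections this
# client initiates to the named servers, then everything else is logged and
# dropped. Server addresses are the placeholders from the first post; the DNS
# resolver address is an assumed placeholder.

WEB_SERVERS="1.1.1.1 1.2.2.2"    # HTTP servers (from the thread)
SECURE_WEB_SERVERS="1.3.3.3"     # HTTPS server (from the thread)
FTP_SERVER="1.4.4.4"             # FTP server used for remote management (from the thread)
DNS_SERVERS="192.0.2.53"         # assumed placeholder: replace with the real resolver

# Print the iptables commands instead of executing them, so the ruleset can be
# reviewed, or diffed against `iptables-save`, before it is loaded.
build_rules() {
    cat <<'EOF'
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
EOF
    # Only NEW connections that this host opens are listed; the replies come
    # back through the ESTABLISHED,RELATED rules above, so no per-server INPUT
    # rule with --dport 0:65535 is needed.
    for s in $WEB_SERVERS; do
        echo "iptables -A OUTPUT -d $s -p tcp --dport 80 -m state --state NEW -j ACCEPT"
    done
    for s in $SECURE_WEB_SERVERS; do
        echo "iptables -A OUTPUT -d $s -p tcp --dport 443 -m state --state NEW -j ACCEPT"
    done
    # FTP control channel; passive data channels are classified RELATED once
    # the ftp conntrack helper is loaded (nf_conntrack_ftp; ip_conntrack_ftp
    # on old kernels).
    echo "iptables -A OUTPUT -d $FTP_SERVER -p tcp --dport 21 -m state --state NEW -j ACCEPT"
    for d in $DNS_SERVERS; do
        echo "iptables -A OUTPUT -d $d -p udp --dport 53 -m state --state NEW -j ACCEPT"
    done
    # Rate-limited logging right before the final DROP: anything the browser
    # tries to reach that is not in the lists above shows up in the kernel
    # log with these prefixes, which is the quickest way to find a missing rule.
    cat <<'EOF'
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-IN: "
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-OUT: "
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
EOF
}

# Load the generated rules; refuses to run unless root.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must be run as root" >&2
        return 1
    fi
    build_rules | sh -e
}

# Usage: ./stateful-fw.sh          prints the ruleset for review
#        ./stateful-fw.sh --apply  loads it (run as root)
if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    build_rules
fi
```

Because OUTPUT is also default-deny here, a first HTTPS page that stalls while the filter is on will leave `FW-DROP-OUT` entries in the kernel log naming the host and port it was waiting for; adding that host as another OUTPUT rule, or deciding it should stay blocked, is then an informed choice rather than a guess.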