LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 09-15-2011, 03:57 PM   #1
CordellStewart
LQ Newbie
 
Registered: Sep 2011
Posts: 3

Rep: Reputation: Disabled
HTTPS Slow after installing IPTables


Hi guys,

Problem: When hitting the HTTPS web server response time slows and it takes 2-3 minutes per page to load and eventually the transactions time out on the third page. This only happens with IPTables filtering. Response time to the HTTP web servers are quick and as expected.

My current set up is simple, I have ALL ports (both tcp and udp) open for each of the server’s IP address. I know I need additional configuration, but don’t want to complicate the issue until I clear up the slow HTTPS problem. Also, these PCs are on a secured network but not part of our Active Directory or the fortress. They do not need to communicate with our DNS or Proxy servers.

iptables -A INPUT DROP
iptables -A FORWARD DROP

# WEB SERVER 1
iptables -A INPUT -s 1.1.1.1 -p tcp --dport 0:65535 -j ACCEPT
iptables -A INPUT -s 1.1.1.1 -p udp --dport 0:65535 -j ACCEPT

# WEB SERVER 2
iptables -A INPUT -s 1.2.2.2 -p tcp --dport 0:65535 -j ACCEPT
iptables -A INPUT -s 1.2.2.2 -p udp --dport 0:65535 -j ACCEPT

# SECURE WEB SERVER 2
iptables -A INPUT -s 1.3.3.3 -p tcp --dport 0:65535 -j ACCEPT
iptables -A INPUT -s 1.3.3.3 -p udp --dport 0:65535 -j ACCEPT

# FTP SERVER (for remote management)
iptables -A INPUT -s 1.4.4.4 -p tcp --dport 0:65535 -j ACCEPT

iptables -A INPUT -j DROP


This is a stripped down version of Debian with IPTables (no nat, mangle or raw filtering) on a HP Thin Client PC. I'm trying to restrict the access in and out of the box as it is to be used for internet based credit card transactions in a public area.

With IPTables not filtering I can access the three web servers without a problem. The first secure page the system hits takes about 20 seconds to load and then the rest of the secure pages load quickly. The OS has SSL 3.0 and TLS 1.0. The secure based transactions are using SSL.

What am I missing? Why does this work with IPTables off and work slow with it on?

Thanks for any help.
 
Old 09-15-2011, 04:03 PM   #2
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Ubuntu 12.04, Antix19.3
Posts: 3,794

Rep: Reputation: 282Reputation: 282Reputation: 282
Check your log files; specifically the ones that Apache creates for SSL connections.
 
Old 09-15-2011, 04:06 PM   #3
erik777
LQ Newbie
 
Registered: Feb 2009
Posts: 18

Rep: Reputation: 0
I can say that a correctly configured IP Tables should have virtually no impact on performance, or negligible. You're more likely to fill up your bandwidth capacity before IP Tables becomes a bottleneck. I run it on very hold hardware purchased in the 1990s and am very happy.

That said, I highly recommend a tool called Firewall Builder (http://www.fwbuilder.org/). It is a GUI tool that makes it easy. Define all your networks, nodes, etc, in it. Then, it generates a script you run to update IP tables.

Don't forget to include all local communications. I'd guess from your limited script that you are not including the normal internal communications that need to be permitted, including outgoing communication from your web server for things like DNS lookups.

I'd give you more details or examples, but don't have access to my configuration at the moment.
 
Old 09-15-2011, 05:20 PM   #4
CordellStewart
LQ Newbie
 
Registered: Sep 2011
Posts: 3

Original Poster
Rep: Reputation: Disabled
Thanks for the suggestions and I agree that a correctly configured firewall should not be affecting this.

My concern is how the HTTPS transactions are handled and if the transactions could be being routed differently, meaning I need more entries. Do you think adding the NAT piece of IPTables could correct this? I.E. allowing ESTABLISHED and RELATED transactions or is that not an issue because I’ve opened up the IP address for all communications?

In testing, I’ve added our DNS and Proxy server addresses. No change. I contacted the third network and added everything they thought might help (DNS, Proxy and two other servers for outside connections for recursions and non recursion enabled access control). No change.

Thanks again!
 
Old 09-15-2011, 05:23 PM   #5
CordellStewart
LQ Newbie
 
Registered: Sep 2011
Posts: 3

Original Poster
Rep: Reputation: Disabled
Can I use the IPTables logging to get the SSL data? If so, do you know what I would add?
 
Old 09-16-2011, 12:36 AM   #6
erik777
LQ Newbie
 
Registered: Feb 2009
Posts: 18

Rep: Reputation: 0
Yes, try enabling NAT. That was one lesson I had when I had a similar problem like yours. Basically, I always thought of NAT as routing incoming traffic through a public IP to a private one, which is one use of it. But, with iptables, it also serves to handle outgoing traffic. Unless your web server is using a different gateway, you'll probably need NAT enabled and configured for this to happen.

The resulting rules that are generated in my case are many and complex, most beyond my understanding. Viewing with webmin, I can say that the first line appears to be:

Accept If state of connection is RELATED,ESTABLISHED

which is designed to support tcp/ip state.

Is your firewall just running on the web server? Does the computer it is on have public/WAN IPs, or is it completely private (with the exception that maybe you are NAT'ing from public to private on another firewall?)

In my case, my web servers are completely inside, with no public IP assigned to them. Public traffic gets to them via NAT, so the firewall on the web servers themselves don't have to worry about a WAN (Internet) interface. If this is the case, then I can say I only modified the original default Centos/RH firewall via webmin, basically just inserting ACCEPT entries to open ports.

Looking at webmin, there is one chain it runs for all INPUT and FORWARD packets. In this chain, it accepts if interface is lo, connection is ESTABLISHED,RELATED, and if the ports match (ports you want opened). Lastly, it always rejects anything that didn't match.

Running iptables -L, I can say that it does not contain any IP addresses because it is only applied to the current box and not used as a gateway or router.

In contrast, the one I manage with Firewall Builder does act as a gateway and router, and it is loaded with IP addresses and subnets and many chains and rules. But, in Firewall Builder, it is interestingly simple.

Last edited by erik777; 09-16-2011 at 12:39 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
how to block https using iptables pavangogineni Linux - Networking 12 03-12-2012 10:31 AM
Squid with IPTABLES not allowing https riaanc1 Linux - Newbie 1 10-07-2009 02:33 AM
how to block https using iptables pavangogineni Linux - Security 2 10-19-2006 12:49 AM
iptables masquarading problem with https grayFalcon Linux - Networking 1 12-09-2005 08:38 AM
Iptables and https sturla69 Linux - Security 6 09-16-2003 10:13 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 12:51 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration