Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!


Old 01-17-2009, 12:57 PM   #1
Registered: Jan 2009
Location: India
Distribution: fc9 x86_64
Posts: 35

Rep: Reputation: 15
iptables configuration help!!!! slows system startup

I am running fc-9.0 x86_64.
I have squid 2.5 stable 3 running on my system.
I have provided the following configuration for iptables 1.4:



### flush existing rules and set chain policy setting to DROP

echo "[+] Flushing existing iptables rules..."
$IPTABLES -F -t nat

### load connection-tracking modules

$MODPROBE ip_conntrack
$MODPROBE iptable_nat
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp

###### INPUT chain ######

echo "[+] Setting up INPUT chain..."

### state tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
#$IPTABLES -A INPUT -i eth0 -s ! $INT_NET --syn -m state --state NEW -j LOG --log-prefix "INTRUSION"
#$IPTABLES -A INPUT -i eth0 -s ! $INT_NET --syn -m state --state NEW -j DROP

### anti-spoofing rules

$IPTABLES -A INPUT -i eth1 -s ! $INT_NET -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A INPUT -i eth1 -s ! $INT_NET -j DROP

### ACCEPT rules

$IPTABLES -A INPUT -i eth1 -p tcp -s $INT_NET --dport 8080 -j ACCEPT # 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p tcp -s $INT_NET --dport 80 -j ACCEPT

$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
### default INPUT LOG rule
$IPTABLES -A INPUT -i ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### OUTPUT chain ######
echo "[+] Setting up OUTPUT chain..."
### state tracking rules

$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

### ACCEPT rules for allowing connections out

$IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

### default OUTPUT LOG rule

$IPTABLES -A OUTPUT -o ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
Then after running this script
I did
service iptables save
Whenever I restart my system,

NFS statd fails to start.

Also my system responds very slowly
and squid doesn't respond.

Is it because modprobe is being initialized in the script? I did not find any similar lines in iptables.conf.

What is modprobe and what is it doing to my system?
I am a noob, so I do not know which files to look in to identify the problems.

Any kind of help is very welcome.
Please help me,
I am stuck with an awfully slow comp now.

"for now i have turned off iptables"
Old 01-17-2009, 07:49 PM   #2
Registered: Jan 2009
Location: India
Distribution: fc9 x86_64
Posts: 35

Original Poster
Rep: Reputation: 15
Please, anyone, please help me with this one!
Old 01-18-2009, 06:38 AM   #3
Registered: Jun 2006
Location: Belarus
Distribution: Debian GNU/Linux testing/unstable
Posts: 471

Rep: Reputation: 40
Where did you find this config? And why do you think it's suitable for you?
This config will drop all the connections on localhost (they are needed for any system), and I don't see any rule to allow squid packets to pass.
You should carefully read man iptables and write your own rules.
I don't know the configuration of your system, so I can't help you. But you should at least open all connections on the lo interface, and connections to your squid ports from anyone who is allowed to.
Old 02-16-2009, 09:55 AM   #4
Registered: Jan 2009
Location: India
Distribution: fc9 x86_64
Posts: 35

Original Poster
Rep: Reputation: 15
The config was found by me in the book "No.Starch.Press.Linux.Firewalls".

I think it is suitable for me because
I have to design a firewall for my project which provides conditional access and provides an intrusion detection capability.

I want to allow only the proxy port to the internal network,
so dropping all packets except --dport 8080.

8080 is my squid port.

Squid is working fine with the above config;
the only problem is with GNOME.

How do I allow all access to lo??
Will the following do?
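Picking up the two fixes from reply #3 (open lo, allow the squid port), here is an added example in the thread's own iptables style, not the poster's script and not the book's, plus a small triage helper for the "DROP " lines such a script logs. The INT_NET, INT_IF and SQUID_PORT defaults are placeholders and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not the poster's script or the book's: keeps the thread's
# default-DROP design but adds what reply #3 points out is missing (loopback
# and the squid port). INT_NET, INT_IF and SQUID_PORT are placeholders.
IPTABLES=${IPTABLES:-/sbin/iptables}   # set IPTABLES=echo for a dry run
INT_NET=${INT_NET:-192.168.0.0/24}     # placeholder LAN range
INT_IF=${INT_IF:-eth1}                 # LAN-facing interface, as in the thread
SQUID_PORT=${SQUID_PORT:-8080}         # the poster's squid port

apply_rules() {
    $IPTABLES -F
    $IPTABLES -F -t nat
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    # Loopback first: rpc.statd/portmap, the GNOME session and squid's helpers
    # all talk over lo, which is why they broke under a bare DROP policy.
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    # Replies to accepted connections, so the per-port rules only need NEW.
    $IPTABLES -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the proxy port, only from the LAN: the access policy the poster wanted.
    $IPTABLES -A INPUT -i "$INT_IF" -p tcp -s "$INT_NET" --dport "$SQUID_PORT" \
        --syn -m state --state NEW -j ACCEPT
    # Squid itself needs DNS and outbound HTTP/HTTPS to serve its clients.
    $IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp --dport 80  --syn -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
    # Log whatever falls through to the DROP policy; lo never reaches here.
    $IPTABLES -A INPUT  -j LOG --log-prefix "DROP "
    $IPTABLES -A OUTPUT -j LOG --log-prefix "DROP "
}
# Reads kernel log lines on stdin and counts "DROP " entries by interface and
# destination port, so you can see what a default-DROP policy is silently killing.
triage_drops() {
    awk '/DROP /{ iface = "?"; dpt = "?"
          for (i = 1; i <= NF; i++) {
              if ($i ~ /^IN=/)  iface = substr($i, 4)
              if ($i ~ /^DPT=/) dpt = substr($i, 5) }
          count[iface " dpt=" dpt]++ }
         END { for (k in count) print count[k], k }' | sort -rn
}
sample_log() {   # constructed lines in the format the thread's LOG rules produce
    printf '%s\n' \
      'kernel: DROP IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 PROTO=TCP SPT=902 DPT=111' \
      'kernel: DROP IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 PROTO=UDP SPT=800 DPT=111' \
      'kernel: DROP IN=eth1 OUT= SRC=192.168.0.7 DST=192.168.0.1 PROTO=TCP SPT=4000 DPT=22'
}
```

Run `IPTABLES=echo; apply_rules` to review the generated rules before applying them, and `grep 'DROP ' /var/log/messages | triage_drops` on a box with the poster's script loaded to see the lo traffic to port 111 (portmap, which statd depends on) being dropped.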

