iptables configuration help!!!! slows system startup i tink modprobe problem

haxpak · 01-17-2009, 06:54 PM

am running fc-9.0 x86_64
i have a squid 2.5 stable 3 running on my system
i have provided following configuration for iptables 1.4

Code:

#!/bin/sh

IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
INT_NET=10.168.1.0/24

### flush existing rules and set chain policy setting to DROP

echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

### load connection-tracking modules

$MODPROBE ip_conntrack
$MODPROBE iptable_nat
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp

###### INPUT chain ######

echo "[+] Setting up INPUT chain..."

### state tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
#$IPTABLES -A INPUT -i eth0 -s ! $INT_NET --syn -m state --state NEW -j LOG --log-prefix "INTRUSION"
#$IPTABLES -A INPUT -i eth0 -s ! $INT_NET --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### anti-spoofing rules

$IPTABLES -A INPUT -i eth1 -s ! $INT_NET -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A INPUT -i eth1 -s ! $INT_NET -j DROP

### ACCEPT rules

$IPTABLES -A INPUT -i eth1 -p tcp -s $INT_NET --dport 8080 -j ACCEPT # 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p tcp -s $INT_NET --dport 80 -j ACCEPT

$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
### default INPUT LOG rule
$IPTABLES -A INPUT -i ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### OUTPUT chain ######
echo "[+] Setting up OUTPUT chain..."
### state tracking rules

$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for allowing connections out

$IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

### default OUTPUT LOG rule

$IPTABLES -A OUTPUT -o ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

then after running this script
i did

Code:

service iptables save

when ever i restart my system

NFS statd fails to start

also my system responds very slowly
and squid doesnt respond

is it because modprobe is being initialized in the script but i did not find any similar lines in iptables.conf

what is modprobe and what is it doing to my system
i am a noob so do not know which files to look in to identify the problems

any kind of help is very welcome
please help me
i am stuck with an awfully slow comp now

"for now i have turned off iptables"

Hari Gold · 01-17-2009, 07:55 PM

Hi haxpax,
Modprobe loads modules into the kernel and does so cleverly. You don't have any nat rules, so I am guessing that the two nat modules are not required, but in either case they should not adversely affect performance. What exactly is slow? Try running top and vmstat 1 to see what resource you are short of and which process is using it up.

Regarding squid, I don't see any squid rules in iptables. What are you trying to do with squid? What role does this machine play on your network? Is it a workstation or a server?

haxpak · 01-17-2009, 10:32 PM

thanks hari....

well i ran vmstat
this is what the output looks like
procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
r b swpd free buff cache si so bi bo in cs us sy id wa st
2 0 892 6236 3448 130664 0 0 42 39 136 573 3 1 94 2 0

when iptables is OFF

well on statup
the boot process is extremely slow
also nfs statd fails to load

well i am doing it as a part of setting a security setup for my lab network as my project for final term engg

i am trying to setup an authntication system system for the users accesing internal network
this is part of firewall i am trying to estb

and i also want to include intrusion detection and prevention system

on enabling iptables with the above said config
gnome gives an error window saying some necessary modules failed to load and some services like desktop managment might not be available

the config of the system i am using is:
2.6 ghz
intel 865 mb
512 mb ram