RE: [suse-security] IPTABLES Command slows down the machine
Hmmm... Things seem to be stable now. I need to thank all the people out there who have contributed with a lot of helpful hints and tips.

Also, I think I learned my lesson today. I have been designing the rules on a completely wrong assumption. What I did not quite understand, until a few minutes ago, was how IPTABLES works. Then I came to think of this: when an FTP client initiates a passive session it will only talk to the firewall, because it will most probably not know the real IP of the destination. Only in my "little" world do I know it. So this got me thinking... When I only "talk" to the firewall, it's by definition an INPUT rule, which leads to some processing before it eventually goes to the OUTPUT chain and then eventually leaves the firewall. All the time, I designed FORWARD chains.... Oh well, crash course Linux... A newbie's life is not easy, and TGIF...

Cheers and have a nice weekend all

Knut Erik

-----Original Message-----
From: Mark Perry [mailto:PERRY@de.ibm.com]
Sent: Friday, July 25, 2003 2:53 PM
To: Knut Erik Hauslo
Subject: RE: [suse-security] IPTABLES Command slows down the machine

Best would be to add some logging. Add something similar to these statements to the end of your script:

    iptables --append INPUT \
      --jump LOG \
      --log-level info \
      --log-prefix "iptables t=INPUT:"

    iptables --append OUTPUT \
      --jump LOG \
      --log-level info \
      --log-prefix "iptables t=OUTPUT:"

    iptables --append FORWARD \
      --jump LOG \
      --log-level info \
      --log-prefix "iptables t=FORWARD:"

Providing you don't have any DROP rules before these statements, then anything about to reach the default DROP policy will get LOG'ed. Then, depending on how your /etc/syslog.conf has been set up, you will see these logged messages, probably in /var/log/messages.

NOTE: the above can be much more sophisticated, but a basic log will be better than none ;-)

All the Best / With Kind Regards

Mark G. Perry
IBM Germany Development GmbH / IBM Deutschland Entwicklung GmbH
Schoenaicher Strasse 220, 71032 Boeblingen, Germany
Email/Sametime: perry@de.ibm.com
Office Tel: (+49)-7031-16-3626
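An added example, not from either mail, of reading what those LOG rules produce: a POSIX shell script that runs over constructed syslog lines in the LOG target's format (the "iptables t=<CHAIN>:" prefix followed directly by the IN=/OUT=/SRC=/DST= fields) and tallies, per chain, what was about to hit the default DROP policy, which is the INPUT-versus-FORWARD distinction Knut describes above. The hostname, addresses and ports in the sample are made up.

```shell
#!/bin/sh
# Constructed sample of what /var/log/messages would contain with Mark's LOG
# rules in place. Real LOG output carries more fields (LEN, TOS, TTL, ID, ...);
# only the ones this script reads are kept, plus one unrelated line as noise.
SAMPLE_LOG='Jul 25 14:53:01 fw kernel: iptables t=INPUT:IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=40001 DPT=21 SYN
Jul 25 14:53:02 fw kernel: iptables t=INPUT:IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=40002 DPT=50123 SYN
Jul 25 14:53:03 fw kernel: iptables t=FORWARD:IN=eth0 OUT=eth1 SRC=10.0.0.7 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=40003 DPT=21 SYN
Jul 25 14:53:04 fw kernel: iptables t=OUTPUT:IN= OUT=eth1 SRC=10.0.0.1 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=40004 DPT=21 SYN
Jul 25 14:53:05 fw kernel: sshd[123]: Accepted publickey for knut'

# count_chain CHAIN: number of logged packets that fell through to the default
# policy in that chain (INPUT, OUTPUT or FORWARD). Unrelated lines are ignored
# because they never carry the "iptables t=CHAIN:" prefix.
count_chain() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c "iptables t=$1:"
}

# summarise: one "CHAIN PROTO DPT" line per logged packet. Seeing DPT=21 and a
# high passive-mode data port logged in INPUT (not FORWARD) is the symptom of
# FTP clients talking to the firewall itself rather than through it.
summarise() {
    printf '%s\n' "$SAMPLE_LOG" \
      | sed -n 's/.*iptables t=\([A-Z]*\):.*PROTO=\([A-Z]*\).*DPT=\([0-9]*\).*/\1 \2 \3/p'
}

summarise
printf 'INPUT=%s OUTPUT=%s FORWARD=%s\n' \
    "$(count_chain INPUT)" "$(count_chain OUTPUT)" "$(count_chain FORWARD)"
```

Pointing SAMPLE_LOG at a real /var/log/messages extract (or replacing the printf with cat) gives the same per-chain breakdown for live data.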