RE: [suse-security] IPTABLES Command slows down the machine
I am only allowing ports 21 and 80 outbound, and 80 inbound (customer specs - plz do not comment on this, I know it's weird but they are somewhat paranoid). But your hint regarding DNS got me checking the DNS settings. I had forgotten to remove a DNS server that's no longer active. A reboot after removing the DNS server setting did not show any improvement...

My script looks as follows:

#!/bin/sh
#
# Initial SIMPLE IP Firewall script
#
iptables -F
iptables -X
iptables -Z

INET_IP="192.168.1.254"
INET_IFACE="eth1"
INET_BROADCAST="192.168.1.255"
LAN_IP="172.19.6.254"
LAN_IP_RANGE="172.16.0.0/16"
LAN_IFACE="eth0"
LO_IFACE="lo"
LO_IP="127.0.0.1"
IPTABLES="/usr/sbin/iptables"

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ip_conntrack_ftp

echo "1" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# INPUT Rules
# Need not be activated as we have no services running on local machine
# Security Tests are to come

# FORWARD Rules
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# HTTP-Requests outbound
$IPTABLES -A FORWARD -p TCP -s 172.19.0.0/16 -d 192.168.1.0/24 --dport 80 -j ACCEPT
# HTTP Requests inbound
$IPTABLES -A FORWARD -p TCP -s 192.168.1.0/24 -d 172.19.0.0/16 --dport 80 -j ACCEPT
# Settings for active FTP
# FTP Control Connection outbound
$IPTABLES -A FORWARD -p TCP -s 172.19.0.0/16 -d 192.168.1.0/24 --dport 21 -j ACCEPT
# FTP Data Connection inbound - comment next line if only passive FTP is going to be used
$IPTABLES -A FORWARD -p TCP -s 192.168.1.0/24 --sport 20 -d 172.19.0.0/16 --dport 1024: -j ACCEPT
# Settings for passive FTP
# FTP Data Connection outbound
$IPTABLES -A FORWARD -p TCP -s 172.19.0.0/16 --sport 1024: -d 192.168.1.0/24 --dport 1024: -j ACCEPT

# OUTPUT Rules
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

-----Original Message-----
From: Mark Perry [mailto:PERRY@de.ibm.com]
Sent: Friday, July 25, 2003 12:27 PM
To: Knut Erik Hauslo
Cc: suse-security@suse.com
Subject: Re: [suse-security] IPTABLES Command slows down the machine

Are you perhaps restricting some ports that are required by some of the applications run during KDE startup? For example, are you blocking DNS? In any case you should design your iptables script to LOG DROPS/REJECTS so that you can see what your iptables rules are actually doing.

From the information you have presented no one is likely to give you an exact answer.

If you wish more assistance please show your script and any LOG'ed records that may be relevant.

All the Best / With kind regards
Mark G. Perry
IBM Germany Development GmbH / IBM Deutschland Entwicklung GmbH
Schoenaicher Strasse 220, 71032 Boeblingen, Germany
Email/Sametime: perry@de.ibm.com
Office Tel: (+49)-7031-16-3626

"Knut Erik Hauslo" <KNUTH@voelcker.com>, 25/07/2003 11:16
To: <suse-security@suse.com>
Subject: [suse-security] IPTABLES Command slows down the machine

Hi all,

I have a nice IPTABLES script which I start upon booting the server (/etc/init.d/boot.local). One of the first commands is this line:

IPTABLES="/usr/sbin/iptables"

If I run the script without this command, none of the rules are active. If I boot my server with the above command enabled, however, the KDE login takes so much longer and any application I start takes a long time to open too. The rules are working fine, and it seems that firewall functions are being handled in a timely fashion (I have tested it while having my sniffer observe..)

PS: I am a newbie to Linux and IPTABLES, please bear with me.

Cheers
Knut Erik

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
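Mark's advice is to log what the DROP policies discard and read that log before guessing. The script below is an added example, not code from the thread or from either poster: it reduces netfilter LOG lines to a per-chain, per-interface, per-service count, which is the view that makes a blocked loopback connection or a dropped DNS reply obvious. It assumes the logging rules were added with a --log-prefix of the form "FW-DROP-<CHAIN>: "; the log lines embedded in it are constructed, not real output.

```shell
#!/bin/sh
# Added example (not from the thread): summarize netfilter LOG lines so the
# traffic that the DROP policies are actually hitting becomes visible.
# Assumes logging rules of the form: -j LOG --log-prefix "FW-DROP-<CHAIN>: "
# The sample lines below are constructed, not real log output. They mimic
# two symptoms a policy-DROP firewall with no INPUT rules produces: local X11
# clients trying to reach the local X server over lo (tcp/6000), and DNS
# replies (udp from port 53) coming back in on eth1 and being dropped.
SAMPLE_LOG='Jul 25 11:16:02 gw kernel: FW-DROP-INPUT: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=38211 DPT=6000 WINDOW=32767 RES=0x00 SYN URGP=0
Jul 25 11:16:02 gw kernel: FW-DROP-INPUT: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=38212 DPT=6000 WINDOW=32767 RES=0x00 SYN URGP=0
Jul 25 11:16:03 gw kernel: FW-DROP-INPUT: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=38213 DPT=6000 WINDOW=32767 RES=0x00 SYN URGP=0
Jul 25 11:16:05 gw kernel: FW-DROP-INPUT: IN=eth1 OUT= SRC=192.168.1.1 DST=192.168.1.254 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=UDP SPT=53 DPT=32771 LEN=108
Jul 25 11:16:10 gw kernel: FW-DROP-INPUT: IN=eth1 OUT= SRC=192.168.1.1 DST=192.168.1.254 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=UDP SPT=53 DPT=32772 LEN=108'

# summarize_drops: read LOG lines on stdin and print one line per distinct
# "chain iface proto port" combination, prefixed with its count, most frequent
# first. "port" is the lower of SPT/DPT, a heuristic that picks the well-known
# service port whether the dropped packet was a request (DPT) or a reply (SPT).
summarize_drops() {
    awk '
    {
        chain = ""; iface = ""; proto = ""; spt = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^FW-DROP-[A-Z]+:$/) { chain = substr($i, 9, length($i) - 9) }
            else if ($i ~ /^IN=./)    { iface = substr($i, 4) }
            else if ($i ~ /^OUT=./)   { iface = substr($i, 5) }
            else if ($i ~ /^PROTO=/)  { proto = substr($i, 7) }
            else if ($i ~ /^SPT=/)    { spt = substr($i, 5) }
            else if ($i ~ /^DPT=/)    { dpt = substr($i, 5) }
        }
        if (chain == "") next
        port = (spt + 0 < dpt + 0) ? spt : dpt
        count[chain " " iface " " proto " " port]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Stand-alone run over the constructed sample:
#   3 INPUT lo TCP 6000
#   2 INPUT eth1 UDP 53
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On a real host you would feed it the kernel log instead, e.g. `grep 'FW-DROP-' /var/log/messages | summarize_drops`. The two lines it prints for the sample are the two fixes the thread arrives at: lo traffic being dropped in INPUT, and replies to the host's own outbound connections being dropped in INPUT.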
Knut Erik Hauslo wrote:

> # INPUT Rules
> # Need not be activated as we have no services running on local machine
> # Security Tests are to come

You have to enable the loopback interface for INPUT, too.

> # FORWARD Rules
> ...
> # OUTPUT Rules
> $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
> $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

For me this works:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

--
Andreas
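Putting Andreas's loopback rules and Mark's logging advice together, the script below is an added example, not the script from the thread or either poster's code. It keeps the thread's filter skeleton (policy DROP on all three chains, HTTP and FTP control forwarded between the two networks) and adds the pieces the thread identifies as missing: loopback accepted in INPUT as well as OUTPUT, replies to the host's own connections accepted in INPUT (the reason a DNS query can leave but its answer never arrives), and a rate-limited LOG rule at the end of each chain. The interface names and networks are taken from the thread's script; IPTABLES, the ipt/build_rules helpers and the DRY_RUN switch are assumptions for this example. With DRY_RUN=1 it prints the iptables commands instead of executing them, so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the script from the thread: the same filter skeleton with
# the fixes the replies point at. Network values follow the thread; the helper
# names (ipt, build_rules) and the DRY_RUN switch are assumptions of this example.
IPTABLES="/usr/sbin/iptables"
LO_IFACE="lo"
LAN_IFACE="eth0"
INET_IFACE="eth1"
LAN_NET="172.16.0.0/16"    # LAN_IP_RANGE in the thread's script
INET_NET="192.168.1.0/24"  # the network behind eth1, as used in the thread's rules
DRY_RUN="${DRY_RUN:-0}"    # 1 = print commands instead of running them

# ipt: run one iptables command, or print it in dry-run mode
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        "$IPTABLES" "$@"
    fi
}

build_rules() {
    ipt -F
    ipt -X
    ipt -Z
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # Fix 1 (Andreas): loopback in both directions. Local clients (X server,
    # KDE's own services, the resolver) talk to local daemons over lo; with
    # INPUT at policy DROP those connections hang until they time out, which
    # is exactly a slow KDE login.
    ipt -A INPUT  -i "$LO_IFACE" -j ACCEPT
    ipt -A OUTPUT -o "$LO_IFACE" -j ACCEPT

    # Fix 2: answers to connections the firewall host opened itself, e.g. DNS
    # replies from udp/53. Without this the OUTPUT rules let the query out but
    # the INPUT policy drops the answer, and every lookup waits for a timeout.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Traffic the host itself originates (the thread's OUTPUT rules, by interface)
    ipt -A OUTPUT -o "$LAN_IFACE" -j ACCEPT
    ipt -A OUTPUT -o "$INET_IFACE" -j ACCEPT

    # FORWARD: the thread's HTTP and FTP control rules. With ip_conntrack_ftp
    # loaded, FTP data connections (active and passive) match RELATED, so the
    # wide --dport 1024: rules are not needed.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -p tcp -i "$LAN_IFACE"  -s "$LAN_NET"  -d "$INET_NET" --dport 80 -j ACCEPT
    ipt -A FORWARD -p tcp -i "$LAN_IFACE"  -s "$LAN_NET"  -d "$INET_NET" --dport 21 -j ACCEPT
    ipt -A FORWARD -p tcp -i "$INET_IFACE" -s "$INET_NET" -d "$LAN_NET"  --dport 80 -j ACCEPT

    # Fix 3 (Mark): last rule of every chain logs, rate-limited, what the
    # policy is about to drop, so the next problem shows up in syslog.
    for chain in INPUT OUTPUT FORWARD; do
        ipt -A "$chain" -m limit --limit 5/min --limit-burst 10 \
            -j LOG --log-prefix "FW-DROP-$chain: " --log-level 4
    done
}

case "${1:-}" in
    show)  DRY_RUN=1; build_rules ;;
    apply) build_rules ;;
    *)     echo "usage: $0 show|apply" >&2 ;;
esac
```

Run `sh fw.sh show` to review the generated commands and `sh fw.sh apply` (as root) to load them; the dry-run print loses shell quoting, so read it as a listing rather than something to paste back. The ESTABLISHED,RELATED rule in INPUT is deliberately placed before any LOG rule: state matching is what lets a policy-DROP firewall stay tight for unsolicited traffic while still letting the host's own lookups and downloads complete.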
participants (2)
- Andreas Winkelmann
- Knut Erik Hauslo