Mailinglist Archive: opensuse-security (359 mails)

< Previous Next >
RE: [suse-security] IPTABLES Command slows down the machine
  • From: "Knut Erik Hauslo" <KNUTH@xxxxxxxxxxxx>
  • Date: Fri, 25 Jul 2003 15:25:43 +0200
  • Message-id: <84ECB0B9D002A54EA3E926AAA94E5808019099@xxxxxxxxxxxxxx>
Hmmm... Things seems to be stable now.

I need to thank all the people out there who have contributed with a lot
of helpful hints and tips.

Also, I think i learned my lesson today. I have been designing the rules
on a completely wrong assumption. What I did not quite understand, until
few minutes ago, was how the IPTABLES work. Then I came to think of
this: when an FTP client initiates a passive session it will only talk
to the firewall because it will most probably not know the real IP of
the destination. Only in my "little" world, i do know it. So this got me
thinking... When I only "talk" to the firewall, it's by definition a
INPUT rule which leads to some processing before it eventually goes to
the OUTPUT chain an then eventually leaves the firewall.

All the time, i designed FORWARD chains.... Oh well, crash course linux
... A newbies life is not easy, and TGIF...

Cheers and have a nice week end all
Knut Erik

-----Original Message-----
From: Mark Perry [mailto:PERRY@xxxxxxxxxx]
Sent: Friday, July 25, 2003 2:53 PM
To: Knut Erik Hauslo
Subject: RE: [suse-security] IPTABLES Command slows down the machine



Best would be to add some logging. Add something similar to these
statements to the end of your script:

iptables --append INPUT \
--jump LOG \
--log-level info \
--log-prefix "iptables t=INPUT:"

iptables --append OUTPUT \
--jump LOG \
--log-level info \
--log-prefix "iptables t=OUTPUT:"

iptables --append FORWARD \
--jump LOG \
--log-level info \
--log-prefix "iptables t=FORWARD:"

Providing you don't have any DROP rules before these statements then
anything about to reach the default DROP policy will get LOG'ed.

Then depending how your /etc/syslog.conf has been setup you will see
these logged messages probably in /var/log/messages.

NOTE: the above can be much more sophisticated, but a basic log will be
better than none ;-)

All the Best / Mit Freundlichen Gruessen
Mark G. Perry

IBM Germany Development GmbH / IBM Deutschland Entwicklung GmbH
Schoenaicher Strasse 220, 71032 Boeblingen, Germany
Email/Sametime: perry@xxxxxxxxxx
Office Tel: (+49)-7031-16-3626

< Previous Next >