Mailinglist Archive: opensuse-security (359 mails)

RE: [suse-security] IPTABLES Command slows down the machine
  • From: "Mark Perry" <PERRY@xxxxxxxxxx>
  • Date: Fri, 25 Jul 2003 13:19:35 +0200
  • Message-id: <OF9A2739F4.04B2D0B6-ONC1256D6E.003DD0DA-C1256D6E.003E6677@xxxxxxxxxx>

I don't see any allowance for INPUT on IFC=lo?

I always start my scripts by allowing the local loopback interface - I'll
allow others on the List to make their own comments ;-)
But here's how my iptable scripts start:

#
# Enable all I/O to/from the local loopback interface
#
iptables --append INPUT \
--in-interface lo \
--jump ACCEPT

iptables --append OUTPUT \
--out-interface lo \
--jump ACCEPT

#--------------------------------#

#
# Establish our harsh drop-all default policies
#
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

Also I normally specify the interface on *most* of my rules.

Anyway, that's my first impression, not given any LOG'ed records to review.

All the Best / Mit Freundlichen Gruessen
Mark G. Perry

IBM Germany Development GmbH / IBM Deutschland Entwicklung GmbH
Schoenaicher Strasse 220, 71032 Boeblingen, Germany
Email/Sametime: perry@xxxxxxxxxx
Office Tel: (+49)-7031-16-3626


From: "Knut Erik Hauslo" <KNUTH@xxxxxxxxxxom>
Sent: 25/07/2003 12:56
To: Mark Perry/Germany/Contr/IBM@IBMDE
cc: <suse-security@xxxxxxxx>
Subject: RE: [suse-security] IPTABLES Command slows down the machine

I am only allowing ports 21 and 80 outbound, and 80 inbound (customer
specs - plz do not comment on this, I know it's weird but they are
somewhat paranoid).

But your hint, regarding DNS got me checking the DNS settings. I had
forgotten to remove a DNS server that's no longer active. A reboot after
removal of DNS-Server setting did not show any improvements...

My script looks as follows:
#!/bin/sh
#
# Initial SIMPLE IP Firewall script
#
iptables -F
iptables -X
iptables -Z

INET_IP="192.168.1.254"
INET_IFACE="eth1"
INET_BROADCAST="192.168.1.255"

LAN_IP="172.19.6.254"
LAN_IP_RANGE="172.16.0.0/16"
LAN_IFACE="eth0"

LO_IFACE="lo"
LO_IP="127.0.0.1"

IPTABLES="/usr/sbin/iptables"

/sbin/depmod -a

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ip_conntrack_ftp

echo "1" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# INPUT Rules
# Need not be activated as we have no services running on local machine
# Security Tests are to come

# FORWARD Rules
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# HTTP-Requests outbound
$IPTABLES -A FORWARD -p TCP -s 172.19.0.0/16 -d 192.168.1.0/24 --dport 80 -j ACCEPT
# HTTP Requests inbound
$IPTABLES -A FORWARD -p TCP -s 192.168.1.0/24 -d 172.19.0.0/16 --dport 80 -j ACCEPT

# Settings for active FTP
# FTP Control Connection outbound
$IPTABLES -A FORWARD -p TCP -s 172.19.0.0/16 -d 192.168.1.0/24 --dport 21 -j ACCEPT
# FTP Data Connection inbound - comment next line if only passive FTP is
# going to be used
$IPTABLES -A FORWARD -p TCP -s 192.168.1.0/24 --sport 20 -d 172.19.0.0/16 --dport 1024: -j ACCEPT

# Settings for passive FTP
# FTP Data Connection outbound
$IPTABLES -A FORWARD -p TCP -s 172.19.0.0/16 --sport 1024: -d 192.168.1.0/24 --dport 1024: -j ACCEPT

# OUTPUT Rules
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT


-----Original Message-----
From: Mark Perry [mailto:PERRY@xxxxxxxxxx]
Sent: Friday, July 25, 2003 12:27 PM
To: Knut Erik Hauslo
Cc: suse-security@xxxxxxxx
Subject: Re: [suse-security] IPTABLES Command slows down the machine


Are you perhaps restricting some ports that are required by some of the
applications run during KDE startup? For example are you blocking DNS?

In any case you should design your iptables script to LOG DROPS/REJECTS
so that you can see what your iptables rules are actually doing.

From the information you have presented no one is likely to give you an
exact answer.

If you wish more assistance please show your script and any LOG'ed
records that may be relevant.

All the Best / Mit Freundlichen Gruessen
Mark G. Perry

IBM Germany Development GmbH / IBM Deutschland Entwicklung GmbH
Schoenaicher Strasse 220, 71032 Boeblingen, Germany
Email/Sametime: perry@xxxxxxxxxx
Office Tel: (+49)-7031-16-3626


From: "Knut Erik Hauslo" <KNUTH@xxxxxxxxxxom>
Sent: 25/07/2003 11:16
To: <suse-security@xxxxxxxx>
cc:
Subject: [suse-security] IPTABLES Command slows down the machine

Hi all,

I have a nice IPTABLES Script which I start upon booting the server
(/etc/init.d/boot.local).

One of the first commands is this line:
IPTABLES="/usr/sbin/iptables"

If I run the script without this command, none of the rules are active.
If I boot my server with the above command enabled however, the KDE
login takes so much longer time and any application I start takes long
to open too.

The rules are working fine, and it seems that firewall-functions are
being handled in a timely fashion (I have tested it while having my
sniffer observe..)

PS: I am a newbie to Linux and IPTABLES, please bear with me.

Cheers
Knut Erik

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
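Mark's two suggestions in this thread, accept loopback traffic before anything else and LOG what the chains drop so the rules can be checked against the kernel log, put together as the head of an iptables script. This is an added example, not the script from either post; the `ipt` wrapper, the DRY_RUN/FW_APPLY switches, the log prefix and the limit values are all choices made here.

```shell
#!/bin/sh
# Added example: head of an iptables script in Mark's order --
# loopback first, LOG last in each chain, then the DROP policies.
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"

ipt() {
    # DRY_RUN=1 prints the commands instead of running them (no root needed).
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

allow_loopback() {
    # lo carries the host's own local traffic; with an INPUT policy of DROP
    # and no rule for lo, replies to local connections never arrive.
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
}

log_drops() {
    # Last rule in each chain: anything reaching it is about to hit the
    # DROP policy, so log it. The limit (arbitrary values) keeps a flood
    # from filling the kernel log; the prefix makes the lines easy to grep.
    for chain in INPUT OUTPUT FORWARD; do
        ipt -A "$chain" -m limit --limit 5/minute --limit-burst 10 \
            -j LOG --log-level 4 --log-prefix "IPT-DROP-$chain: "
    done
}

default_drop() {
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
}

firewall_head() {
    allow_loopback
    # Service rules (e.g. the HTTP/FTP FORWARD rules from the thread) go
    # here, with -i/-o set, so the LOG rules only see what nothing matched.
    log_drops
    default_drop
}

# FW_APPLY=1 runs it as root; FW_APPLY=1 DRY_RUN=1 just prints the rules.
if [ "${FW_APPLY:-0}" = "1" ]; then
    firewall_head
fi
```

Once applied, dropped packets show up in the kernel log with the `IPT-DROP-<chain>:` prefix, which is the record Mark asks for before diagnosing the slow KDE login.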