Strange slowness problem with iptables

niente0
Posts: 5
Joined: 2018/05/07 10:46:26

Strange slowness problem with iptables

Post by niente0 » 2018/05/07 11:00:20

Hello,
on my mailserver I have a strange behavior with iptables rules. When I try to send an email message through this server, it takes many seconds before the message is sent (so it works, but it is very slow).
If at the end of all rules I add "ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0" (so disabling the firewall for the tcp protocol), messages are sent instantly.

Here's my list of rules (note: rules from 37 to 54 are needed for Blackberry mobiles):

Code:

#iptables -L -n --line-numbers

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     udp  --  [mailserverip]       151.99.125.2        udp dpt:53
3    ACCEPT     udp  --  151.99.125.2         [mailserverip]      udp spt:53 dpts:1024:65535
4    ACCEPT     udp  --  [mailserverip]       8.8.8.8             udp dpt:53
5    ACCEPT     udp  --  8.8.8.8              [mailserverip]      udp spt:53 dpts:1024:65535
6    ACCEPT     udp  --  [mailserverip]       151.99.0.100        udp dpt:53
7    ACCEPT     udp  --  151.99.0.100         [mailserverip]      udp spt:53 dpts:1024:65535
8    ACCEPT     udp  --  [mailserverip]       1.1.1.1             udp dpt:53
9    ACCEPT     udp  --  1.1.1.1              [mailserverip]      udp spt:53 dpts:1024:65535
10   ACCEPT     udp  --  [mailserverip]       1.0.0.1             udp dpt:53
11   ACCEPT     udp  --  1.0.0.1              [mailserverip]      udp spt:53 dpts:1024:65535
12   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
14   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
15   ACCEPT     tcp  --  0.0.0.0/0            [mailserverip]      tcp dpt:80
16   ACCEPT     tcp  --  0.0.0.0/0            [mailserverip]      tcp dpt:443
17   ACCEPT     tcp  --  [ourip1]             [mailserverip]      tcp dpt:21
18   ACCEPT     tcp  --  [ourip3]             [mailserverip]      tcp dpt:21
19   ACCEPT     tcp  --  [ourip1]             [mailserverip]      tcp dpt:22
20   ACCEPT     tcp  --  [ourip2]             [mailserverip]      tcp dpt:22
21   ACCEPT     tcp  --  [ourip3]             [mailserverip]      tcp dpt:22
22   ACCEPT     tcp  --  [ourip3]             [mailserverip]      tcp dpt:22
23   ACCEPT     tcp  --  [ourip4]             [mailserverip]      tcp dpt:22
24   ACCEPT     tcp  --  0.0.0.0/0            [mailserverip]      tcp dpt:25
25   ACCEPT     tcp  --  0.0.0.0/0            [mailserverip]      tcp dpt:465
26   ACCEPT     tcp  --  0.0.0.0/0            [mailserverip]      tcp dpt:587
27   ACCEPT     tcp  --  0.0.0.0/0            [mailserverip]      tcp dpt:110
28   ACCEPT     tcp  --  0.0.0.0/0            [mailserverip]      tcp dpt:995
29   ACCEPT     tcp  --  0.0.0.0/0            [mailserverip]      tcp dpt:143
30   ACCEPT     tcp  --  0.0.0.0/0            [mailserverip]      tcp dpt:993
31   ACCEPT     tcp  --  [ourip1]             [mailserverip]      tcp dpts:1024:65535
32   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:783 flags:0x17/0x02
33   ACCEPT     tcp  --  [ourip3]             [mailserverip]      tcp dpts:1024:65535
34   ACCEPT     tcp  --  [mailserverip]       0.0.0.0/0
35   ACCEPT     tcp  --  [ourip1]             0.0.0.0/0           state NEW tcp multiport dports 5901:5903,6001:6003
36   ACCEPT     tcp  --  [ourip3]             0.0.0.0/0           state NEW tcp multiport dports 5901:5903,6001:6003
37   ACCEPT     all  --  206.51.26.0/24       [mailserverip]
38   ACCEPT     all  --  193.109.81.0/24      [mailserverip]
39   ACCEPT     all  --  204.187.87.0/24      [mailserverip]
40   ACCEPT     all  --  206.53.144.0/20      [mailserverip]
41   ACCEPT     all  --  216.9.240.0/20       [mailserverip]
42   ACCEPT     all  --  67.223.64.0/19       [mailserverip]
43   ACCEPT     all  --  93.186.16.0/20       [mailserverip]
44   ACCEPT     all  --  68.171.224.0/19      [mailserverip]
45   ACCEPT     all  --  74.82.64.0/19        [mailserverip]
46   ACCEPT     all  --  173.247.32.0/19      [mailserverip]
47   ACCEPT     all  --  178.239.80.0/20      [mailserverip]
48   ACCEPT     all  --  180.149.148.0/23     [mailserverip]
49   ACCEPT     all  --  180.149.151.0/24     [mailserverip]
50   ACCEPT     all  --  180.168.204.0/22     [mailserverip]
51   ACCEPT     all  --  5.100.168.0/21       [mailserverip]
52   ACCEPT     all  --  131.117.168.0/21     [mailserverip]
53   ACCEPT     all  --  103.246.200.0/22     [mailserverip]
54   ACCEPT     all  --  93.186.25.33         [mailserverip]
55   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
56   ACCEPT     icmpv6--  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Any suggestions to solve this problem? (It happens on 2 different mailservers.)
Thanks! :D

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Strange slowness problem with iptables

Post by TrevorH » 2018/05/07 11:02:58

Please post the output of the iptables-save command as it's much easier to read than the output of iptables.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

niente0
Posts: 5
Joined: 2018/05/07 10:46:26

Re: Strange slowness problem with iptables

Post by niente0 » 2018/05/07 11:12:35

Yes sure, here it is:

Code:

# Generated by iptables-save v1.4.7 on Mon May  7 12:24:47 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3754:7940828]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s [mailserverip]/32 -d 151.99.125.2/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 151.99.125.2/32 -d [mailserverip]/32 -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -s [mailserverip]/32 -d 8.8.8.8/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 -d [mailserverip]/32 -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -s [mailserverip]/32 -d 151.99.0.100/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 151.99.0.100/32 -d [mailserverip]/32 -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -s [mailserverip]/32 -d 1.1.1.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 1.1.1.1/32 -d [mailserverip]/32 -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -s [mailserverip]/32 -d 1.0.0.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 1.0.0.1/32 -d [mailserverip]/32 -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -d [mailserverip]/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d [mailserverip]/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s [ourip1]/32 -d [mailserverip]/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s [ourip3]/32 -d [mailserverip]/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s [ourip1]/32 -d [mailserverip]/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s [ourip2]/32 -d [mailserverip]/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s [ourip3]/32 -d [mailserverip]/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s [ourip5]/32 -d [mailserverip]/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s [ourip4]/32 -d [mailserverip]/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d [mailserverip]/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -d [mailserverip]/32 -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -d [mailserverip]/32 -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -d [mailserverip]/32 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -d [mailserverip]/32 -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -d [mailserverip]/32 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -d [mailserverip]/32 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -s [ourip1]/32 -d [mailserverip]/32 -p tcp -m tcp --dport 1024:65535 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 783 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s [ourip3]/32 -d [mailserverip]/32 -p tcp -m tcp --dport 1024:65535 -j ACCEPT
-A INPUT -s [mailserverip]/32 -p tcp -j ACCEPT
-A INPUT -s [ourip1]/32 -p tcp -m state --state NEW -m tcp -m multiport --dports 5901:5903,6001:6003 -j ACCEPT
-A INPUT -s [ourip3]/32 -p tcp -m state --state NEW -m tcp -m multiport --dports 5901:5903,6001:6003 -j ACCEPT
-A INPUT -s 206.51.26.0/24 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 193.109.81.0/24 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 204.187.87.0/24 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 206.53.144.0/20 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 216.9.240.0/20 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 67.223.64.0/19 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 93.186.16.0/20 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 68.171.224.0/19 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 74.82.64.0/19 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 173.247.32.0/19 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 178.239.80.0/20 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 180.149.148.0/23 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 180.149.151.0/24 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 180.168.204.0/22 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 5.100.168.0/21 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 131.117.168.0/21 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 103.246.200.0/22 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 93.186.25.33/32 -d [mailserverip]/32 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
COMMIT
# Completed on Mon May  7 12:24:47 2018
# Generated by iptables-save v1.4.7 on Mon May  7 12:24:47 2018
*nat
:PREROUTING ACCEPT [1168:66518]
:POSTROUTING ACCEPT [15603:1183134]
:OUTPUT ACCEPT [15603:1183134]
COMMIT
# Completed on Mon May  7 12:24:47 2018
# Generated by iptables-save v1.4.7 on Mon May  7 12:24:47 2018
*mangle
:PREROUTING ACCEPT [189501:347063157]
:INPUT ACCEPT [189501:347063157]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [181007:352586132]
:POSTROUTING ACCEPT [181019:352589133]
COMMIT
# Completed on Mon May  7 12:24:47 2018


TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Strange slowness problem with iptables

Post by TrevorH » 2018/05/07 11:49:03

-A INPUT -s [mailserverip]/32 -d 151.99.125.2/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s [mailserverip]/32 -d 8.8.8.8/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s [mailserverip]/32 -d 151.99.0.100/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s [mailserverip]/32 -d 1.1.1.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s [mailserverip]/32 -d 1.0.0.1/32 -p udp -m udp --dport 53 -j ACCEPT
Those are all useless and should be deleted. They all say if the packet's source address is my mailserver and the destination is [one of those] and the destination is UDP port 53 then accept it. But this is the INPUT chain so there will never be any packets on that chain going in that direction.
-A INPUT -s 151.99.125.2/32 -d [mailserverip]/32 -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -s 8.8.8.8/32 -d [mailserverip]/32 -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -s 151.99.0.100/32 -d [mailserverip]/32 -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -s 1.1.1.1/32 -d [mailserverip]/32 -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -s 1.0.0.1/32 -d [mailserverip]/32 -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
Likewise, these are all also useless. They all say if there is a packet coming from [your list of dns servers] and the source port is UDP 53 and the destination is your mailserver on a transient port then accept them. The only reason for having those rules is to accept packets in reply to DNS queries that you have sent but those will already have been accepted by the top rule in your set - -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
Are you running your own DNS server? If not then these are useless as they're used to allow access to your nameserver from outside. And if you are running your own DNS server then why all those other useless rules above?

If your DNS servers are external then when you query them, it will be allowed out as you have no OUTPUT rules at all and your OUTPUT policy is ACCEPT. That means all packets outbound from your server are allowed and any replies to those packets will also be allowed back by virtue of the RELATED,ESTABLISHED rule at the top. You do not need individual rules to allow the replies, it's already done.
-A INPUT -d [mailserverip]/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d [mailserverip]/32 -p tcp -m tcp --dport 443 -j ACCEPT
These are only useful if you have an http/https server on your machine.
-A INPUT -s [ourip1]/32 -d [mailserverip]/32 -p tcp -m tcp --dport 1024:65535 -j ACCEPT
-A INPUT -s [ourip3]/32 -d [mailserverip]/32 -p tcp -m tcp --dport 1024:65535 -j ACCEPT
-A INPUT -s [mailserverip]/32 -p tcp -j ACCEPT
No idea what these are meant to do but they don't make much sense.
-A INPUT -s 206.51.26.0/24 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 193.109.81.0/24 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 204.187.87.0/24 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 206.53.144.0/20 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 216.9.240.0/20 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 67.223.64.0/19 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 93.186.16.0/20 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 68.171.224.0/19 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 74.82.64.0/19 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 173.247.32.0/19 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 178.239.80.0/20 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 180.149.148.0/23 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 180.149.151.0/24 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 180.168.204.0/22 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 5.100.168.0/21 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 131.117.168.0/21 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 103.246.200.0/22 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 93.186.25.33/32 -d [mailserverip]/32 -j ACCEPT
You're unconditionally accepting any and all packets from those ip addresses. Some of them appear to belong to Blackberry, others have no data in whois to determine who they are but you obviously trust them a lot because they can access any of your network services at will.

I'd go through all your rules and check to see what they are doing and why they are there. Most of them look like junk to me. Simplify those and then see if things are better. You should not need any rules to allow DNS queries to take place from your server to an external one - packets going outbound are allowed as you have no OUTPUT rules and any replies to those will be allowed by the RELATED,ESTABLISHED rule at the top of the INPUT chain. You do not need explicit rules for each dns ip to allow the return packets.

If you're in doubt as to whether a rule is used, run iptables -nvL --lin and that will show you packet and byte counts on each rule to show how many times they've been matched. Rules with 0 usage have not been used since iptables was started up and are probably good candidates for review/deletion.
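The review above applies a handful of mechanical checks to the INPUT chain: a rule whose source is the host's own address can never match there, a rule that only matches replies (source port 53, high destination ports) is already covered by the RELATED,ESTABLISHED rule above it, a rule with no protocol or port restriction accepts everything from its source, and a rule with zero counters has matched nothing. The script below is an added example, not code from the thread or from the iptables project: it parses an `iptables-save -c` dump (the `-c` flag keeps the `[pkts:bytes]` counters that `iptables -nvL --lin` also shows) and reports those four conditions. The dump, the counters and the address 203.0.113.10 (standing in for `[mailserverip]`) are constructed for the example; negated (`!`) matches are skipped rather than analysed.

```python
"""Lint an iptables-save dump for INPUT rules that can never match, that only
duplicate the stateful RELATED,ESTABLISHED rule, that accept everything from a
source, or that have matched nothing. Best fed from `iptables-save -c`."""
import re
import shlex

# Constructed stand-in for the thread's [mailserverip] (a documentation range).
LOCAL_IP = "203.0.113.10"

# Constructed sample modelled on the thread's ruleset, in `iptables-save -c`
# format: "[pkts:bytes] -A CHAIN ...". Counters are made up.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3754:7940828]
[9123:1237766] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -s 203.0.113.10/32 -d 8.8.8.8/32 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A INPUT -s 8.8.8.8/32 -d 203.0.113.10/32 -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
[412:24720] -A INPUT -d 203.0.113.10/32 -p tcp -m tcp --dport 25 -j ACCEPT
[0:0] -A INPUT -s 203.0.113.10/32 -p tcp -j ACCEPT
[57:3420] -A INPUT -s 198.51.100.0/24 -d 203.0.113.10/32 -j ACCEPT
COMMIT
"""

# Optional "[pkts:bytes]" counter prefix, then "-A <chain> <matches...>".
RULE_RE = re.compile(r"^(?:\[(\d+):(\d+)\]\s+)?-A\s+(\S+)\s+(.*)$")


def parse_rules(dump):
    """Return one dict per -A line: chain, pkts (None without -c), opts, raw."""
    rules = []
    for raw in dump.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # table names, chain policies, COMMIT and comments
        pkts, _bytes, chain, rest = m.groups()
        toks = shlex.split(rest)
        opts = {}
        i = 0
        while i < len(toks):
            opt = toks[i]
            i += 1
            if opt == "!":
                # Negated match: skip the option it applies to; this lint does not model negation.
                i += 1
                while i < len(toks) and not toks[i].startswith("-"):
                    i += 1
                continue
            if not opt.startswith("-"):
                continue
            vals = []
            while i < len(toks) and not toks[i].startswith("-"):
                vals.append(toks[i])
                i += 1
            # Repeated options (-m state ... -m udp) accumulate their values.
            opts.setdefault(opt, []).extend(vals)
        rules.append({"chain": chain, "pkts": None if pkts is None else int(pkts),
                      "opts": opts, "raw": raw.strip()})
    return rules


def host_of(spec):
    """Address of a single-host spec (a.b.c.d or a.b.c.d/32); None for a wider prefix."""
    addr, _, mask = spec.partition("/")
    return addr if mask in ("", "32") else None


def lint_input_chain(rules, local_ip):
    """Return (position, code, message) findings for the INPUT chain."""
    findings = []
    stateful_at = None  # position of the first RELATED,ESTABLISHED accept
    pos = 0
    for r in rules:
        if r["chain"] != "INPUT":
            continue
        pos += 1
        o = r["opts"]
        if "ESTABLISHED" in ",".join(o.get("--state", [])) and o.get("-j") == ["ACCEPT"]:
            stateful_at = stateful_at or pos
            continue
        src = o.get("-s", [None])[0]
        if src is not None and host_of(src) == local_ip:
            findings.append((pos, "self-source",
                             "INPUT never sees packets whose source is this host's own address"))
        if "--sport" in o and "--state" not in o and stateful_at is not None:
            findings.append((pos, "reply-only",
                             f"reply-style match already accepted by the RELATED,ESTABLISHED rule at position {stateful_at}"))
        if "-p" not in o and "-m" not in o and o.get("-j") == ["ACCEPT"]:
            findings.append((pos, "blanket-accept",
                             f"accepts every protocol and port from {src or 'anywhere'}"))
        if r["pkts"] == 0:
            findings.append((pos, "unused", "0 packets matched since the counters were last reset"))
    return findings


if __name__ == "__main__":
    for pos, code, msg in lint_input_chain(parse_rules(SAMPLE_DUMP), LOCAL_IP):
        print(f"INPUT rule {pos:>2} [{code}] {msg}")
```

Run against a real dump with `iptables-save -c | python3 lint.py` after replacing SAMPLE_DUMP with `sys.stdin.read()`; the "unused" finding is only meaningful once the counters have covered a representative period of traffic, exactly as the reply notes.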

niente0
Posts: 5
Joined: 2018/05/07 10:46:26

Re: Strange slowness problem with iptables

Post by niente0 » 2018/05/07 13:35:45

Thank you for your analysis of the rules!! I commented out all the unnecessary ones.
I kept the 80 and 443 rules because I have webmail on my server. I also have a local DNS on it.
Sadly, the slowness problem still persists if I remove the "accept all" rule.
I'm currently allowing all connections to the server to make the email service work (I know it's dangerous, but my company can't live without it).

I enabled iptables log, and I found a bunch of these lines in /var/messages:

Code:

May  7 14:55:59 Xxxxxxxx kernel: INPUT-DROPPED IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47457 DF PROTO=TCP SPT=41768 DPT=53 WINDOW=65495 RES=0x00 SYN URGP=0
May  7 14:55:59 Xxxxxxxx kernel: INPUT-DROPPED IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=45320 DF PROTO=TCP SPT=59986 DPT=8891 WINDOW=65495 RES=0x00 SYN URGP=0
May  7 14:56:01 Xxxxxxxx kernel: INPUT-DROPPED IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47458 DF PROTO=TCP SPT=41768 DPT=53 WINDOW=65495 RES=0x00 SYN URGP=0
May  7 14:56:01 Xxxxxxxx kernel: INPUT-DROPPED IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10525 DF PROTO=TCP SPT=59984 DPT=8891 WINDOW=65495 RES=0x00 SYN URGP=0
May  7 14:56:05 Xxxxxxxx kernel: INPUT-DROPPED IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47459 DF PROTO=TCP SPT=41768 DPT=53 WINDOW=65495 RES=0x00 SYN URGP=0
May  7 14:56:05 Xxxxxxxx kernel: INPUT-DROPPED IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57597 DF PROTO=TCP SPT=59988 DPT=8891 WINDOW=65495 RES=0x00 SYN URGP=0
8891 seems to be an OpenDKIM port, do I have to open it?
Thanks
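The log lines above all have IN=lo with SRC and DST 127.0.0.1: they are the server's own services connecting to the local resolver (DPT=53) and, as the post guesses, to the OpenDKIM socket (DPT=8891), and with an INPUT policy of DROP and no rule accepting loopback traffic those connections are dropped. The script below is an added example, not from the thread: it parses the `KEY=value` fields that the iptables LOG target writes into the kernel log, counts drops by interface, protocol and destination port, and singles out the loopback ones so they are not lost among drops of unsolicited traffic on the external interface. The sample lines are constructed to resemble the ones above (hostname `mx`, the eth0 line, the sshd line and the addresses are made up); the "INPUT-DROPPED" prefix is the one the post shows.

```python
"""Summarise kernel firewall-drop log lines (iptables LOG target) by interface,
protocol and destination port, and single out drops on the loopback interface,
which mean local services are being blocked from talking to 127.0.0.1."""
import re
from collections import Counter

# Constructed sample modelled on the thread's output. The eth0 drop and the
# sshd line are included to show that unrelated lines are ignored or separated.
SAMPLE_LOG = """\
May  7 14:55:59 mx kernel: INPUT-DROPPED IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47457 DF PROTO=TCP SPT=41768 DPT=53 WINDOW=65495 RES=0x00 SYN URGP=0
May  7 14:55:59 mx kernel: INPUT-DROPPED IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=45320 DF PROTO=TCP SPT=59986 DPT=8891 WINDOW=65495 RES=0x00 SYN URGP=0
May  7 14:56:01 mx kernel: INPUT-DROPPED IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47458 DF PROTO=TCP SPT=41768 DPT=53 WINDOW=65495 RES=0x00 SYN URGP=0
May  7 14:56:01 mx kernel: INPUT-DROPPED IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10525 DF PROTO=TCP SPT=59984 DPT=8891 WINDOW=65495 RES=0x00 SYN URGP=0
May  7 14:56:03 mx sshd[2210]: Accepted publickey for admin from 198.51.100.7 port 50112 ssh2
May  7 14:56:05 mx kernel: INPUT-DROPPED IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=192.0.2.77 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# One KEY=value field; "OUT=" with an empty value still matches.
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_drops(text, prefix="INPUT-DROPPED"):
    """Return a dict of the KEY=value fields for each kernel line carrying `prefix`."""
    events = []
    marker = f"kernel: {prefix}"
    for line in text.splitlines():
        if marker not in line:
            continue  # not a firewall log line (other daemons, other prefixes)
        stamp, _, fields = line.partition(marker)
        ev = dict(KV_RE.findall(fields))
        ev["ts"] = stamp.strip()[:15]  # syslog timestamp, e.g. "May  7 14:55:59"
        events.append(ev)
    return events


def summarize(events):
    """Drop counts keyed by (interface, protocol, destination port)."""
    return Counter((e.get("IN", "?"), e.get("PROTO", "?"), e.get("DPT", "-")) for e in events)


def diagnose(events):
    """Separate loopback drops (local services blocked from 127.0.0.1) from the rest."""
    lo = [e for e in events if e.get("IN") == "lo"]
    return {
        "loopback_drops": len(lo),
        "loopback_ports": sorted({int(e["DPT"]) for e in lo if e.get("DPT", "").isdigit()}),
        "other": {k: n for k, n in summarize(events).items() if k[0] != "lo"},
    }


if __name__ == "__main__":
    rep = diagnose(parse_drops(SAMPLE_LOG))
    if rep["loopback_drops"]:
        print(f"{rep['loopback_drops']} drops on lo towards ports {rep['loopback_ports']}: "
              "INPUT has no ACCEPT for -i lo, so local services cannot reach 127.0.0.1")
    for (iface, proto, dpt), n in sorted(rep["other"].items()):
        print(f"{n:>4} dropped on {iface} {proto} dpt {dpt}")
```

Feed it the real log with `grep INPUT-DROPPED /var/log/messages` piped into `parse_drops`; any non-zero loopback count is the signature of the missing `-i lo` accept, while the per-port table for other interfaces shows which external drops are expected policy and which are services you forgot to open.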

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Strange slowness problem with iptables

Post by TrevorH » 2018/05/07 13:56:37

I think you are missing

iptables -I INPUT 2 -i lo -j ACCEPT

niente0
Posts: 5
Joined: 2018/05/07 10:46:26

Re: Strange slowness problem with iptables

Post by niente0 » 2018/05/09 09:50:44

Hello and thanks for support.
I added the missing loopback rule to my firewall. The slowness problem still persists, so the firewall is currently disabled :? .
Do you have any other advice for finding the source of this problem? What else could I try to diagnose my mailserver?
Thanks

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Strange slowness problem with iptables

Post by TrevorH » 2018/05/10 01:28:55

Post the current rules in iptables-save format

Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Re: Strange slowness problem with iptables

Post by Whoever » 2018/05/10 03:23:30

niente0 wrote: Hello and thanks for support.
I added the missing loopback rule to my firewall. The slowness problem still persists, so the firewall is currently disabled :? .
Do you have any other advice for finding the source of this problem? What else could I try to diagnose my mailserver?
Thanks

What nameservers do you have configured and are they all working?

niente0
Posts: 5
Joined: 2018/05/07 10:46:26

Re: Strange slowness problem with iptables

Post by niente0 » 2018/05/10 09:33:43

Hello, I use the following nameservers: 1.1.1.1 and 1.0.0.1.
Anyway, it seems that now the problem is solved!! I restarted the whole mailserver a couple of times and now it seems to work without slowing down.
I'm not sure what the problem was; anyway, after modifying the firewall as suggested and doing some reboots it runs at full speed!
Now I'll do the same for my other mailserver, which shows the same problem.

Thank you for your kind help, much appreciated ;)

Here's my latest iptables (for reference):

Code:

# Generated by iptables-save v1.4.7 on Mon May  7 16:02:53 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [384:216164]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -d [mailserverip]/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d [mailserverip]/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s [ourip1]/32 -d [mailserverip]/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s [ourip2]/32 -d [mailserverip]/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s [ourip1]/32 -d [mailserverip]/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s [ourip3]/32 -d [mailserverip]/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s [ourip2]/32 -d [mailserverip]/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s [ourip4]/32 -d [mailserverip]/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s [ourip5]/32 -d [mailserverip]/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d [mailserverip]/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -d [mailserverip]/32 -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -d [mailserverip]/32 -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -d [mailserverip]/32 -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -d [mailserverip]/32 -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -d [mailserverip]/32 -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -d [mailserverip]/32 -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 783 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s [ourip1]/32 -p tcp -m state --state NEW -m tcp -m multiport --dports 5901:5903,6001:6003 -j ACCEPT
-A INPUT -s [ourip2]/32 -p tcp -m state --state NEW -m tcp -m multiport --dports 5901:5903,6001:6003 -j ACCEPT
-A INPUT -s 206.51.26.0/24 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 193.109.81.0/24 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 204.187.87.0/24 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 206.53.144.0/20 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 216.9.240.0/20 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 67.223.64.0/19 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 93.186.16.0/20 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 68.171.224.0/19 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 74.82.64.0/19 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 173.247.32.0/19 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 178.239.80.0/20 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 180.149.148.0/23 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 180.149.151.0/24 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 180.168.204.0/22 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 5.100.168.0/21 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 131.117.168.0/21 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 103.246.200.0/22 -d [mailserverip]/32 -j ACCEPT
-A INPUT -s 93.186.25.33/32 -d [mailserverip]/32 -j ACCEPT
-A INPUT -p tcp -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
COMMIT
# Completed on Mon May  7 16:02:53 2018
# Generated by iptables-save v1.4.7 on Mon May  7 16:02:53 2018
*nat
:PREROUTING ACCEPT [1284:74835]
:POSTROUTING ACCEPT [5909:444048]
:OUTPUT ACCEPT [5909:444048]
COMMIT
# Completed on Mon May  7 16:02:53 2018
# Generated by iptables-save v1.4.7 on Mon May  7 16:02:53 2018
*mangle
:PREROUTING ACCEPT [121982:159518285]
:INPUT ACCEPT [121982:159518285]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [112034:203851903]
:POSTROUTING ACCEPT [112034:203851903]
COMMIT
# Completed on Mon May  7 16:02:53 2018
