slow response when using iptables

Support for security such as Firewalls and securing linux
ixeous
Posts: 113
Joined: 2005/07/07 13:01:59

slow response when using iptables

Post by ixeous » 2007/01/12 21:15:10

I'm having an odd issue on a web server when I filter traffic with iptables. If I try to connect to the machine via http or ssh, it times out. It will connect after retrying several times. I enabled logging (debug level) and duplicated the problem, but nothing shows up in the logs that indicate a problem to me. If I disable iptables (service iptables off), the problem goes away. I did find a post that suggested the problem may be identd and to add a line to OUTPUT to reject any traffic on port 113, but the log does not show that it's trying to do that. Below are my iptables rules and log results for INPUT and OUTPUT when the problem occurs. Does anybody have any ideas? TIA

BTW - I have had this occur from multiple external networks and even within the same subnet as the server

[code]# iptables -nL

Chain INPUT (policy DROP)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
ACCEPT tcp -- 127.0.0.1 127.0.0.1 tcp dpt:3306
ACCEPT tcp -- 127.0.0.1 127.0.0.1 tcp dpt:25

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7[/code]

[log results for INPUT]

[code]IN=eth0 OUT= MAC=[MAC ADDRESS] SRC=[external IP] DST=[server IP] LEN=48 TOS=0x10 PREC=0x20 TTL=113 ID=4572 DF PROTO=TCP SPT=30456 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0[/code]

[log results for OUTPUT]

[code]IN= OUT=eth0 SRC=[server IP] DST=[external IP] LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=30456 WINDOW=5840 RES=0x00 ACK SYN URGP=0
IN= OUT=eth0 SRC=[server IP] DST=[external IP] LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=30456 WINDOW=5840 RES=0x00 ACK SYN URGP=0
IN= OUT=eth0 SRC=[server IP] DST=[external IP] LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=30456 WINDOW=5840 RES=0x00 ACK SYN URGP=0
IN= OUT=eth0 SRC=[server IP] DST=[external IP] LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=30456 WINDOW=5840 RES=0x00 ACK SYN URGP=0[/code]
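As an added example (not code from the thread), a small Python script that parses netfilter LOG lines in the format quoted above and flags handshakes where the server's SYN-ACK was retransmitted and no ACK from the client was ever logged, which is exactly what the OUTPUT log shows. The embedded sample log is constructed, with documentation addresses standing in for the real hosts.

```python
from collections import defaultdict

# Constructed sample in the shape of the LOG lines quoted above (some fields trimmed):
# one stalled HTTP handshake with three SYN-ACK retransmits, one SSH handshake that completes.
SAMPLE_LOG = """\
IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=48 TTL=113 ID=4572 DF PROTO=TCP SPT=30456 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=48 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=30456 WINDOW=5840 RES=0x00 ACK SYN URGP=0
IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=48 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=30456 WINDOW=5840 RES=0x00 ACK SYN URGP=0
IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=48 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=30456 WINDOW=5840 RES=0x00 ACK SYN URGP=0
IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=64 ID=10 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=40000 WINDOW=5792 RES=0x00 ACK SYN URGP=0
IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=52 TTL=64 ID=11 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_log_line(line):
    """Split one netfilter LOG line into key=value fields plus a set of TCP flags."""
    toks = line.split()
    fields = dict(t.split("=", 1) for t in toks if "=" in t)   # IN= gives IN -> ""
    fields["FLAGS"] = {t for t in toks if t in TCP_FLAGS}        # bare flag words
    return fields

def handshake_report(lines):
    """Count SYN in, SYN-ACK out and ACK in per (client, server, client port, server port)."""
    state = defaultdict(lambda: {"syn_in": 0, "synack_out": 0, "ack_in": 0})
    for f in map(parse_log_line, lines):
        if f.get("PROTO") != "TCP":
            continue
        if f.get("IN"):                        # inbound packet: SRC is the client
            key = (f["SRC"], f["DST"], f["SPT"], f["DPT"])
            if f["FLAGS"] == {"SYN"}:
                state[key]["syn_in"] += 1
            elif "ACK" in f["FLAGS"] and "SYN" not in f["FLAGS"]:
                state[key]["ack_in"] += 1
        elif f.get("OUT"):                     # outbound packet: DST is the client
            key = (f["DST"], f["SRC"], f["DPT"], f["SPT"])
            if f["FLAGS"] == {"SYN", "ACK"}:
                state[key]["synack_out"] += 1
    return dict(state)

def stalled_handshakes(lines):
    """Handshakes where our SYN-ACK was retransmitted and no ACK ever came back."""
    return sorted(key for key, s in handshake_report(lines).items()
                  if s["synack_out"] > 1 and s["ack_in"] == 0)

if __name__ == "__main__":
    for client, server, cport, sport in stalled_handshakes(SAMPLE_LOG.splitlines()):
        print(f"stalled: {client}:{cport} -> {server}:{sport} (SYN-ACK retransmitted, no ACK seen)")
```

Run it against the LOG lines grep'd out of /var/log/messages; a stalled 4-tuple means the server's reply or the client's final ACK is being lost, which narrows the problem to the path or the INPUT rules rather than the listening service.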

NedSlider
Forum Moderator
Posts: 2890
Joined: 2005/10/28 13:11:50
Location: UK

Re: slow response when using iptables

Post by NedSlider » 2007/01/13 20:42:34

Not sure if this is specifically your problem, but try opening up the localhost loopback interface:

[code]iptables -A INPUT -i lo -j ACCEPT[/code]

I see no reason to filter localhost and doing so can cause strange problems.

ixeous
Posts: 113
Joined: 2005/07/07 13:01:59

Re: slow response when using iptables

Post by ixeous » 2007/01/16 02:26:40

I've opened up everything on the localhost, but no change.

NedSlider
Forum Moderator
Posts: 2890
Joined: 2005/10/28 13:11:50
Location: UK

Re: slow response when using iptables

Post by NedSlider » 2007/01/16 20:33:14

[quote]
ixeous wrote:
I've opened up everything on the localhost, but no change.[/quote]

For all protocols, not just TCP?

SSH should certainly work with nothing other than port 22 open to tcp connections.

Any other security measures in place - TCP wrappers, SELinux??

Can you port scan ports 22 and 80 from a remote machine?

How about trying a packet capture as you try to connect to see if that gives you any clues.

pjwelsh
Posts: 2598
Joined: 2007/01/07 02:18:02
Location: Central IL USA

Re: slow response when using iptables

Post by pjwelsh » 2007/01/16 20:44:53

I suck at iptables! Many others are MUCH better. I would suggest something like "MonMotha's IPTABLES Firewall" script from:
http://monmotha.mplug.org/firewall/
or something like:
"Arno's IPTABLES Firewall Script" from:
http://rocky.eld.leidenuniv.nl/
or search for "iptables gui" on fresheat.net or sourceforge.com if you're GUI inclined.


Return to “CentOS 4 - Security Support”