HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Thread: IPtables slowing down my proftpd server. (http://www.howtoforge.com/forums/showthread.php?t=11408)

Tohubohu 15th March 2007 15:14

IPtables slowing down my proftpd server.
 
Hello,

I've been working on a new Linux box with a proftpd server and I'm at the point where I need to secure the server.

Iptables is set to block everything incoming and outgoing except a few services like SSH INPUT, ICMP INPUT & OUTPUT, DNS OUTPUT and FTP INPUT.

Here is the rule that seems to be causing problems:

-A INPUT -i eth0 -d 192.168.25.172/255.255.255.255 -p tcp -m tcp --sport 1024:65535 --dport 21 -j ACCEPT

If iptables is off, I get a prompt for a username in less than a second. When iptables is turned on, it takes a good 5-10 seconds.

I also have 4 stateful rules:

-A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

Has anyone ever encountered a similar problem? Does anyone have any idea what can possibly be wrong in this case?

Many thanks! :D

Tohubohu 15th March 2007 18:14

I just found the solution to my problem. I spammed netstat and packet-sniffed myself to finally see that the authentication was tried on port 113 first, then timed out and tried on port 21.

So if anyone is having a similar problem, opening tcp port 113 in iptables worked for me. It might be a different port for other services; it's just a matter of finding which one.

edge 17th March 2007 22:10

Sorry for this late reply, but if you add IdentLookups off within the <Global></Global> option, then this will also fix the "slow" login.

I'm not 100% sure, but I used to have this problem also (with my IPtables), and doing the "IdentLookups off" fixed the problem for me.

Tohubohu 19th March 2007 12:47

Thanks a lot, I will try that with port 113 removed from iptables and see what happens.

EDIT: Yep, that made it and I prefer that solution too. Thank you very much!
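An added check (not code from any of the posters) that shows why the login stalls and tests the two fixes from the thread against constructed inputs: proftpd performs an RFC 1413 ident query to the connecting client's TCP port 113 before prompting for a username, so a firewall that silently DROPs that outgoing SYN makes each login wait for the lookup to time out, while an explicit REJECT (or IdentLookups off) makes it fail immediately. The rulesets, config fragments and function names below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Checks an iptables-save style ruleset and
# a proftpd.conf fragment for the ident (TCP/113) delay discussed above.

# Constructed ruleset mirroring the poster's: DROP policies, no rule for 113,
# so the server's outgoing ident SYN to the client is silently discarded.
RULES_BEFORE='*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 21 -j ACCEPT
COMMIT'

# Same ruleset, but the ident SYN is answered locally with a TCP reset, so the
# lookup fails in milliseconds instead of waiting for a timeout.
RULES_AFTER='*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 21 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
COMMIT'

# Constructed proftpd.conf fragments, without and with the fix from the thread.
CONF_BEFORE='<Global>
  UseReverseDNS off
</Global>'
CONF_AFTER='<Global>
  UseReverseDNS off
  IdentLookups  off
</Global>'

# Returns 0 if the OUTPUT chain explicitly ACCEPTs or REJECTs TCP/113 (fast
# failure), 1 if the SYN would fall through to the DROP policy and hang.
fw_ident_fast() {
    printf '%s\n' "$1" | grep -Eq -- '^-A OUTPUT .*--dport 113 .*-j (ACCEPT|REJECT)'
}

# Returns 0 if the proftpd config disables ident lookups altogether.
conf_ident_off() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*IdentLookups[[:space:]]+off[[:space:]]*$'
}

# Prints "fast" when either fix is present, "slow" otherwise (the 5-10 s case).
login_delay_check() {
    if conf_ident_off "$2" || fw_ident_fast "$1"; then echo fast; else echo slow; fi
}

login_delay_check "$RULES_BEFORE" "$CONF_BEFORE"   # slow
login_delay_check "$RULES_AFTER"  "$CONF_BEFORE"   # fast
login_delay_check "$RULES_BEFORE" "$CONF_AFTER"    # fast
```

On a live host the same functions can be fed `iptables-save` output and the real proftpd.conf; the REJECT rule is the firewall-side equivalent of the poster's "open port 113", because what matters is that the lookup gets an answer instead of silence.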

