IPtables slowing down my proftpd server.
I've been working on a new Linux box with a proftpd server and I'm at the point where I need to secure the server.
Iptables is set to block everything incoming and outgoing except a few services like SSH INPUT, ICMP INPUT & OUTPUT, DNS OUTPUT and FTP INPUT.
Here is the rule that seems to be causing problems:
-A INPUT -i eth0 -d 192.168.25.172/255.255.255.255 -p tcp -m tcp --sport 1024:65535 --dport 21 -j ACCEPT
If iptables is off, I get a prompt for a username in less than a second. When iptables is turned on, it takes a good 5-10 seconds.
I also have 4 stateful rules:
-A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
Has anyone ever encountered a similar problem? Does anyone have any idea of what could possibly be wrong in this case?
Many thanks! :D
I just found the solution to my problem. I spammed netstat and packet-sniffed myself to finally see that the authentication was tried on port 113 first, then timed out and was tried on port 21.
So if anyone is having a similar problem, opening TCP port 113 in iptables worked for me. It might be a different port for other services; it's just a matter of finding which one.
Sorry for this late reply, but if you add IdentLookups off within the <Global></Global> option, then this will also fix the "slow" login.
I'm not 100% sure, but I used to have this problem also (with my IPtables), and doing the "IdentLookups off" fixed the problem for me.
Thanks a lot, I will try that with port 113 removed from iptables and see what happens.
EDIT: Yep, that made it and I prefer that solution too. Thank you very much!
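To make the mechanism behind both answers concrete, here is an added example (not code from the thread or from the proftpd project). proftpd with IdentLookups on, its default, opens a new TCP connection from the server back to the client's port 113 before it shows the login banner; with a default-deny OUTPUT chain that SYN is dropped silently and proftpd waits for its ident timeout, which is the 5-10 second delay described above. The script below walks the subset of iptables syntax used in this thread to show the verdict for that probe, checks a proftpd.conf fragment for the IdentLookups directive, and goes one step beyond the thread by showing a REJECT rule that makes the probe fail immediately instead of timing out. The rule lists and config text are constructed samples, and a DROP chain policy is assumed, matching the "block everything" setup in the question.

```python
"""Added example: what a default-deny OUTPUT chain does to proftpd's IDENT probe."""
from dataclasses import dataclass
from typing import Optional

PortRange = tuple[int, int]


@dataclass
class Rule:
    chain: str
    target: str
    proto: Optional[str] = None
    dport: Optional[PortRange] = None
    sport: Optional[PortRange] = None
    states: Optional[frozenset] = None


def _port_range(text: str) -> PortRange:
    lo, _, hi = text.partition(":")
    return int(lo), int(hi or lo)


def parse_rule(line: str) -> Rule:
    """Parse one iptables-save style '-A CHAIN ...' line (only the options used on this page)."""
    toks = line.split()
    fields = {}
    i = 0
    while i < len(toks):
        tok = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else ""
        if tok == "-A":
            fields["chain"] = arg
        elif tok == "-j":
            fields["target"] = arg
        elif tok == "-p":
            fields["proto"] = arg
        elif tok == "--dport":
            fields["dport"] = _port_range(arg)
        elif tok == "--sport":
            fields["sport"] = _port_range(arg)
        elif tok == "--state":
            fields["states"] = frozenset(arg.split(","))
        else:
            i += 1  # -i/-o/-d/-m/--reject-with and their values are not matched by this toy
            continue
        i += 2
    return Rule(**fields)


def verdict(rules, chain, proto, dport, sport, state, policy="DROP"):
    """First matching rule wins; a packet that matches nothing gets the chain policy."""
    for r in rules:
        if r.chain != chain or (r.proto and r.proto != proto):
            continue
        if r.dport and not r.dport[0] <= dport <= r.dport[1]:
            continue
        if r.sport and not r.sport[0] <= sport <= r.sport[1]:
            continue
        if r.states and state not in r.states:
            continue
        return r.target
    return policy


def ident_probe_outcome(rules, policy="DROP"):
    """Fate of proftpd's outbound IDENT probe: server -> client:113, conntrack state NEW."""
    v = verdict(rules, "OUTPUT", "tcp", dport=113, sport=50000, state="NEW", policy=policy)
    return {
        "ACCEPT": "sent: finishes quickly if the client answers or resets the connection",
        "REJECT": "rejected locally: proftpd gets an immediate error and skips ident",
        "DROP": "silently dropped: proftpd waits for its ident timeout before the banner",
    }.get(v, v)


def ident_lookups_enabled(conf: str) -> bool:
    """proftpd's default is on; the first explicit IdentLookups directive decides."""
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() == "identlookups":
            return parts[1].lower() != "off"
    return True


# Constructed sample: the FTP accept rule and the four stateful rules quoted in the question.
THREAD_RULES = [parse_rule(l) for l in """
-A INPUT -i eth0 -d 192.168.25.172/255.255.255.255 -p tcp -m tcp --sport 1024:65535 --dport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
""".strip().splitlines()]

# Constructed variant: answer the probe with a TCP reset so the lookup fails at once.
FAST_FAIL_RULES = THREAD_RULES + [parse_rule(
    "-A OUTPUT -o eth0 -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset")]

if __name__ == "__main__":
    print("thread rules    :", ident_probe_outcome(THREAD_RULES))
    print("with REJECT 113 :", ident_probe_outcome(FAST_FAIL_RULES))
    sample_conf = "<Global>\n  IdentLookups off\n</Global>\n"
    print("IdentLookups enabled:", ident_lookups_enabled(sample_conf))
```

The REJECT rule only cures delays caused by the server's own firewall; a client whose network drops the probe still leaves proftpd waiting, which is why the IdentLookups off directive from the second answer is the more complete fix, and the REJECT rule is a reasonable belt-and-braces addition for any other daemon that still performs ident lookups.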