HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Server Operation (http://www.howtoforge.com/forums/forumdisplay.php?f=5)
-   -   IPtables slowing down my SSH login!? (http://www.howtoforge.com/forums/showthread.php?t=5246)

edge 29th June 2006 22:38
IPtables slowing down my SSH login!?
 
I'm at the moment doing some testing with IPtables on a test server running Debian Sarge 3.1

For some reason when I add IPtables the login for my SSH gets really slow!
After entering the login name, it takes about 5 to 10 seconds for the password question!

The strange thing is that when I flush the iptables, login is like normal again (fast)

I do not mind waiting 10 seconds, but what I do not know is if this is the only thing beeing slower...

This is what I'm using as IPtables: (I'm using SSH on the 10.0.0.247 IP)

Quote:
-A INPUT -d 127.0.0.1 -s 127.0.0.1 -j ACCEPT

-A INPUT -d 10.0.0.244 -p icmp -j ACCEPT
-A INPUT -d 10.0.0.245 -p icmp -j ACCEPT
-A INPUT -d 10.0.0.246 -p icmp -j ACCEPT
-A INPUT -d 10.0.0.247 -p icmp -j ACCEPT

-A INPUT -d 10.0.0.244 -p tcp --dport 80 -j ACCEPT
-A INPUT -d 10.0.0.244 -p tcp --dport 81 -j ACCEPT
-A INPUT -d 10.0.0.244 -p tcp --dport 443 -j ACCEPT
-A INPUT -d 10.0.0.244 -p tcp --dport 8080 -j ACCEPT
-A INPUT -d 10.0.0.244 -p tcp --dport 10000 -j ACCEPT

-A INPUT -d 10.0.0.245 -p tcp --dport 25 -j ACCEPT
-A INPUT -d 10.0.0.245 -p tcp --dport 53 -j ACCEPT
-A INPUT -d 10.0.0.245 -p udp --dport 53 -j ACCEPT

-A INPUT -d 10.0.0.246 -p tcp --dport 53 -j ACCEPT
-A INPUT -d 10.0.0.246 -p udp --dport 53 -j ACCEPT
-A INPUT -d 10.0.0.246 -p tcp --dport 110 -j ACCEPT

-A INPUT -d 10.0.0.247 -p tcp --dport 22 -j ACCEPT
-A INPUT -d 10.0.0.247 -p tcp --dport 20:21 -j ACCEPT
-A INPUT -d 10.0.0.247 -p tcp --dport 30000:50050 -j ACCEPT

-A INPUT -d 10.0.0.244 -j REJECT
-A INPUT -d 10.0.0.245 -j REJECT
-A INPUT -d 10.0.0.246 -j REJECT
-A INPUT -d 10.0.0.247 -j REJECT

-A INPUT -j REJECT
-A FORWARD -j REJECT

platd 29th June 2006 22:56
Is it a dns thing ?

edge 29th June 2006 22:57
Hmm I thought that I found the problem, but no....

I've just tested it on my "real" server, but it's slow as hell as soon as I start using IPtables.
I guess that it's got something todo with DNS lookups....

So for me the ALL:NONE in the /etc/host.deny file does not work.... Server is still slow when FTP'ing, SSH'ing and using Postfix (email)

Any suggestions?

edge 30th June 2006 15:23
Okay.. I've flushed the iptables again, and remade them with the Firewall option in WebMin. (Webmin > Networking > Linux Firewall)

All open ports are now pointing to the correct IP's, and the system is like normal :-)

For all people who have a slow SSH login and / or FTP (and yes even Email login), have a look at your IPtables! If there is a misstake in it, this can cause the slowdown!

Now my next problem... Interupts and context switches.. They are going crazy on the server here!

platd 30th June 2006 22:50
can you not turn off sshd doing a reverse look up by
UseDNS no etc ?

edge 30th June 2006 23:29
Yes I think it can, but it was not only SSH that was slow!
FTP and email (POP3/SMTP) verification was also really slow (I guess this can also be set to off)

It was for sure the reverse DNS that I was blocking with the 1st iptables rule set that I made..

But now with the new one all is working fine, and I did not need to dissable the reverse lookup part anywhere!

IPMolester 4th July 2006 11:33
Improve logging
 
You could improve logging to get a better idea on what IPTables are doing.

So instead of doing a -j REJECT, you could create a dedicated chain for logging the packet before you reject it. Then replace "-j REJECT" by "-j LDROP"

This is from my iptables script, I do drop some packets without logging them since there are simply to many of them.
Quote:
iptables -N LDROP
iptables -A LDROP -p tcp -i eth1 --dport 135 -j DROP
iptables -A LDROP -p tcp -i eth1 --dport 139 -j DROP
iptables -A LDROP -p udp -i eth1 --dport 137 -j DROP
iptables -A LDROP -p tcp -i eth1 --dport 445 -j DROP
iptables -A LDROP --proto tcp -j LOG --log-prefix "TCP Drop "
iptables -A LDROP --proto udp -j LOG --log-prefix "UDP Drop "
iptables -A LDROP --proto icmp -j LOG --log-prefix "ICMP Drop "
iptables -A LDROP --proto gre -j LOG --log-prefix "GRE Drop "
iptables -A LDROP -f -j LOG --log-prefix "FRAG Drop "
iptables -A LDROP -j DROP

edge 4th July 2006 13:56
Quote:
Originally Posted by IPMolester
You could improve logging to get a better idea on what IPTables are doing.

So instead of doing a -j REJECT, you could create a dedicated chain for logging the packet before you reject it. Then replace "-j REJECT" by "-j LDROP".....
Yes that does look good!

I'll give it a go with my next install :-)

This is what I have now, and it's working great! (for sure it can have some more tweaking)

(1) I have 4 IP's, and only ports open on the IP's that I want
(2) The IP's have been changed to protect the innocent
(3) IP: 71.161.100.344* is only open for port 80, 81, 443, 8080 and 10000
(4) IP: 71.161.100.345* is only open for port 25 and 53 (UDP/TCP)
(5) IP: 71.161.100.346* is only open for port 53 (UDP/TCP) and 110
(6) IP: 71.161.100.347* is only open for port 20, 21 22 and 30000 till 40000
* see point 2

Code:
-A INPUT -p tcp -m tcp -d 127.0.0.0/255.0.0.0 ! -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j PUB_IN
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG
-A FORWARD -j DROP
-A OUTPUT -o eth+ -j PUB_OUT
-A INT_IN -p icmp -j ACCEPT
-A INT_IN -j DROP
-A INT_OUT -p icmp -j ACCEPT
-A INT_OUT -j ACCEPT
-A PAROLE -j ACCEPT
-A PUB_OUT -j ACCEPT
-A PUB_IN -p icmp -d 71.161.100.344 -j ACCEPT
-A PUB_IN -p tcp -m tcp -d 71.161.100.344 --dport 80 -j PAROLE
-A PUB_IN -p tcp -m tcp -d 71.161.100.344 --dport 81 -j PAROLE
-A PUB_IN -p tcp -m tcp -d 71.161.100.344 --dport 443 -j PAROLE
-A PUB_IN -p tcp -m tcp -d 71.161.100.344 --dport 8080 -j PAROLE
-A PUB_IN -p tcp -m tcp -d 71.161.100.344 --dport 10000 -j PAROLE
-A PUB_IN -p icmp -d 71.161.100.345 -j PAROLE
-A PUB_IN -p tcp -m tcp -d 71.161.100.345 --dport 25 -j PAROLE
-A PUB_IN -p tcp -m tcp -d 71.161.100.345 --dport 53 -j PAROLE
-A PUB_IN -p udp -m udp -d 71.161.100.345 --dport 53 -j PAROLE
-A PUB_IN -p icmp -d 71.161.100.346 -j PAROLE
-A PUB_IN -p tcp -m tcp -d 71.161.100.346 --dport 53 -j PAROLE
-A PUB_IN -p udp -m udp -d 71.161.100.346 --dport 53 -j PAROLE
-A PUB_IN -p tcp -m tcp -d 71.161.100.346 --dport 110 -j PAROLE
-A PUB_IN -p icmp -d 71.161.100.347 -j  DROP
-A PUB_IN -p tcp -m tcp -d 71.161.100.347 --dport 20:21 -j PAROLE
-A PUB_IN -p tcp -m tcp -d 71.161.100.347 --dport 22-j PAROLE
-A PUB_IN -p tcp -m tcp -d 71.161.100.347 --dport 30000:40000 -j PAROLE
-A PUB_IN -j LOG
-A PUB_IN -p icmp -j DROP
-A PUB_IN -j DROP
-A INPUT -j DROP


All times are GMT +2. The time now is 18:50.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2013, vBulletin Solutions, Inc.