HowtoForge Forums > Linux Forums > Server Operation

#1, 29th June 2006, 23:38, edge (Moderator, The Netherlands)
IPtables slowing down my SSH login!?

I'm at the moment doing some testing with IPtables on a test server running Debian Sarge 3.1.

For some reason, when I add IPtables the login for my SSH gets really slow!
After entering the login name, it takes about 5 to 10 seconds for the password question!

The strange thing is that when I flush the iptables, login is like normal again (fast).

I do not mind waiting 10 seconds, but what I do not know is if this is the only thing being slower...

This is what I'm using as IPtables: (I'm using SSH on the 10.0.0.247 IP)

Quote:
-A INPUT -d 127.0.0.1 -s 127.0.0.1 -j ACCEPT

-A INPUT -d 10.0.0.244 -p icmp -j ACCEPT
-A INPUT -d 10.0.0.245 -p icmp -j ACCEPT
-A INPUT -d 10.0.0.246 -p icmp -j ACCEPT
-A INPUT -d 10.0.0.247 -p icmp -j ACCEPT

-A INPUT -d 10.0.0.244 -p tcp --dport 80 -j ACCEPT
-A INPUT -d 10.0.0.244 -p tcp --dport 81 -j ACCEPT
-A INPUT -d 10.0.0.244 -p tcp --dport 443 -j ACCEPT
-A INPUT -d 10.0.0.244 -p tcp --dport 8080 -j ACCEPT
-A INPUT -d 10.0.0.244 -p tcp --dport 10000 -j ACCEPT

-A INPUT -d 10.0.0.245 -p tcp --dport 25 -j ACCEPT
-A INPUT -d 10.0.0.245 -p tcp --dport 53 -j ACCEPT
-A INPUT -d 10.0.0.245 -p udp --dport 53 -j ACCEPT

-A INPUT -d 10.0.0.246 -p tcp --dport 53 -j ACCEPT
-A INPUT -d 10.0.0.246 -p udp --dport 53 -j ACCEPT
-A INPUT -d 10.0.0.246 -p tcp --dport 110 -j ACCEPT

-A INPUT -d 10.0.0.247 -p tcp --dport 22 -j ACCEPT
-A INPUT -d 10.0.0.247 -p tcp --dport 20:21 -j ACCEPT
-A INPUT -d 10.0.0.247 -p tcp --dport 30000:50050 -j ACCEPT

-A INPUT -d 10.0.0.244 -j REJECT
-A INPUT -d 10.0.0.245 -j REJECT
-A INPUT -d 10.0.0.246 -j REJECT
-A INPUT -d 10.0.0.247 -j REJECT

-A INPUT -j REJECT
-A FORWARD -j REJECT
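The rule set above has no rule that lets reply packets back in for connections the server opens itself. sshd does a reverse DNS lookup of the client before it prompts for the password; the resolver's UDP answer (from port 53 to a random local port) matches none of the ACCEPT lines and hits the REJECT rules, so sshd waits for the resolver to time out. The same happens to FTP and mail daemons that do lookups. The script below is an added example, not edge's ruleset and not the one Webmin later generated: it keeps the addresses and ports from post #1 (10.0.0.244 to 10.0.0.247, sshd on 10.0.0.247) and adds a stateful rule, then runs a small check against a trimmed copy of the original rules and against the new ones to show which of them would accept reply traffic. Everything beyond the posted addresses and ports is an assumption made for illustration.

```shell
#!/bin/sh
# Added example (not the poster's ruleset). Assumes the addresses and ports
# from post #1; the chain policies and the state rule are assumptions.

# Trimmed copy of the original INPUT rules from post #1, embedded here as
# constructed input so the check below can run offline.
original_rules() {
    cat <<'EOF'
-A INPUT -d 127.0.0.1 -s 127.0.0.1 -j ACCEPT
-A INPUT -d 10.0.0.247 -p icmp -j ACCEPT
-A INPUT -d 10.0.0.247 -p tcp --dport 22 -j ACCEPT
-A INPUT -d 10.0.0.247 -j REJECT
-A INPUT -j REJECT
-A FORWARD -j REJECT
EOF
}

# The same policy in iptables-restore format, with a state rule near the
# top: packets that belong to a connection this host opened (e.g. the UDP
# answer to sshd's reverse lookup) are accepted before any REJECT is reached.
stateful_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -d 10.0.0.244 -p icmp -j ACCEPT
-A INPUT -d 10.0.0.245 -p icmp -j ACCEPT
-A INPUT -d 10.0.0.246 -p icmp -j ACCEPT
-A INPUT -d 10.0.0.247 -p icmp -j ACCEPT
-A INPUT -d 10.0.0.244 -p tcp -m multiport --dports 80,81,443,8080,10000 -m state --state NEW -j ACCEPT
-A INPUT -d 10.0.0.245 -p tcp -m multiport --dports 25,53 -m state --state NEW -j ACCEPT
-A INPUT -d 10.0.0.245 -p udp --dport 53 -j ACCEPT
-A INPUT -d 10.0.0.246 -p tcp -m multiport --dports 53,110 -m state --state NEW -j ACCEPT
-A INPUT -d 10.0.0.246 -p udp --dport 53 -j ACCEPT
-A INPUT -d 10.0.0.247 -p tcp -m multiport --dports 20,21,22 -m state --state NEW -j ACCEPT
-A INPUT -d 10.0.0.247 -p tcp --dport 30000:50050 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# Return 0 when the INPUT chain read from stdin accepts ESTABLISHED traffic
# before its first REJECT/DROP rule, i.e. reply packets get back in.
# A ruleset that fails this check shows the slow-login pattern from the thread.
accepts_replies() {
    awk '
        /^-A INPUT/ && /ESTABLISHED/ && !state { state = NR }
        /^-A INPUT/ && /-j (REJECT|DROP)/ && !reject { reject = NR }
        END { exit !(state && (!reject || state < reject)) }
    '
}

# Stand-alone usage: report both rulesets.
if original_rules | accepts_replies; then echo "original: ok"; else echo "original: reply traffic rejected"; fi
if stateful_rules | accepts_replies; then echo "stateful: ok"; else echo "stateful: reply traffic rejected"; fi
```

To load the stateful version on the box itself, run `stateful_rules | iptables-restore` as root (the script as written only prints). Keeping the state rule at the top also means each listening service needs only its NEW rule, which is why the per-port lines above carry `--state NEW`.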

#2, 29th June 2006, 23:56, platd (Member)

Is it a DNS thing?

#3, 29th June 2006, 23:57, edge (Moderator)

Hmm, I thought that I found the problem, but no....

I've just tested it on my "real" server, but it's slow as hell as soon as I start using IPtables.
I guess that it's got something to do with DNS lookups....

So for me the ALL:NONE in the /etc/host.deny file does not work.... The server is still slow when FTP'ing, SSH'ing and using Postfix (email).

Any suggestions?

Last edited by edge; 30th June 2006 at 01:54.

#4, 30th June 2006, 16:23, edge (Moderator)

Okay... I've flushed the iptables again and remade them with the Firewall option in Webmin (Webmin > Networking > Linux Firewall).

All open ports are now pointing to the correct IPs, and the system is like normal :-)

For all people who have a slow SSH login and/or FTP (and yes, even email login), have a look at your IPtables! If there is a mistake in it, this can cause the slowdown!

Now my next problem... Interrupts and context switches... They are going crazy on the server here!

#5, 30th June 2006, 23:50, platd (Member)

Can you not turn off sshd doing a reverse lookup by UseDNS no etc.?

#6, 1st July 2006, 00:29, edge (Moderator)

Yes, I think it can, but it was not only SSH that was slow!
FTP and email (POP3/SMTP) verification was also really slow (I guess this can also be set to off).

It was for sure the reverse DNS that I was blocking with the 1st iptables rule set that I made.

But now with the new one all is working fine, and I did not need to disable the reverse lookup part anywhere!

#7, 4th July 2006, 12:33, IPMolester (Junior Member)
Improve logging

You could improve logging to get a better idea of what IPTables are doing.

So instead of doing a -j REJECT, you could create a dedicated chain for logging the packet before you reject it. Then replace "-j REJECT" by "-j LDROP".

This is from my iptables script; I do drop some packets without logging them since there are simply too many of them.
Quote:
iptables -N LDROP
iptables -A LDROP -p tcp -i eth1 --dport 135 -j DROP
iptables -A LDROP -p tcp -i eth1 --dport 139 -j DROP
iptables -A LDROP -p udp -i eth1 --dport 137 -j DROP
iptables -A LDROP -p tcp -i eth1 --dport 445 -j DROP
iptables -A LDROP --proto tcp -j LOG --log-prefix "TCP Drop "
iptables -A LDROP --proto udp -j LOG --log-prefix "UDP Drop "
iptables -A LDROP --proto icmp -j LOG --log-prefix "ICMP Drop "
iptables -A LDROP --proto gre -j LOG --log-prefix "GRE Drop "
iptables -A LDROP -f -j LOG --log-prefix "FRAG Drop "
iptables -A LDROP -j DROP
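A logging chain like LDROP is only useful if someone reads what it writes. Each LOG rule produces one kernel line per packet, starting with the --log-prefix and followed by the IN=/OUT=/SRC=/DST=/PROTO=/SPT=/DPT= fields. The script below is an added example, not part of IPMolester's script or the thread: it summarises such lines per protocol and destination port, counting packets and distinct source addresses, so a quick look shows which ports are being hit and by how many hosts. The log lines in sample_log are constructed to match the kernel's LOG format and the "TCP Drop " / "UDP Drop " / "ICMP Drop " prefixes used above; they are not from anyone's real server.

```shell
#!/bin/sh
# Added example (not from the thread). Summarises kernel LOG lines written by
# an LDROP-style chain. The sample lines are constructed, not captured.

# Constructed syslog lines in the shape the kernel LOG target produces.
sample_log() {
    cat <<'EOF'
Jul  4 12:33:01 gw kernel: TCP Drop IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1234 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  4 12:33:05 gw kernel: TCP Drop IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.11 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4321 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  4 12:33:09 gw kernel: UDP Drop IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=404 TOS=0x00 PREC=0x00 TTL=112 ID=9 PROTO=UDP SPT=1434 DPT=1434 LEN=384
Jul  4 12:33:12 gw kernel: ICMP Drop IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Jul  4 12:33:20 gw kernel: TCP Drop IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1235 DF PROTO=TCP SPT=40001 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# Read LOG lines on stdin; print "PROTO DPT packets distinct_sources", most
# packets first. Lines without a DPT field (e.g. ICMP) are reported with "-".
summarise_drops() {
    awk '
        / Drop IN=/ {
            proto = "-"; dpt = "-"; src = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
                else if ($i ~ /^SRC=/) src = substr($i, 5)
            }
            key = proto " " dpt
            count[key]++
            if (!((key, src) in seen)) { seen[key, src] = 1; sources[key]++ }
        }
        END { for (k in count) print k, count[k], sources[k] }
    ' | sort -k3,3nr -k1,1
}

# Stand-alone usage: summarise the constructed sample.
sample_log | summarise_drops
```

On a live system the same function reads the real log: `grep ' Drop IN=' /var/log/kern.log | summarise_drops`. Because the LOG rules in LDROP sit after the unlogged DROPs for ports 135, 137, 139 and 445, those ports never appear in the summary, which is the trade-off the post describes.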