IPtables slowing down my SSH login!?

Discussion in 'Server Operation' started by edge, Jun 29, 2006.

  1. edge

    edge Active Member Moderator

    I'm at the moment doing some testing with IPtables on a test server running Debian Sarge 3.1

    For some reason when I add IPtables the login for my SSH gets really slow!
    After entering the login name, it takes about 5 to 10 seconds for the password question!

    The strange thing is that when I flush the iptables, login is like normal again (fast)

    I do not mind waiting 10 seconds, but what I do not know is if this is the only thing beeing slower...

    This is what I'm using as IPtables: (I'm using SSH on the IP)

  2. platd

    platd New Member

    Is it a dns thing ?
  3. edge

    edge Active Member Moderator

    Hmm I thought that I found the problem, but no....

    I've just tested it on my "real" server, but it's slow as hell as soon as I start using IPtables.
    I guess that it's got something todo with DNS lookups....

    So for me the ALL:NONE in the /etc/host.deny file does not work.... Server is still slow when FTP'ing, SSH'ing and using Postfix (email)

    Any suggestions?
    Last edited: Jun 30, 2006
  4. edge

    edge Active Member Moderator

    Okay.. I've flushed the iptables again, and remade them with the Firewall option in WebMin. (Webmin > Networking > Linux Firewall)

    All open ports are now pointing to the correct IP's, and the system is like normal :)

    For all people who have a slow SSH login and / or FTP (and yes even Email login), have a look at your IPtables! If there is a misstake in it, this can cause the slowdown!

    Now my next problem... Interupts and context switches.. They are going crazy on the server here!
  5. platd

    platd New Member

    can you not turn off sshd doing a reverse look up by
    UseDNS no etc ?
  6. edge

    edge Active Member Moderator

    Yes I think it can, but it was not only SSH that was slow!
    FTP and email (POP3/SMTP) verification was also really slow (I guess this can also be set to off)

    It was for sure the reverse DNS that I was blocking with the 1st iptables rule set that I made..

    But now with the new one all is working fine, and I did not need to dissable the reverse lookup part anywhere!
  7. IPMolester

    IPMolester New Member

    Improve logging

    You could improve logging to get a better idea on what IPTables are doing.

    So instead of doing a -j REJECT, you could create a dedicated chain for logging the packet before you reject it. Then replace "-j REJECT" by "-j LDROP"

    This is from my iptables script, I do drop some packets without logging them since there are simply to many of them.
  8. edge

    edge Active Member Moderator

    Yes that does look good!

    I'll give it a go with my next install :)

    This is what I have now, and it's working great! (for sure it can have some more tweaking)

    (1) I have 4 IP's, and only ports open on the IP's that I want
    (2) The IP's have been changed to protect the innocent
    (3) IP:* is only open for port 80, 81, 443, 8080 and 10000
    (4) IP:* is only open for port 25 and 53 (UDP/TCP)
    (5) IP:* is only open for port 53 (UDP/TCP) and 110
    (6) IP:* is only open for port 20, 21 22 and 30000 till 40000
    * see point 2

    -A INPUT -p tcp -m tcp -d ! -i lo -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth+ -j PUB_IN
    -A OUTPUT -o eth+ -j PUB_OUT
    -A INT_IN -p icmp -j ACCEPT
    -A INT_IN -j DROP
    -A INT_OUT -p icmp -j ACCEPT
    -A PUB_IN -p icmp -d -j ACCEPT
    -A PUB_IN -p tcp -m tcp -d --dport 80 -j PAROLE
    -A PUB_IN -p tcp -m tcp -d --dport 81 -j PAROLE
    -A PUB_IN -p tcp -m tcp -d --dport 443 -j PAROLE
    -A PUB_IN -p tcp -m tcp -d --dport 8080 -j PAROLE
    -A PUB_IN -p tcp -m tcp -d --dport 10000 -j PAROLE
    -A PUB_IN -p icmp -d -j PAROLE
    -A PUB_IN -p tcp -m tcp -d --dport 25 -j PAROLE
    -A PUB_IN -p tcp -m tcp -d --dport 53 -j PAROLE
    -A PUB_IN -p udp -m udp -d --dport 53 -j PAROLE
    -A PUB_IN -p icmp -d -j PAROLE
    -A PUB_IN -p tcp -m tcp -d --dport 53 -j PAROLE
    -A PUB_IN -p udp -m udp -d --dport 53 -j PAROLE
    -A PUB_IN -p tcp -m tcp -d --dport 110 -j PAROLE
    -A PUB_IN -p icmp -d -j  DROP
    -A PUB_IN -p tcp -m tcp -d --dport 20:21 -j PAROLE
    -A PUB_IN -p tcp -m tcp -d --dport 22-j PAROLE
    -A PUB_IN -p tcp -m tcp -d --dport 30000:40000 -j PAROLE
    -A PUB_IN -j LOG
    -A PUB_IN -p icmp -j DROP
    -A PUB_IN -j DROP
    -A INPUT -j DROP

Share This Page