Re: avoiding iptables slow down?

From: Tim Haynes (usenet-20041124_at_stirfried.vegetable.org.uk)
Date: 11/24/04

Date: Wed, 24 Nov 2004 19:56:38 +0000

"Eric Peterson" <lastname_nospam@heritage.nv.gov> writes:

> Opposite of the poster before me, I'm trying to block all ip addresses
> except a small range (make the computer accessible only to others within
> my particular office). I've set a number of allowed IPs (iptables -A
> INPUT -s x.x.x.x -j ACCEPT). When I then reject or drop all others,
> computer access becomes excruciatingly slow. I've tried both "iptables -A
> INPUT -j REJECT" and "iptables -P INPUT DROP", both with the same
> results.
>
> running iptables -L takes nearly a minute for output to display
>
> I found from some postings that adding -n speeds up the listing, so the
> problem seems to be with reverse lookup (?)

Well, if you've got quite a few rules, and are expecting to do a DNS lookup
for each of them, it'll take a while; if you have a problem whereby DNS
requests are being blocked one way or another, then it'll take maybe a 30s
timeout on each of them. I go with -n, as a rule.

> Logging in via ftp or ssh can take more than a minute and there is of
> course no -n option for speeding it up. Each change of directories in ftp
> takes a similarly long time.
>
> Oddly, web pages are served up quickly (via apache).
>
> What can I do to speed things up? (still a bit of a newbie)

I'd suggest logging all dropped packets, then you can see by tail-ing a
logfile whether there's a trend for certain types of packet to be blocked -
for example, DNS returns from your nameservers.

Beware that you don't descend into ipchains-style hell, btw; use the state
module for all it's worth, it can summarise a ton of other rules very
nicely.

~Tim

-- 
There's a shrine on the Assynt hillside     |piglet@stirfried.vegetable.org.uk
Made of earth and salt and rain             |http://pig.sty.nu/
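The rule set Tim is describing, as an added example that is not part of the original post or of Eric's setup: one ESTABLISHED,RELATED rule stands in for every "allow the reply" rule, NEW connections are accepted only from the office range, and whatever is left is logged before the DROP policy eats it. The office range 192.0.2.0/24, the interface name and the log prefix are assumptions; set DRY_RUN=1 to print the commands instead of running them as root.

```sh
#!/bin/sh
# Added example (not from the original post). Assumptions: the office is
# 192.0.2.0/24 (override with OFFICE_NETS), rules are applied on a host that
# initiates its own DNS lookups, and the kernel has the state match module.

OFFICE_NETS=${OFFICE_NETS:-"192.0.2.0/24"}

# Wrapper: with DRY_RUN set, print the command instead of executing it.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_input_rules() {
    # Start clean and default to DROP: anything not matched below is dropped,
    # so no trailing "-j REJECT" or "-j DROP" rule is needed.
    ipt -F INPUT
    ipt -P INPUT DROP

    # Loopback traffic is always allowed.
    ipt -A INPUT -i lo -j ACCEPT

    # This single rule is what "use the state module for all it's worth"
    # means: replies to connections this host started (the DNS answer to a
    # reverse lookup sshd or ftpd just sent, the FTP data connection, ...)
    # come back tagged ESTABLISHED or RELATED and are accepted in one go.
    # Without it, a DROP policy silently eats the resolver's answer and every
    # login waits for the resolver timeout, which matches the symptoms above.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections are accepted only from the office range(s).
    for net in $OFFICE_NETS; do
        ipt -A INPUT -m state --state NEW -s "$net" -j ACCEPT
    done

    # Log (rate limited) what is about to fall through to the DROP policy,
    # so "tail -f" on the kernel log shows which packets are being blocked.
    ipt -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT-DROP: "
}

# Listing with -n avoids the reverse DNS lookup on every rule, which is what
# made "iptables -L" take a minute in the first place.
show_input_rules() {
    ipt -L INPUT -n -v --line-numbers
}

case "${1:-}" in
    apply)
        # The FTP connection-tracking helper is needed for RELATED to cover
        # FTP data connections; the module name depends on the kernel era.
        modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp 2>/dev/null || true
        build_input_rules
        show_input_rules
        ;;
    show)
        show_input_rules
        ;;
esac
```

Run it as "sh office-only.sh apply" as root, or "DRY_RUN=1 sh office-only.sh apply" first to read the rules it would load. The ordering matters: the state rule sits before the per-network rules so that replies are matched cheaply, and the LOG rule sits last so that only packets that would be dropped are logged.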
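The "tail the log and look for a trend" step, as an added example that is not part of the original post: two small awk filters that read iptables LOG lines (from the kernel log, or from the constructed sample embedded below) and summarise which kinds of packet are being dropped, with a separate check for DNS answers arriving from port 53, the case Tim singles out. The sample lines, the host name, the log prefix "INPUT-DROP:" and the resolver addresses 192.0.2.53 and 192.0.2.54 are all made up for the example.

```sh
#!/bin/sh
# Added example (not from the original post). Summarises iptables LOG output
# by protocol and service-side port, and separately counts dropped DNS
# answers per source so they can be compared with /etc/resolv.conf.

# Constructed sample of what the LOG target writes to the kernel log.
SAMPLE_LOG=$(cat <<'EOF'
Nov 24 19:40:01 office1 kernel: INPUT-DROP: IN=eth0 OUT= MAC=00:0c:29:3e:1a:2b:00:50:56:c0:00:08:08:00 SRC=192.0.2.53 DST=192.0.2.10 LEN=89 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=32771 LEN=69
Nov 24 19:40:02 office1 kernel: INPUT-DROP: IN=eth0 OUT= MAC=00:0c:29:3e:1a:2b:00:50:56:c0:00:08:08:00 SRC=192.0.2.53 DST=192.0.2.10 LEN=89 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=32772 LEN=69
Nov 24 19:40:02 office1 kernel: INPUT-DROP: IN=eth0 OUT= MAC=00:0c:29:3e:1a:2b:00:50:56:c0:00:08:08:00 SRC=192.0.2.54 DST=192.0.2.10 LEN=89 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=32773 LEN=69
Nov 24 19:40:05 office1 kernel: INPUT-DROP: IN=eth0 OUT= MAC=00:0c:29:3e:1a:2b:00:50:56:c0:00:08:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=4321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 24 19:40:06 office1 kernel: INPUT-DROP: IN=eth0 OUT= MAC=00:0c:29:3e:1a:2b:00:50:56:c0:00:08:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=4322 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 24 19:40:07 office1 kernel: INPUT-DROP: IN=eth0 OUT= MAC=00:0c:29:3e:1a:2b:00:50:56:c0:00:08:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
EOF
)

# Group dropped packets by protocol and the port that identifies the service:
# a source port below 1024 means a reply from a server (e.g. a DNS answer),
# otherwise the destination port names the service someone tried to reach.
summarise_drops() {
    awk '
    {
        proto = ""; spt = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "PROTO") proto = v
            else if (k == "SPT") spt = v
            else if (k == "DPT") dpt = v
        }
        if (proto == "") next
        if (spt != "" && spt + 0 < 1024) key = proto " replies from port " spt
        else if (dpt != "") key = proto " to port " dpt
        else key = proto
        count[key]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# The specific check from the reply above: UDP packets from source port 53
# are DNS answers; if their sources are your resolvers, the firewall is
# dropping the replies to the lookups sshd/ftpd make, hence the slow logins.
dropped_dns_replies() {
    awk '
    {
        src = ""; udp = 0; from53 = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "PROTO=UDP") udp = 1
            else if ($i == "SPT=53") from53 = 1
            else if (substr($i, 1, 4) == "SRC=") src = substr($i, 5)
        }
        if (udp && from53) count[src]++
    }
    END { for (s in count) printf "%d %s\n", count[s], s }
    ' | sort -rn
}

case "${1:-}" in
    --sample)
        printf '%s\n' "$SAMPLE_LOG" | summarise_drops
        echo "--- dropped DNS answers by source ---"
        printf '%s\n' "$SAMPLE_LOG" | dropped_dns_replies
        ;;
    --stdin)
        summarise_drops
        ;;
esac
```

"sh drops.sh --sample" runs it on the embedded lines; on a real host, "grep INPUT-DROP /var/log/messages | sh drops.sh --stdin" (or whichever file klogd writes to) gives the same summary for the live log. If the addresses printed by dropped_dns_replies match the nameserver lines in /etc/resolv.conf, the diagnosis in the reply above is confirmed and a state rule (or an explicit accept for UDP source port 53 from those resolvers) is the fix.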
