Re: avoiding iptables slow down?
From: Alexander Clouter (alex_at_digriz.junk-this.org.uk)
Date: 11/27/04
- Next message: Alexander Clouter: "Re: Kornet's Last Hack"
- Previous message: jayjwa: "Re: Unix NOT secure against Viruses on home PCs"
- In reply to: Eric Peterson: "avoiding iptables slow down?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 27 Nov 2004 18:18:15 -0000
On 2004-11-24, Eric Peterson <lastname_nospam@heritage.nv.gov> wrote:
> Opposite of the poster before me, I'm trying to block all ip addresses except
> a small range (make the computer accessible only to others within my
> particular office). I've set a number of allowed IPs (iptables -A INPUT -s
> x.x.x.x -j ACCEPT). When I then reject or drop all others, computer access
> becomes excruciatingly slow. I've tried both "iptables -A INPUT -j REJECT"
> and "iptables -P INPUT DROP", both with the same results.
>
> running iptables -L takes nearly a minute for output to display
>
Well, you are blocking even the reverse DNS lookups that 'iptables' will make
to match the addresses it lists against. If you use 'iptables -nL' you
should find things much faster as it skips the DNS lookup. All this really
is in the manpage.
You should also consider a couple of things with your approach:
1) using IP based ACLs on a LAN is easily overcome if you simply change the
client IP on the local net. This also does not protect from various
spoofing methods. I'm unsure what your box does but client side SSL
certificates might be a much better approach. If that's not an option
then just usernames/passwords over SSL
2) you should run 'ethereal' on your server to see what traffic actually
goes to and from the machine as there obviously are lots of other
things you are missing
3) you should whitelist the server to talk to things, obviously in this case
your local DNS server would be a good start :P
> I found from some postings that adding -n speeds up the listing, so the
> problem seems to be with reverse lookup (?)
>
As mentioned above.
> Logging in via ftp or ssh can take more than a minute and there is of course
> no -n option for speeding it up. Each change of directories in ftp takes a
> similarly long time.
>
Same again, you could bypass this if you configure /etc/hosts.deny to
'ALL:NONE' and also ssh/ftp to not do reverse DNS lookups; however, obviously
you might not want to do this for various reasons. I would probably opt for
slipping in a rule that permits DNS lookups by the server.
> Oddly, web pages are served up quickly (via apache).
>
Probably reverse DNS lookups are disabled by default for you, which is really
what you want on a webserver.
Regards
Alex
> What can I do to speed things up? (still a bit of a newbie)
> Thanks!
>
>
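The rule set below is an added example of what the reply above recommends (a default-deny INPUT chain that still lets the server complete its own DNS lookups, plus an OUTPUT whitelist along the lines of point 3); it is not from the original thread and not Alexander's or Eric's configuration. The office range 192.0.2.0/24 and the resolver 192.0.2.53 are placeholder addresses from the RFC 5737 documentation prefix, and `IPT` is a hypothetical variable so the script can print the commands without running them:

```shell
#!/bin/sh
# Added example (not from the original thread). Prints, and optionally
# applies, an office-only iptables policy. Addresses are assumptions.
set -eu

OFFICE_NET="${OFFICE_NET:-192.0.2.0/24}"   # assumed office range (RFC 5737 prefix)
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"     # assumed local resolver
IPT="${IPT:-iptables}"                     # hypothetical: set to "echo iptables" to dry-run

# Emit the rules in load order. ACCEPT rules must precede the catch-all
# REJECT because iptables matches top to bottom; the policies go last so a
# typo half-way through does not lock out the session you are typing in.
office_rules() {
    cat <<EOF
$IPT -F INPUT
$IPT -F OUTPUT
# local services, including a caching resolver on 127.0.0.1, keep working
$IPT -A INPUT -i lo -j ACCEPT
# replies to connections the server opened itself, DNS answers included:
# without this the reverse lookups sshd/ftpd make hang until they time out
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# only the office range may open new connections to the box
$IPT -A INPUT -s $OFFICE_NET -j ACCEPT
# REJECT rather than DROP so misconfigured clients fail fast, not slowly
$IPT -A INPUT -j REJECT
# outbound whitelist: loopback, existing flows, the local resolver, the office
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p udp -d $DNS_SERVER --dport 53 -j ACCEPT
$IPT -A OUTPUT -p tcp -d $DNS_SERVER --dport 53 -j ACCEPT
$IPT -A OUTPUT -d $OFFICE_NET -j ACCEPT
$IPT -A OUTPUT -j REJECT
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
EOF
}

# Number of actual rules (comment lines in the heredoc are not rules).
rule_count() {
    office_rules | grep -vc '^#'
}

# 1-based position of the first rule matching a pattern, 0 if absent;
# used to check that ordering-sensitive rules land where they must.
rule_index() {
    n=$(office_rules | grep -v '^#' | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    printf '%s\n' "${n:-0}"
}

# Default action is to print the rules; pass --apply to load them.
if [ "${1:-}" = "--apply" ]; then
    office_rules | sh
else
    office_rules
fi
```

Run it as root with `--apply` after adjusting the two addresses, then confirm with `iptables -nL` (the `-n` is what stops the listing itself from doing reverse lookups). With the ESTABLISHED,RELATED rule in place the server's own lookups return promptly, so logins stop waiting on DNS timeouts without having to disable reverse lookups in sshd (`UseDNS no`) or ftpd; the `-m state` match is the stock ipt_state module, present in 2.4-era kernels as well as current ones.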