This is a discussion on avoiding iptables slow down? within the Linux Security forums, part of the System Security and Security Related category.
Opposite of the poster before me, I'm trying to block all IP addresses except a small range (make the computer accessible only to others within my particular office). I've set a number of allowed IPs (iptables -A INPUT -s x.x.x.x -j ACCEPT). When I then reject or drop all others, computer access becomes excruciatingly slow. I've tried both "iptables -A INPUT -j REJECT" and "iptables -P INPUT DROP", both with the same results.

Running iptables -L takes nearly a minute for output to display.

I found from some postings that adding -n speeds up the listing, so the problem seems to be with reverse lookup (?)

Logging in via ftp or ssh can take more than a minute, and there is of course no -n option for speeding it up. Each change of directories in ftp takes a similarly long time.

Oddly, web pages are served up quickly (via apache).

What can I do to speed things up? (still a bit of a newbie)

Thanks!
Eric Peterson wrote:
> Opposite of the poster before me, I'm trying to block all IP addresses except a small range (make the computer accessible only to others within my particular office). I've set a number of allowed IPs (iptables -A INPUT -s x.x.x.x -j ACCEPT). When I then reject or drop all others, computer access becomes excruciatingly slow. I've tried both "iptables -A INPUT -j REJECT" and "iptables -P INPUT DROP", both with the same results.

I suggest that you do a tcpdump to see what's actually taking place. When an operation slows down 'excruciatingly,' usually what's happening is some kind of timeout ... caused by you having blocked something that was needed by someone.
"Eric Peterson" <lastname_nospam@heritage.nv.gov> said:
> Opposite of the poster before me, I'm trying to block all IP addresses except a small range (make the computer accessible only to others within my particular office). I've set a number of allowed IPs (iptables -A INPUT -s x.x.x.x -j ACCEPT). When I then reject or drop all others, computer access becomes excruciatingly slow. I've tried both "iptables -A INPUT -j REJECT" and "iptables -P INPUT DROP", both with the same results.

You might wish to refine your policy a bit. More on this later.

> running iptables -L takes nearly a minute for output to display
>
> I found from some postings that adding -n speeds up the listing, so the problem seems to be with reverse lookup (?)

Sounds correct.

> Logging in via ftp or ssh can take more than a minute and there is of course no -n option for speeding it up. Each change of directories in ftp takes a similarly long time.

A caching nameserver on the local machine might help, but would be the wrong solution.

> Oddly, web pages are served up quickly (via apache).

Any near-recent apache configuration pretty much turns off the reverse resolution in the interests of getting a lower server latency.

> What can I do to speed things up? (still a bit of a newbie)

As said, refine your policy. Think of what you actually want to allow, and what you want to deny. Let's make a quick draft:

1. you want to allow certain services on your machine to be accessed from within a certain range of addresses
2. you want to allow your machine to use certain external network resources (such as DNS)

Now, part one you apparently have in a rather good order, but part two you've overlooked. Here the 'state' module of iptables comes to your help.

First, start both INPUT and OUTPUT chains by allowing traffic on related and established connections (assuming both INPUT and OUTPUT have a policy of DROP):

    iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Then, list on INPUT those network services you wish to provide from your machine to the outside world. Similarly, list on OUTPUT those network services you want to allow to be used from your machine. F.ex. to allow DNS queries, do:

    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

(you may further restrict these by only allowing traffic to a limited set of IP addresses); now, the 'RELATED,ESTABLISHED' rule on the INPUT chain will handle allowing the return packets from DNS queries.

Note; by now your set-up is so tight that not even 'ping' is allowed; you'll need to separately allow it, if you wish.

Of course, one way is to just leave everything on OUTPUT allowed -- the key issue is to allow RELATED,ESTABLISHED on INPUT.

If you're paranoid, you can add some quick sanity checks before the ESTABLISHED,RELATED line -- f.ex. drop traffic from address ranges you know to be invalid, etc - but try to keep the amount of the sanity check rules as low as possible.

--
Wolf a.k.a. Juha Laiho, Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
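The draft above, carried through as a complete script (an added example, not code from the thread or its posters): RELATED,ESTABLISHED first, the office range allowed to the offered services, outbound DNS restricted to one resolver, and the DROP policies applied last. The office range 192.0.2.0/24, the resolver 192.0.2.1 and the ssh/ftp/http service set are constructed assumptions; FW_DRY_RUN=1 prints the rules instead of applying them.

```shell
# Added example, not from the thread: a whitelist ruleset built the way the
# reply above describes (RELATED,ESTABLISHED first, then explicit services),
# with the DROP policies set last so a live ssh session is never cut off.
# Constructed assumptions: office range 192.0.2.0/24, local resolver
# 192.0.2.1, services ssh/ftp/http. FW_DRY_RUN=1 prints instead of applying.

OFFICE_NET="${OFFICE_NET:-192.0.2.0/24}"
DNS_SERVER="${DNS_SERVER:-192.0.2.1}"
IPT="${IPT:-iptables}"
# run: execute one iptables command, or print it in dry-run mode.
run() {
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

build_rules() {
    run -F INPUT
    run -F OUTPUT
    # Loopback stays open; local services and a local resolver depend on it.
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT

    # Replies to connections this host opened, plus related flows such as
    # FTP data channels (needs the ftp conntrack helper loaded).
    run -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    run -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Services offered to the office range only (NEW connections).
    for port in 21 22 80; do
        run -A INPUT -p tcp -s "$OFFICE_NET" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done

    # Outbound DNS to the local resolver only; without this rule every
    # reverse lookup times out and ssh/ftp logins crawl.
    run -A OUTPUT -p udp -d "$DNS_SERVER" --dport 53 -j ACCEPT
    run -A OUTPUT -p tcp -d "$DNS_SERVER" --dport 53 -j ACCEPT

    # Ping from the office; everything else falls through to DROP.
    run -A INPUT -p icmp --icmp-type echo-request -s "$OFFICE_NET" -j ACCEPT
    run -P INPUT DROP
    run -P OUTPUT DROP
}
# Dry-run helpers for inspecting the ruleset before applying it as root.
dry_run_rules() { ( FW_DRY_RUN=1; build_rules ); }
rule_count() { dry_run_rules | grep -c -- '-A '; }
```

Run `dry_run_rules` first and compare the printed list against what the box must reach (resolver, NTP, package mirror); anything missing shows up as the same kind of timeout the thread describes.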
On 2004-11-24, Eric Peterson <lastname_nospam@heritage.nv.gov> wrote:
> Opposite of the poster before me, I'm trying to block all IP addresses except a small range (make the computer accessible only to others within my particular office). I've set a number of allowed IPs (iptables -A INPUT -s x.x.x.x -j ACCEPT). When I then reject or drop all others, computer access becomes excruciatingly slow. I've tried both "iptables -A INPUT -j REJECT" and "iptables -P INPUT DROP", both with the same results.
>
> running iptables -L takes nearly a minute for output to display
>

Well, you are blocking even the reverse DNS lookups that 'iptables' will make to match the addresses it lists against. If you use 'iptables -nL' you should find things much faster, as it skips the DNS lookup. All this really is in the manpage.

You should also consider a couple of things with your approach:

1) using IP-based ACLs on a LAN is easily overcome if you simply change the client IP on the local net. This also does not protect from various spoofing methods. I'm unsure what your box does, but client-side SSL certificates might be a much better approach. If that's not an option, then just usernames/passwords over SSL.
2) you should run 'ethereal' on your server to see what traffic actually goes to and from the machine, as there obviously are lots of other things you are missing
3) you should whitelist the server to talk to things; obviously in this case your local DNS server would be a good start :P

> I found from some postings that adding -n speeds up the listing, so the problem seems to be with reverse lookup (?)
>

As mentioned above.

> Logging in via ftp or ssh can take more than a minute and there is of course no -n option for speeding it up. Each change of directories in ftp takes a similarly long time.
>

Same again; you could bypass this if you configure /etc/hosts.deny to 'ALL:NONE' and also ssh/ftp to not do reverse DNS lookups; however, obviously you might not want to do this for various reasons.

I would probably opt for slipping in a rule that permits DNS lookups by the server.

> Oddly, web pages are served up quickly (via apache).
>

Probably reverse DNS lookups are disabled by default for you, which is really what you want on a webserver.

Regards
Alex

> What can I do to speed things up? (still a bit of a newbie)
> Thanks!