Gentoo Forums
Forum Index > Networking & Security
iptables capping speed?
god8y
n00b
Joined: 24 Jun 2003
Posts: 71

Posted: Tue Mar 30, 2004 7:52 am    Post subject: iptables capping speed?

Well, I have a new server running (temporarily), and when I launch the iptables rules my bandwidth drops by like 2/3, so I'm surfing at 1/3 of my down/upstream :(
Here are my rules:
Code:

#!/bin/sh
IPTABLES="/sbin/iptables"

#Time to clean house
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X

#Setup our policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

#This enables ip forwarding, and thus by extension, NAT
#Turn this on if you're going to be doing NAT or Masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward

# Actual rules
# NAT stuff

#Source NAT everything heading out the eth0 (external) interface to be the
#given IP. If you have a dynamic ip or a DHCP ip that changes
#semi-regularly, comment this and uncomment the second line
#Remember to change the ip address to your static ip
# $IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#These are port-forwarding examples for several different cases.
#These map the specified ports to the specified ip address.
#This one redirects anything incoming over eth0 for tcp port 22 invisibly
#to port 22 on 127.0.0.1 (the template example it came from mapped port 80
#to 192.168.1.1)
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to 127.0.0.1:22
#
#These two redirect a block of ports, in both udp and tcp.
#$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 2300:2400 -j DNAT --to 192.168.1.1
#$IPTABLES -t nat -A PREROUTING -i eth0 -p udp --dport 2300:2400 -j DNAT --to 192.168.1.1


#Now, our firewall chain
#We use the limit commands to cap the rate at which it alerts to 15
#log messages per minute
$IPTABLES -N firewall
$IPTABLES -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
$IPTABLES -A firewall -j DROP

#Now, our dropwall chain, for the final catchall filter
$IPTABLES -N dropwall
$IPTABLES -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
$IPTABLES -A dropwall -j DROP

#Our "hey, them's some bad tcp flags!" chain
$IPTABLES -N badflags
$IPTABLES -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
$IPTABLES -A badflags -j DROP

#And our silent logging chain
$IPTABLES -N silent
$IPTABLES -A silent -j DROP


#Accept ourselves (loopback interface), 'cause we're all warm and friendly
$IPTABLES -A INPUT -i lo -j ACCEPT

#Drop those nasty packets!
#These are all TCP flag combinations that should never, ever occur in the
#wild. All of these are illegal combinations that are used to attack a box
#in various ways, so we just drop them and log them here.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

#Drop icmp, but only after letting certain types through
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewall

#Opening ports
#ssh: meant for both nic's, but with -i eth1 it only matches the internal nic
$IPTABLES -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
#this one only allows the internal network (eth1)
$IPTABLES -A INPUT -i eth1 -d 10.0.0.0/24 -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -d 10.0.0.0/24 -p tcp --dport 80 -j ACCEPT

#Lets do some basic state-matching
#This allows us to accept related and established connections, so
#client-side things like ftp work properly, for example.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Drop port 137 netbios packets silently. We don't like that netbios stuff,
#and it's way too spammy with windows machines on the network.
#
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent

#Our final trap. Everything on INPUT goes to the dropwall so we don't get silent drops
$IPTABLES -A INPUT -j dropwall
god8y
n00b
Joined: 24 Jun 2003
Posts: 71

Posted: Wed Mar 31, 2004 7:22 am

-bump- Has nobody ever had this problem before, or does anyone know a solution?
neilhwatson
l33t
Joined: 06 Feb 2003
Posts: 719
Location: Canada

Posted: Wed Mar 31, 2004 2:16 pm

Iptables is well proven technology. I have no doubt that you are having problems, but I think it is unlikely that Iptables is to blame. Having said that, there are a few odd rules in your script:

Why do you have rules to drop packets (your last rules about port 137)? Your policies should take care of this. Also, your dropwall chain. The rules seem to add too much complication. Ideally I think they should work more like this:

Set INPUT policy to drop.
Set INPUT rules on what to allow.
Set INPUT rules to log dropped packets.

That's it. When a packet reaches the end of the chain it will be logged and then dropped in accordance with the drop policy. No need to jump back and forth to custom chains.
_________________
The true guru is a teacher.
Neil Watson
god8y
n00b
Joined: 24 Jun 2003
Posts: 71

Posted: Wed Mar 31, 2004 5:35 pm

Well, if I only use:
Code:

#!/bin/sh
IPTABLES="/sbin/iptables"

$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPTABLES -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -d 10.0.0.0/24 -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Then I'm not able to resolve DNS names, meaning I can't really surf. I then tried opening port 53 for my DNS server, but that didn't work out either. Guess I need a better manual or tutorial for iptables that's not so hard to understand? (since I keep doing it wrong)
neilhwatson
l33t
Joined: 06 Feb 2003
Posts: 719
Location: Canada

Posted: Wed Mar 31, 2004 5:51 pm

There are some firewall applications in Gentoo that may be useful for learning. Search the forums.
_________________
The true guru is a teacher.
Neil Watson
neilhwatson
l33t
Joined: 06 Feb 2003
Posts: 719
Location: Canada

Posted: Wed Mar 31, 2004 5:53 pm

If you give us a description of your topology (network layout) we may be able to offer more useful solutions.
_________________
The true guru is a teacher.
Neil Watson
god8y
n00b
Joined: 24 Jun 2003
Posts: 71

Posted: Wed Mar 31, 2004 7:22 pm

Well, my internal LAN is in the 10.0.0.x range; the main server (router) runs squid + squidguard, bind and ssh. I just want to go out and surf the net like I did in the days before the old server died. I only need ssh to be allowed from outside the LAN, nothing else.
Oh, and I've tried monmotha and shorewall: monmotha works, but very slowly, and shorewall gives me the same error as the one I get now (couldn't resolve blablabla).
neilhwatson
l33t
Joined: 06 Feb 2003
Posts: 719
Location: Canada

Posted: Wed Mar 31, 2004 7:53 pm

Add some logging rules at the end of each chain. You can use the logs to discover what packets are being dropped.
_________________
The true guru is a teacher.
Neil Watson
god8y
n00b
Joined: 24 Jun 2003
Posts: 71

Posted: Sat Apr 03, 2004 2:35 pm

I've been trying to enable logging on the rules, but I can't figure it out, so some help would be appreciated.
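The rule set below is an added example, not code from this thread: it lays out the router's INPUT chain the way neilhwatson describes (DROP policy, allow rules, a single LOG rule at the end) and adds what the stripped-down script earlier was missing for name resolution (loopback, and udp/53 alongside tcp/53 from the LAN). It assumes eth0 is the WAN side, eth1 the 10.0.0.0/24 LAN, bind and squid on the router itself, and a hypothetical squid port of 3128.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: eth0 = WAN, eth1 = LAN
# 10.0.0.0/24, bind and squid run on the router, squid on port 3128
# (hypothetical; change it to whatever squid.conf uses).
IPTABLES="${IPTABLES:-/sbin/iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"

# Emit the rule set one command per line so it can be reviewed before use.
firewall_rules() {
  cat <<EOF
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
# Loopback first: bind and squid on the router talk to 127.0.0.1.
$IPTABLES -A INPUT -i lo -j ACCEPT
# Replies to traffic the router started (bind's upstream queries, squid's
# fetches) come back as ESTABLISHED; match them before anything else.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ssh is the only service reachable from outside, so no -i restriction.
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
# LAN clients resolve over UDP first; TCP is only used for large answers.
# Opening only tcp/53 (as the stripped-down script did) leaves DNS broken.
$IPTABLES -A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
# The proxy port for LAN clients (assumed 3128).
$IPTABLES -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 3128 -j ACCEPT
# Last rule: log what is about to be dropped (rate-limited), then let the
# INPUT policy drop it. Search dmesg or the kernel log for the prefix.
$IPTABLES -A INPUT -m limit --limit 15/minute -j LOG --log-prefix "INPUT-DROP: "
EOF
}

# Count the DNS allow rules: a correct set has both udp and tcp (2).
dns_rule_count() { firewall_rules | grep -c -e '--dport 53'; }

case "${1:-}" in
  show)  firewall_rules ;;          # review:          sh fw.sh show
  apply) firewall_rules | sh -e ;;  # install as root: sh fw.sh apply
esac
```

Run it with `show` first and diff the output against the loaded rules; once a dropped packet shows up in the log with the INPUT-DROP prefix, the line tells you the interface, protocol and port to open.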
neilhwatson
l33t
Joined: 06 Feb 2003
Posts: 719
Location: Canada

Posted: Sat Apr 03, 2004 3:44 pm

Post a small portion of the log and explain what you attempted.
_________________
The true guru is a teacher.
Neil Watson