
RE: [suse-security] IPTABLES Command slows down the machine



Hmmm... Things seem to be stable now.

I need to thank all the people out there who have contributed with a lot
of helpful hints and tips.

Also, I think I learned my lesson today. I have been designing the rules
on a completely wrong assumption. What I did not quite understand, until
a few minutes ago, was how IPTABLES works. Then I came to think of
this: when an FTP client initiates a passive session it will only talk
to the firewall because it will most probably not know the real IP of
the destination. Only in my "little" world, I do know it. So this got me
thinking... When I only "talk" to the firewall, it's by definition an
INPUT rule which leads to some processing before it eventually goes to
the OUTPUT chain and then eventually leaves the firewall.

All the time, I designed FORWARD chains.... Oh well, crash course linux
... A newbie's life is not easy, and TGIF...

Cheers and have a nice weekend all
Knut Erik

-----Original Message-----
From: Mark Perry [mailto:PERRY@xxxxxxxxxx] 
Sent: Friday, July 25, 2003 2:53 PM
To: Knut Erik Hauslo
Subject: RE: [suse-security] IPTABLES Command slows down the machine



Best would be to add some logging. Add something similar to these
statements to the end of your script:

   iptables --append INPUT \
      --jump LOG \
      --log-level info \
      --log-prefix "iptables t=INPUT:"

   iptables --append OUTPUT \
      --jump LOG \
      --log-level info \
      --log-prefix "iptables t=OUTPUT:"

   iptables --append FORWARD \
      --jump LOG \
      --log-level info \
      --log-prefix "iptables t=FORWARD:"

Providing you don't have any DROP rules before these statements then
anything about to reach the default DROP policy will get LOG'ed.

Then, depending on how your /etc/syslog.conf has been set up, you will see
these logged messages, probably in /var/log/messages.

NOTE: the above can be much more sophisticated, but a basic log will be
better than none ;-)

All the Best / Mit Freundlichen Gruessen
Mark G. Perry

IBM Germany Development GmbH / IBM Deutschland Entwicklung GmbH
Schoenaicher Strasse 220, 71032 Boeblingen, Germany
Email/Sametime: perry@xxxxxxxxxx
Office Tel: (+49)-7031-16-3626
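
The log lines produced by the three LOG rules above can be tallied per chain, protocol and destination port to see which chain a given connection actually traverses. The script below is an added example and not part of either message; the function names `sample_log` and `summarize_drops` are hypothetical, the sample lines are constructed, and it assumes the kernel's usual KEY=value LOG layout following the "iptables t=<CHAIN>:" prefix.

```shell
#!/bin/sh
# Added example: summarise packets logged by the LOG rules shown above.
# Assumption: kernel LOG lines carry KEY=value fields right after the
# "iptables t=<CHAIN>:" prefix chosen in the message.

# Constructed sample lines (documentation addresses, not real traffic).
sample_log() {
cat <<'EOF'
Jul 25 15:01:02 fw kernel: iptables t=FORWARD:IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=63 ID=4711 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=5840 SYN URGP=0
Jul 25 15:01:05 fw kernel: iptables t=FORWARD:IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=63 ID=4712 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=5840 SYN URGP=0
Jul 25 15:01:07 fw sshd[1234]: Accepted publickey for admin from 192.0.2.20
Jul 25 15:01:09 fw kernel: iptables t=INPUT:IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TTL=64 ID=4713 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 SYN URGP=0
Jul 25 15:01:11 fw kernel: iptables t=OUTPUT:IN= OUT=eth0 SRC=192.0.2.1 DST=203.0.113.53 LEN=71 TTL=64 ID=4714 PROTO=UDP SPT=32768 DPT=53 LEN=51
Jul 25 15:01:15 fw kernel: iptables t=FORWARD:IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=63 ID=4715 DF PROTO=TCP SPT=40003 DPT=50123 WINDOW=5840 SYN URGP=0
EOF
}

# Reads syslog lines on stdin and prints "count chain proto dport",
# busiest combination first. Lines without the prefix are ignored;
# protocols without a port (e.g. ICMP) are reported with dport "-".
summarize_drops() {
    awk '
    {
        p = index($0, "iptables t=")
        if (p == 0) next                      # not one of our LOG lines
        rest = substr($0, p + 11)             # text after "iptables t="
        c = index(rest, ":")
        if (c == 0) next
        chain = substr(rest, 1, c - 1)        # INPUT, OUTPUT or FORWARD
        n = split(substr(rest, c + 1), f, " ")
        proto = "-"; dpt = "-"
        for (i = 1; i <= n; i++) {
            if (f[i] ~ /^PROTO=/) proto = substr(f[i], 7)
            else if (f[i] ~ /^DPT=/) dpt = substr(f[i], 5)
        }
        seen[chain " " proto " " dpt]++
    }
    END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Demo on the constructed sample; on a real system feed it the log file,
# e.g. summarize_drops < /var/log/messages
sample_log | summarize_drops
```

In the constructed sample, the FTP control and data connections to a host behind the firewall show up under FORWARD, while only traffic addressed to the firewall itself appears under INPUT.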
