* extreme rDNS lag with iptables
@ 2003-11-04 20:27 Ben
  2003-11-04 20:39 ` Aldo S. Lagana
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Ben @ 2003-11-04 20:27 UTC (permalink / raw)
  To: netfilter


Hello,

I'm new to this list, so forgive me if I seem newbish :-)

The problem I am having is that when I turn on iptables, I see rDNS lag to
about 30 seconds.  I see this happen with two programs I am using, proftpd
and uwimap.  Both work fine with flushed tables, but when I run the following

IPTABLES="/sbin/iptables"

#Flush everything, start from scratch
$IPTABLES -F

#Set default policies to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

#Set default OUTPUT policy to ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Open ports for server/services
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 37 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 43 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 143 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 465 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 465 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 873 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 873 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 993 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 995 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 2082 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 2083 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 2086 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 2087 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 2089 -j ACCEPT

I see login requests spike from almost instant to upwards of 30 seconds.
This of course causes timeouts with most client software.

Has anyone run into this before? Does anyone know how I might go about
fixing it?



* RE: extreme rDNS lag with iptables
  2003-11-04 20:27 extreme rDNS lag with iptables Ben
@ 2003-11-04 20:39 ` Aldo S. Lagana
  2003-11-04 20:47 ` Jörg Schütter
  2003-11-05  0:41 ` Sven-Haegar Koch
  2 siblings, 0 replies; 4+ messages in thread
From: Aldo S. Lagana @ 2003-11-04 20:39 UTC (permalink / raw)
  To: 'Ben', netfilter


I think you may need a FORWARD rule for DNS requests - INPUT and OUTPUT
rules only affect locally generated traffic.

* Re: extreme rDNS lag with iptables
  2003-11-04 20:27 extreme rDNS lag with iptables Ben
  2003-11-04 20:39 ` Aldo S. Lagana
@ 2003-11-04 20:47 ` Jörg Schütter
  2003-11-05  0:41 ` Sven-Haegar Koch
  2 siblings, 0 replies; 4+ messages in thread
From: Jörg Schütter @ 2003-11-04 20:47 UTC (permalink / raw)
  To: netfilter

Hello Ben,

On Tue, 4 Nov 2003 15:27:04 -0500
"Ben" <nigma@nigma.info> wrote:

> Hello,
>
> I'm new to this list, so forgive me if I seem newbish :-)
>
> The problem I am having is that when I turn on iptables, I see rDNS lag
> to about 30 seconds.  I see this happen with two programs I am using,
> proftpd and uwimap.  Both work fine with flushed tables, but when I run
> the following
[...]

Try to reject ident connections instead of dropping them, which is the
default in your policy.


Jörg

-- 
Jörg Schütter           http://www.lug-untermain.de/
joerg@schuetter.org     http://www.schuetter.org/joerg/
ICQ: 298982789          http://mypenguin.bei.t-online.de/




* Re: extreme rDNS lag with iptables
  2003-11-04 20:27 extreme rDNS lag with iptables Ben
  2003-11-04 20:39 ` Aldo S. Lagana
  2003-11-04 20:47 ` Jörg Schütter
@ 2003-11-05  0:41 ` Sven-Haegar Koch
  2 siblings, 0 replies; 4+ messages in thread
From: Sven-Haegar Koch @ 2003-11-05  0:41 UTC (permalink / raw)
  To: Ben; +Cc: netfilter

On Tue, 4 Nov 2003, Ben wrote:

> The problem I am having is that when I turn on iptables, I see rDNS lag to
> about 30 seconds.  I see this happen with two programs I am using, proftpd
> and uwimap.  Both work fine with flushed tables, but when I run the following

[rules removed]

> I see login request spike from almost instant to upwards of 30 seconds.
> This of course causes timeouts with most client software.
>
> Has anyone run into this before? Does anyone know how I might go about
> fixing it?

How about allowing answers for outgoing connections from your box back
in? As your rules are now, everything connecting FROM your box is dropped
by your default policy.

Your box does at least outbound DNS queries from a random source port, and
most likely ident too (your ftp daemon or more).

A simple

	iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

should help a lot.

And adding a

	iptables -A INPUT -j LOG

as the very last rule helps while debugging; this way you can see what
your default policy drops.

c'ya
sven

-- 

The Internet treats censorship as a routing problem, and routes around it.
(John Gilmore on http://www.cygnus.com/~gnu/)
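Sven-Haegar's state rule and LOG rule and Jörg's ident suggestion folded into Ben's script, as an added example that is not part of the thread. The port list is Ben's, the REJECT on 113 follows Jörg's reply, and IPTABLES defaults to a dry-run "echo iptables" so nothing is applied unless you point it at the real binary.

```shell
#!/bin/sh
# Added example, not code from the thread: Ben's INPUT policy rebuilt with
# the changes the replies suggest. IPTABLES defaults to "echo iptables" so
# the script can be dry-run; set it to /sbin/iptables to apply the rules.
IPTABLES="${IPTABLES:-echo iptables}"

# Ports from Ben's original script (113 is handled separately below).
TCP_PORTS="20 21 22 25 37 43 53 80 110 143 443 465 873 993 995 2082 2083 2086 2087 2089"
UDP_PORTS="53 465 873"

build_rules() {
    $IPTABLES -F INPUT
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Sven-Haegar's fix: accept replies to connections this box initiated.
    # A reverse-DNS answer or an ident reply comes back to the random source
    # port the daemon used; no --dport rule matches it, so without this rule
    # it falls through to the DROP policy and the lookup waits for its
    # timeout. Placing the rule first keeps replies off that slow path.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Jörg's suggestion: answer ident (113) probes with a TCP reset instead
    # of dropping them, so the remote side fails at once rather than after a
    # timeout. If an identd really runs here, keep ACCEPT as in Ben's script.
    $IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # Only new connections need the per-port rules now.
    for p in $TCP_PORTS; do
        $IPTABLES -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $UDP_PORTS; do
        $IPTABLES -A INPUT -p udp --dport "$p" -j ACCEPT
    done

    # Sven-Haegar's debugging aid as the very last rule: log what the default
    # policy is about to drop (rate-limited so a flood cannot fill syslog).
    $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
}

build_rules
```

Run it as-is to review the generated rule list; anything the LOG rule records afterwards is traffic that reached the DROP policy and may need its own rule.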


