Fwd: Re: IP Tables slows network response times

/dev/rob0 rob0 at gmx.co.uk
Mon Aug 15 15:13:07 CEST 2005

On Monday 2005-August-15 06:32, Michael Hallager wrote:
> AS FOLLOWS: (Oops. my mistake!)

Another mistake is that the script ("batch") in the OP would not have 
generated these rules. Having referred back to that I see you're using 
the netfilter drivers built-in rather than as modules. A *big* mistake. 
What is the benefit you expected to see from that choice?

Learn to walk before you try to run. "I have the bare number of needed 
modules compiled into the custom kernel," you said. But do you know 
which ones are really needed? I doubt it.

> root at 202-150-101-225:/home/michael# iptables-save
> # Generated by iptables-save v1.3.3 on Mon Aug 15 23:29:05 2005
> *mangle

You (was it you?) compiled in mangle support; you're not using it.

> *filter
> :INPUT DROP [0:0]
> :OUTPUT ACCEPT [24885:3543903]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -d -p tcp -m tcp --dport 22 -j ACCEPT

The destination IP addresses were not in the script posted.

> -A INPUT -d -p tcp -m layer7 --l7proto smtp -m tcp
> --dport 25 -j ACCEPT

layer7 was DEFINITELY not mentioned. Is this not only available as a 
patch? From an unpatched slackware-current install:
# iptables -vA INPUT -m layer7 -l7proto smtp
iptables v1.3.3: Couldn't load match 
`layer7':/usr/lib/iptables/libipt_layer7.so: cannot open shared object 
file: No such file or directory

Did you not configure this machine yourself? If you did, why did you 
choose layer7 filtering? And why would you not have considered that a 
relevant fact in posting your question? Either you deliberately put us 
through a silly guessing game, or you have no idea what you are doing 
with your kernel.

Why do we see so many posters who post before RTFM?

> -A INPUT -d -p tcp -m layer7 --l7proto dns -m tcp
> --dport 53 -j ACCEPT

Do you even understand what layer7 filtering does? I don't use it 
myself, nor am I likely to do so in the future, but my high-level 
understanding is that it inspects the content of each packet against 
protocol definitions to see if it matches.

It's a fun idea, but it's ugly and slow in practice. No wonder your 
firewall is slowing things down.

In GNU/Linux, things will mostly work as designed. When you start 
patching and changing things, be sure you know what you are doing.

In my years of learning and doing I have certainly encountered my fair 
share of frustration. But as a rule I've found that by leaving things 
alone until I understand them, I am much more successful.

Dx: severe Clue deficiency
Rx: revert to a Slackware kernel/modules
Rx: RTFM: http://netfilter.org/documentation/
Rx: RTFM: http://slackbook.org/html/
Px: GOOD, if Rx followed; POOR otherwise
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
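As an added example (not from the thread or the netfilter project), a small Python linter for iptables-save output that flags the two things complained about above: a table that is compiled in but carries no rules, and rules that use a match which exists only as an out-of-tree patch or which inspects every packet's payload. The dump is a constructed sample modelled on the quoted one; 192.0.2.10 is a documentation address standing in for the stripped destination.

```python
import re

# layer7 exists only as an out-of-tree patch (hence the post's "unpatched
# slackware-current" error); layer7 and string inspect every packet's payload.
PATCH_ONLY_MATCHES = {"layer7"}
PAYLOAD_MATCHES = {"layer7", "string"}

# Constructed sample modelled on the dump quoted in the thread; 192.0.2.10 is
# an RFC 5737 documentation address standing in for the stripped destination.
SAMPLE = """\
*mangle
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 192.0.2.10/32 -p tcp -m layer7 --l7proto smtp -m tcp --dport 25 -j ACCEPT
-A INPUT -d 192.0.2.10/32 -p tcp -m layer7 --l7proto dns -m tcp --dport 53 -j ACCEPT
COMMIT
"""

def parse_save(text):
    """Return {table: [rule, ...]} from iptables-save output."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments
        if line.startswith("*"):
            current = line[1:]            # "*filter" opens a table
            tables[current] = []
        elif line.startswith(":") or line == "COMMIT":
            continue                      # chain policy/counters, table end
        elif current is not None:
            tables[current].append(line)  # "-A CHAIN ..." rule
    return tables

def lint(text):
    """Return (table, kind, detail) findings: empty tables, patch-only/payload matches."""
    findings = []
    for table, rules in parse_save(text).items():
        if not rules:
            findings.append((table, "empty-table", table))
        for rule in rules:
            for match in re.findall(r"(?:^|\s)-m\s+(\S+)", rule):
                if match in PATCH_ONLY_MATCHES:
                    findings.append((table, "patch-only-match", rule))
                if match in PAYLOAD_MATCHES:
                    findings.append((table, "payload-match", rule))
    return findings
```

`lint(SAMPLE)` reports the empty mangle table once and each layer7 rule twice (patch-only and payload-inspecting); the plain `-m tcp --dport 22` rule is left alone.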
