Fwd: Re: IP Tables slows network response times
rob0 at gmx.co.uk
Mon Aug 15 15:13:07 CEST 2005
On Monday 2005-August-15 06:32, Michael Hallager wrote:
> AS FOLLOWS: (Oops. my mistake!)
Another mistake is that the script ("batch") in the OP would not have
generated these rules. Having referred back to that I see you're using
the netfilter drivers built-in rather than as modules. A *big* mistake.
What is the benefit you expected to see from that choice?
Learn to walk before you try to run. "I have the bare number of needed
modules compiled into the custom kernel," you said. But do you know
what are really needed? I doubt it.
> root@202-150-101-225:/home/michael# iptables-save
> # Generated by iptables-save v1.3.3 on Mon Aug 15 23:29:05 2005
You (was it you?) compiled in mangle support; you're not using it.
> :INPUT DROP [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [24885:3543903]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -d 220.127.116.11 -p tcp -m tcp --dport 22 -j ACCEPT
The destination IP addresses were not in the script posted.
> -A INPUT -d 18.104.22.168 -p tcp -m layer7 --l7proto smtp -m tcp --dport 25 -j ACCEPT
layer7 was DEFINITELY not mentioned. Is this not only available as a
patch? From an unpatched slackware-current install:
# iptables -vA INPUT -m layer7 -l7proto smtp
iptables v1.3.3: Couldn't load match `layer7':/usr/lib/iptables/libipt_layer7.so: cannot open shared object file: No such file or directory
Did you not configure this machine yourself? If you did, why did you
choose layer7 filtering? And why would you not have considered that a
relevant fact in posting your question? Either you deliberately put us
through a silly guessing game, or you have no idea what you are doing
with your kernel.
Why do we see so many posters who post before RTFM?
> -A INPUT -d 22.214.171.124 -p tcp -m layer7 --l7proto dns -m tcp --dport 53 -j ACCEPT
Do you even understand what layer7 filtering does? I don't use it
myself, nor am I likely to do so in the future, but my high-level
understanding is that it inspects the content of each packet against
protocol definitions to see if it matches.
It's a fun idea, but it's ugly and slow in practice. No wonder your
firewall is slowing things down.
In GNU/Linux, things will mostly work as designed. When you start
patching and changing things, be sure you know what you are doing.
In my years of learning and doing I have certainly encountered my fair
share of frustration. But as a rule I've found that by leaving things
alone until I understand them, I am much more successful.
Dx: severe Clue deficiency
Rx: revert to a Slackware kernel/modules
Rx: RTFM: http://netfilter.org/documentation/
Rx: RTFM: http://slackbook.org/html/
Px: GOOD, if Rx followed; POOR otherwise
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
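Added example, not part of the original thread or of anything rob0 or Michael posted: the reply's two practical points are "do you know which netfilter pieces are really needed?" and "you compiled in mangle support; you're not using it". This Python script answers both questions from an iptables-save dump: it parses the tables, chains and rules, lists every match extension (-m), target (-j) and protocol (-p) the rules depend on, reports tables that carry no rules at all, and flags match extensions that are not in the mainline tree (layer7 was only available as an out-of-tree patch). The sample dump is constructed from the rules quoted in the thread; the mangle table in it is an assumed empty one, since the thread only says it was present and unused, and the MAINLINE_MATCHES list is a partial one chosen for this example.

```python
"""Inventory the netfilter extensions an iptables-save dump relies on.

Added example (not from the mailing-list thread). Given iptables-save
output it reports, per table: how many rules there are, which -m match
extensions, -j targets and -p protocols they use, and which matches are
not mainline netfilter (layer7 was an out-of-tree patch).
"""
import shlex

# Partial list of match extensions shipped with mainline iptables 1.3.x.
# Assumption for this example: anything not listed is treated as out-of-tree.
MAINLINE_MATCHES = {
    "state", "conntrack", "tcp", "udp", "icmp", "limit", "mac", "multiport",
    "owner", "length", "ttl", "mark", "tos",
}

# Constructed sample: the filter rules quoted in the thread plus an assumed
# empty mangle table (the thread says mangle was compiled in but unused).
SAMPLE_DUMP = """\
# Generated by iptables-save v1.3.3 on Mon Aug 15 23:29:05 2005
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24885:3543903]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 220.127.116.11 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 18.104.22.168 -p tcp -m layer7 --l7proto smtp -m tcp --dport 25 -j ACCEPT
-A INPUT -d 22.214.171.124 -p tcp -m layer7 --l7proto dns -m tcp --dport 53 -j ACCEPT
COMMIT
"""


def parse_dump(text):
    """Parse iptables-save output into {table: {"chains": {...}, "rules": [...]}}.

    Chains map name -> policy ("-" for user-defined chains); each rule is
    kept as its shlex-split token list.
    """
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment line
        if line.startswith("*"):
            current = line[1:]            # "*filter" starts a table
            tables[current] = {"chains": {}, "rules": []}
        elif line.startswith(":"):
            # ":CHAIN POLICY [pkts:bytes]"
            name, policy, _counters = line[1:].split(None, 2)
            tables[current]["chains"][name] = policy
        elif line == "COMMIT":
            current = None                # end of this table
        else:
            tables[current]["rules"].append(shlex.split(line))
    return tables


def inventory(tables):
    """Collect, per table, the match/target/protocol extensions its rules need."""
    report = {}
    for table, data in tables.items():
        matches, targets, protos = set(), set(), set()
        for tokens in data["rules"]:
            # Walk (flag, value) pairs; only -m/-j/-p carry module names.
            for flag, value in zip(tokens, tokens[1:]):
                if flag == "-m":
                    matches.add(value)
                elif flag == "-j":
                    targets.add(value)
                elif flag == "-p":
                    protos.add(value)
        report[table] = {
            "rule_count": len(data["rules"]),
            "matches": matches,
            "targets": targets,
            "protocols": protos,
            "out_of_tree": matches - MAINLINE_MATCHES,
        }
    return report


def unused_tables(report):
    """Tables that are loaded (present in the dump) but contain no rules."""
    return sorted(t for t, r in report.items() if r["rule_count"] == 0)


def main():
    report = inventory(parse_dump(SAMPLE_DUMP))
    for table, r in report.items():
        print(f"[{table}] rules={r['rule_count']} matches={sorted(r['matches'])} "
              f"targets={sorted(r['targets'])} protocols={sorted(r['protocols'])}")
        if r["out_of_tree"]:
            print(f"  out-of-tree match extensions: {sorted(r['out_of_tree'])}")
    for table in unused_tables(report):
        print(f"  table '{table}' has no rules; its support need not be built")


if __name__ == "__main__":
    main()
```

Run against a real box with `iptables-save | python3 inventory.py` after swapping SAMPLE_DUMP for `sys.stdin.read()`; the out-of-tree list is exactly the set of patches you would have to carry forward on every kernel rebuild, which is the cost the reply is warning about.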