Your list generation is probably slowing down, trying to resolve the IPs to names.
Try "iptables -L -n" and see if that helps.

On Tue, 25 Jun 2002, Josep M. wrote:

> Hello.
>
> I installed rh7.2 and iptables. I never used iptables before and I had done my script
> for one machine only, and when I execute "iptables -L" it is terribly slow, maybe one
> line per minute to list all rules, on a PII350 with 320 RAM and more than 180 RAM free
> and only me as terminal user, no X loaded!!
>
> I would like to know if this is usual; ipchains was very quick listing rules!!
>
> I have all packages updated till yesterday.
>
> Josep
>
> PS: this is the script. I planned to add NAT in some days, so it is usual if you see
> forwarding rules enabled.
>
>
> #!/bin/sh
> #
> # Missing: SSL POP3S
> #
> #
> # Load the ip_tables module
> echo Loading ip_tables module.
> #/sbin/modprobe ip_tables || exit 1
> /sbin/depmod -a
> /sbin/modprobe ip_tables
> /sbin/modprobe ip_conntrack
> /sbin/modprobe ipt_LOG
> /sbin/modprobe ipt_REJECT
> /sbin/modprobe ipt_MASQUERADE
> /sbin/modprobe ip_nat_ftp
> /sbin/modprobe ip_nat_irc
> /sbin/modprobe ipt_owner
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_conntrack_irc
> # I let the kernel dynamically load the other modules
> IPTABLES="/sbin/iptables"
> #Time to clean house
> #Clear out any existing firewall rules, and any chains that might have
> #been created
> $IPTABLES -F
> $IPTABLES -F INPUT
> $IPTABLES -F OUTPUT
> $IPTABLES -F FORWARD
> $IPTABLES -F -t mangle
> $IPTABLES -F -t nat
> $IPTABLES -X
> #Setup our policies
> $IPTABLES -P INPUT DROP
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P FORWARD DROP
> #$IPTABLES -P FORWARD ACCEPT
> #This enables ip forwarding, and thus by extension, NAT
> #Turn this on if you're going to be doing NAT or Masquerading
> #echo 1 > /proc/sys/net/ipv4/ip_forward
>
> #We use the limit commands to cap the rate at which it alerts to 15
> #log messages per minute
> $IPTABLES -N firewall
> $IPTABLES -A firewall -m limit --limit 15/minute -j LOG --log-prefix FIREWALL-BLOCK:
> $IPTABLES -A firewall -j DROP
>
> #Now, our dropwall chain, for the final catchall filter
> $IPTABLES -N dropwall
> $IPTABLES -A dropwall -m limit --limit 15/minute -j LOG --log-prefix FIREWALL-DROP:
> $IPTABLES -A dropwall -j DROP
> #Our "hey, them's some bad tcp flags!" chain
> $IPTABLES -N badflags
> $IPTABLES -A badflags -m limit --limit 15/minute -j LOG --log-prefix FIREWALL-BADFLAGS:
> $IPTABLES -A badflags -j DROP
> #And our silent logging chain
> $IPTABLES -N silent
> $IPTABLES -A silent -j DROP
> # Create a table for watching some accepting rules
> $IPTABLES --new watch 2>/dev/null
> $IPTABLES -A watch -m limit --limit 1/second -j LOG --log-level warn --log-prefix FIREWALL-ICMP-WATCH:
> $IPTABLES -A watch -j ACCEPT
> #Accept ourselves (loopback interface), 'cause we're all warm and friendly
> $IPTABLES -A INPUT -i lo -j ACCEPT
> # ************ this example sucks. need to add rules to flush and clear chains first
> #
> # These rules block a number of reserved networks.
> # For example 10.* is used for non routable internal networks
> # For example 224.* and up is used for multi-cast
> # We use drop since these networks are not active and the response
> # will go nowhere
> #
> $IPTABLES -A INPUT -s 0.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 1.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 2.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 5.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 7.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 10.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 23.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 27.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 31.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 36.0.0.0/254.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 39.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 41.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 42.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 58.0.0.0/254.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 60.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 68.0.0.0/252.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 72.0.0.0/248.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 82.0.0.0/254.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 84.0.0.0/252.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 88.0.0.0/248.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 96.0.0.0/224.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 197.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 219.0.0.0/255.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 220.0.0.0/252.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> $IPTABLES -A INPUT -s 224.0.0.0/224.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DROP
> #
> ## Special chain KEEP_STATE to handle incoming, outgoing, and
> ## established connections.
> $IPTABLES -N KEEP_STATE
> $IPTABLES -F KEEP_STATE
>
> ## DROP packets associated with an "INVALID" connection.
> $IPTABLES -A KEEP_STATE -m state --state INVALID -j DROP
> #
> #
> ## UNCLEAN match target, somewhat experimental at this point.
> # $IPTABLES -A KEEP_STATE -m unclean -j DROP
> #
> # ACCEPT packets which are related to an established connection.
> $IPTABLES -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT
> #
> #Closed Ports. We don't want people from outside in our machine:)
> #
> #Samba uses these ports.
> $IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 137:139 -j DROP
> $IPTABLES -A INPUT -i eth0 -d 0/0 -p udp --dport 137:139 -j DROP
>
> #Drop those nasty packets!
> #These are all TCP flag combinations that should never, ever occur in the
> #wild. All of these are illegal combinations that are used to attack a box
> #in various ways, so we just drop them and log them here.
> $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
> $IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
> $IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
> $IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
> $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
> $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags
>
> #echo Enforcing up ICMP policies, use iptables -L ICMP to check.
> # If you deny all ICMP messages you head for trouble since it would
> # break lots of tcp/ip algorithms (acz)
> $IPTABLES --new ICMP 2>/dev/null
> $IPTABLES -A INPUT --proto icmp -j ICMP
> # This rule, supposedly, would log Ping of Death
> $IPTABLES -A INPUT -p icmp -f -j LOG --log-prefix "PINGOFD: "
> #ICMP Type 0 - Echo Reply
> $IPTABLES -A ICMP -p icmp --icmp-type 0 -j ACCEPT
> #ICMP Type 3 - Destination Unreachable
> $IPTABLES -A ICMP -p icmp --icmp-type 3 -j watch
> #ICMP Type 8 - Echo Request
> $IPTABLES -A ICMP -p icmp --icmp-type 8 -j watch
> #ICMP Type 11 - Time Exceeded
> $IPTABLES -A ICMP -p icmp --icmp-type 11 -j ACCEPT
> $IPTABLES -A ICMP -p icmp -j firewall
>
> #Accept FTP connections from everywhere.
> #Uncomment this if you're running FTP Server and want to be able to
> #access it from the outside world.
> #
> $IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 21 -j ACCEPT
>
> #Accept SSH connections from everywhere.
> #Uncomment this if you're running SSH Server and want to be able to
> #access it from the outside world.
> #
> $IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 22 -j ACCEPT
> #Accept Telnet connections from everywhere.
> #Uncomment this if you're running Telnet Server and want to be able to
> #access it from the outside world.
> #
> $IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 23 -j ACCEPT
>
> #Accept SMTP connections from everywhere.
> #Uncomment this if you're running SMTP Email Server and want to be able
> #to access it from the outside world.
> #
> $IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 25 -j ACCEPT
> #Accept POP3 connections from everywhere.
> #Uncomment this if you're running POP3 Email Server and want to be able
> #to access it from the outside world.
> #
> $IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 110 -j ACCEPT
> #Accept DNS connections from everywhere.
> #Uncomment this if you're running DNS and want to be able to access it
> #from the outside world.
> #
> $IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 53 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -d 0/0 -p udp --dport 53 -j ACCEPT
> #Accept Web connections from everywhere.
> #Uncomment this if you're running Web Server and want to be able
> #to access it from the outside world.
> #
> $IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 80 -j ACCEPT
>
> ## AUTH server
> # Reject ident probes with a tcp reset. I need to do this for a broken mailhost
> # that won't accept my mail if I just drop its ident probe.
> #$IPTABLES -A INPUT -i eth0 -p tcp --dport 113 -j REJECT --reject-with tcp-reset
>
> #Uncomment to drop port 137 netbios packets silently. We don't like
> #that netbios stuff, and it's way too spammy with windows machines on
> #the network.
> #
> #$IPTABLES -A INPUT -i eth0 -p udp --sport 137 --dport 137 -j silent
> # Now we block all incoming traffic to ports between 1 and 59999. For your system
> # to behave it is suggested you modify ip_local_port_range in /proc
> #
> $IPTABLES -A INPUT -s 0/0 -d 0/0 -i eth0 -p tcp -m tcp --dport 1:59999 -j REJECT
> $IPTABLES -A INPUT -s 0/0 -d 0/0 -i eth0 -p udp -m udp --dport 1:59999 -j REJECT
> #
>
> #Our final trap. Everything on INPUT goes to the dropwall so we don't get silent drops
> $IPTABLES -A INPUT -j dropwall
>
>
> # Disable IP spoofing attacks.
> #
> # This drops traffic addressed for one network though it is being received on a
> # different interface.
> #
> echo " - Disabling IP Spoofing attacks."
> for file in /proc/sys/net/ipv4/conf/*/rp_filter
> do
>     echo "2" > $file
> done
> # Comment the following out if you are not using a dynamic address
> #
> echo " - Enabling dynamic TCP/IP address hacking."
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>
> # Enable TCP SYN Cookie protection:
> #
> echo " - Enable TCP SYN Cookie protection"
> echo "1" > /proc/sys/net/ipv4/tcp_syncookies
> # Ensure that various ICMP sanity settings are there
> #
> echo " - Enable ICMP sanity settings"
>
> # Disable ICMP broadcast echo protection
> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> # Enable bad error message protection
> echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
>
> # Disable ICMP Re-directs
> for file in /proc/sys/net/ipv4/conf/*/accept_redirects; do
>     echo "0" > $file
> done
> #
>
>
>
>
> _______________________________________________
> Redhat-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/redhat-list
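As an added example (not from the thread or from Josep's script), here is a POSIX shell audit that runs offline over a constructed iptables-save style dump modelled on the quoted ruleset: it lists user chains that no rule ever jumps to, and counts rules with explicit addresses, which is what plain "iptables -L" reverse-resolves and "iptables -L -n" does not. The sample, like the posted script, declares KEEP_STATE but never sends INPUT traffic to it, so the audit flags it.

```shell
#!/bin/sh
# Constructed iptables-save style dump modelled on the quoted script
# (user chains declared with ":NAME - [0:0]", then the rules). Not a
# capture from a real host.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:firewall - [0:0]
:dropwall - [0:0]
:badflags - [0:0]
:silent - [0:0]
:watch - [0:0]
:KEEP_STATE - [0:0]
:ICMP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
-A INPUT -s 224.0.0.0/3 -i eth0 -j DROP
-A KEEP_STATE -m state --state INVALID -j DROP
-A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --tcp-flags ALL NONE -j badflags
-A INPUT -p icmp -j ICMP
-A ICMP -p icmp --icmp-type 8 -j watch
-A ICMP -p icmp -j firewall
-A INPUT -i eth0 -p udp --dport 1:59999 -j REJECT
-A INPUT -j dropwall
COMMIT'

# Print, sorted, every user-defined chain that no rule reaches with
# -j or -g. A dead chain is harmless clutter at best; a dead KEEP_STATE
# means the RELATED,ESTABLISHED accept never applies to INPUT.
unreferenced_chains() {
    printf '%s\n' "$1" | awk '
        /^:/ && $2 == "-"  { sub(/^:/, "", $1); defined[$1] = 1 }
        /^-A /             { for (i = 1; i < NF; i++)
                                 if ($i == "-j" || $i == "-g") used[$(i + 1)] = 1 }
        END { for (c in defined) if (!(c in used)) print c }' | sort
}

# Count rules carrying an explicit -s/-d address. Plain "iptables -L"
# reverse-resolves every one of them; "iptables -L -n" prints them as-is.
address_rules() {
    printf '%s\n' "$1" | grep -c -E '^-A .*(-s|-d) [0-9]'
}

echo "chains defined but never jumped to:"
unreferenced_chains "$SAMPLE_RULES"
echo "rules that plain -L would reverse-resolve: $(address_rules "$SAMPLE_RULES")"
```

On a live box, feed it the output of "iptables-save" instead of the constructed sample.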