Thanks for the responses. Regarding the name resolution, is it looking for itself, the local machine? The command below "iptables -L-n -V" just lists the version of iptables, nothing else. Doing "iptables -nL" gave a much quicker response.
The main problem is that everything is slow after loading the rules (examples: webmin, vnc, opening a shell, smtp). Once I disable the rules, the performance picks back up. My intention is to make this server my SMTP gateway, which will be handling thousands of emails on a daily basis, and the performance issue after loading iptables is preventing me from deploying this server. Has anyone seen this behavior after enabling iptables?
Jack Bowling <[EMAIL PROTECTED]> wrote:
On Fri, Dec 20, 2002 at 05:59:23AM -0800, lester lasad wrote:
>
> I am running redhat 7.3; everything is working properly until loading the iptables rules. After loading the rules I am taking a big performance hit. It can take anywhere from 10 - 30 seconds for my server to display the results of "iptables -L". This wasn't happening prior to the rules being loaded. Trying to open a shell has the same results, as well as many other things.
>
> I am loading the iptables rules from webmin. After disabling the rules using "iptables -P INPUT ACCEPT" and "iptables -F", I no longer have a performance issue. I have included the contents of iptables below.
>
> *filter
> :FORWARD ACCEPT [0:0]
> :INPUT DROP [0:0]
> :Inbound - [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -j Inbound
> -A Inbound -p tcp -m tcp -m state --state ESTABLISHED -j ACCEPT
> -A Inbound -p tcp -m tcp -d 10.96.8.96 --dport 22 -j ACCEPT
> -A Inbound -p tcp -m tcp -d 10.96.8.96 --dport 25 -j ACCEPT
> -A Inbound -p tcp -m tcp -d 10.96.8.96 --dport 10000 -j ACCEPT
> -A Inbound -i lo -j ACCEPT
> -A Inbound -p tcp -m tcp -j DROP
> -A Inbound -p udp -m udp -j DROP
> -A Inbound -p icmp -j DROP
> COMMIT
> # Generated by webmin
> *mangle
> :FORWARD ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> COMMIT
> # Completed
> # Generated by webmin
> *nat
> :OUTPUT ACCEPT [0:0]
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> COMMIT
> # Completed
Please change the first ACCEPT rule to ESTABLISHED, RELATED to enable
one of the finer abilities of netfilter code.
And your problem is undoubtedly name resolution. By making your command
"iptables -L-n -v", you will be spared the long wait.
--
Jack Bowling
mailto: [EMAIL PROTECTED]
--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
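A small lint pass over the quoted ruleset, added here as an example and not part of the thread: it flags the state rule the reply wants changed (ESTABLISHED without RELATED), notes that the rule is pinned to TCP so the UDP replies to the reverse lookups "iptables -L" performs fall through to the "-p udp -j DROP" line, and shows the rewritten rule. The RULES text is a constructed copy of the poster's filter table; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). RULES is a constructed copy of the
# poster's filter table; the address is the one given in the thread.
RULES='*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:Inbound - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j Inbound
-A Inbound -p tcp -m tcp -m state --state ESTABLISHED -j ACCEPT
-A Inbound -p tcp -m tcp -d 10.96.8.96 --dport 22 -j ACCEPT
-A Inbound -p tcp -m tcp -d 10.96.8.96 --dport 25 -j ACCEPT
-A Inbound -i lo -j ACCEPT
-A Inbound -p tcp -m tcp -j DROP
-A Inbound -p udp -m udp -j DROP
-A Inbound -p icmp -j DROP
COMMIT'

# Count ACCEPT rules whose --state list names ESTABLISHED but not RELATED.
count_established_without_related() {
  printf '%s\n' "$1" | awk '
    /-j ACCEPT/ {
      for (i = 1; i <= NF; i++) if ($i == "--state") s = $(i + 1)
      if (s ~ /ESTABLISHED/ && s !~ /RELATED/) n++
      s = ""
    }
    END { print n + 0 }'
}

# Count state rules pinned to one protocol. With INPUT at DROP and the
# catch-all UDP/ICMP DROPs below, replies of any other protocol (the UDP
# answers to DNS lookups, for one) never match and wait out a timeout.
count_protocol_bound_state_rules() {
  printf '%s\n' "$1" | awk '/--state/ && /-p (tcp|udp|icmp) / { n++ } END { print n + 0 }'
}

# Rewrite the first rule as the reply suggests, and drop the protocol pin
# so the same rule also admits UDP and ICMP replies of tracked flows.
fix_state_rule() {
  printf '%s\n' "$1" | sed \
    's/^\(-A [^ ]*\) -p tcp -m tcp -m state --state ESTABLISHED -j ACCEPT$/\1 -m state --state ESTABLISHED,RELATED -j ACCEPT/'
}

FIXED=$(fix_state_rule "$RULES")
echo "before: $(count_established_without_related "$RULES") state rule(s) without RELATED"
echo "after:  $(count_established_without_related "$FIXED") state rule(s) without RELATED"
```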