On Sun, 3 Nov 2002 [EMAIL PROTECTED] wrote:
> I added these iptables rules to my server/gateway but it makes traffic
> to the server go VERY slow, eg. mail, POP3, SSH. When I removed them it went
> ok. The idea of the following rules is to allow incoming SMTP and HTTP
> server traffic but block every other incoming connection.
>
> iptables -A INPUT -s 0/0 -p icmp -i eth0 -j DROP

Firstly, you don't want to drop all ICMP. This will break Path MTU Discovery,
among other things. Path MTU is used by TCP to work out how large a packet it
can send over the entire length of the connection without sending one larger
than the MTU of a single link.

> iptables -A INPUT -s 0/0 -i eth0 -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -s 0/0 -i eth0 -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -s 0/0 -i eth0 -p tcp -j DROP
> iptables -A INPUT -s 0/0 -i eth0 -p ! tcp -j DROP

Since you're running iptables, you can use stateful inspection instead of the
old semantics for handling "existing" connections, so try the following instead:

# Create the two user-defined chains that the INPUT rules below jump to
# (a -j to a chain that does not exist yet is rejected by iptables)
iptables -N services
iptables -N logdrop

# Accept all incoming packets which are for (a) established connections
# which we either initiated outwards, or were successfully initiated
# inwards, (b) related packets to such connections (eg, ICMP for Path MTU
# Discovery, ICMP for failed connection attempts, etc..)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT

# New connections should be passed through the services chain
iptables -A INPUT -m state --state NEW -i eth0 -j services

# Everything else should be logged and dropped
iptables -A INPUT -i eth0 -j logdrop

# Services chain: what services do we accept connections for to this box
iptables -A services -p tcp --dport 80 -j ACCEPT
iptables -A services -p tcp --dport 25 -j ACCEPT

# Log chain: Log the packet, then drop it
iptables -A logdrop -j LOG --log-level warn --log-prefix="[DROP]"
iptables -A logdrop -j DROP

Now, if you want to allow another service you can just add it to the services
chain, and all will function.
This will work equally well on UDP as it does TCP; with 2.4 you don't have to
just open up all your ephemeral ports for UDP. So, if you wanted to add a DNS
server to the box, you could just do:

iptables -A services -p udp --dport 53 -j ACCEPT

And you're done.

-- 
"I know of no technological device at this time that would [prevent piracy]
and if it did exist, it would only be a matter of days before the [..]
manufacturers would have an override piece of equipment on their machine and
you would start from ground zero again."
-- Jack Valenti, President of the MPAA (1982)
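The design above as a re-runnable script, added here as an example and not part of the original mail: it creates the chains before referencing them, sets a default-deny policy, leaves loopback alone, and rate-limits the LOG target so a flood of dropped packets cannot fill the log. It assumes the outside interface is eth0 (IFACE) and that the iptables binary is on PATH (IPT); setting IPT=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumptions: outside interface
# is eth0 (IFACE), iptables is on PATH (IPT). IPT=echo gives a dry run.
IPT="${IPT:-iptables}"
IFACE="${IFACE:-eth0}"

# Every rule goes through this wrapper so the whole script can be dry-run.
rule() {
    "$IPT" "$@"
}

# Open one service: append an ACCEPT for proto/port to the services chain.
allow_service() {
    rule -A services -p "$1" --dport "$2" -j ACCEPT
}

build_firewall() {
    # Create the user chains on the first run, flush them on later runs.
    for chain in services logdrop; do
        rule -N "$chain" 2>/dev/null || rule -F "$chain"
    done
    rule -F INPUT
    rule -P INPUT DROP                 # default deny if no rule matches
    rule -A INPUT -i lo -j ACCEPT      # loopback traffic is never filtered
    # (a) established connections in either direction, (b) related packets
    # such as the ICMP needed for Path MTU Discovery.
    rule -A INPUT -m state --state ESTABLISHED,RELATED -i "$IFACE" -j ACCEPT
    # New connections are decided by the services chain.
    rule -A INPUT -m state --state NEW -i "$IFACE" -j services
    # Everything else on the outside interface is logged and dropped.
    rule -A INPUT -i "$IFACE" -j logdrop
    allow_service tcp 80
    allow_service tcp 25
    # Rate-limit LOG so a packet flood cannot fill the log; DROP is unlimited.
    rule -A logdrop -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-level warn --log-prefix "[DROP] "
    rule -A logdrop -j DROP
}

# Apply only when run as "sh firewall.sh apply"; otherwise just define
# the functions so the script can be sourced or dry-run.
case "${1:-}" in
    apply) build_firewall ;;
esac
```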
