When I enable iptables (v4/v6) on the server, every connection (ssh, imap, smtp, http, https, etc.) becomes slow, so if I try to connect over ssh it takes 30(!) seconds.
The imap service dovecot has the same problem. The rules I have set up:
What am I not seeing?
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 407K  138M ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spts:67:68 dpts:67:68
 7259  943K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 344K   55M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 1382 81884 ACCEPT     tcp  --  *      *       0.0.0.0/0            #serverip_v4#        tcp dpt:25
    8   472 ACCEPT     tcp  --  *      *       0.0.0.0/0            #serverip_v4#        tcp dpt:587
  212 12472 ACCEPT     tcp  --  *      *       0.0.0.0/0            #serverip_v4#        tcp dpt:143
  514 27852 ACCEPT     tcp  --  *      *       0.0.0.0/0            #serverip_v4#        tcp dpt:80
 3707  211K ACCEPT     tcp  --  *      *       0.0.0.0/0            #serverip_v4#        tcp dpt:443
17658 1043K ACCEPT     tcp  --  *      *       0.0.0.0/0            #serverip_v4#        tcp dpt:22
  123  4932 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0 state NEW,RELATED,ESTABLISHED
 3949  276K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4939 packets, 629K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 156K   20M ACCEPT     all      lo     *       ::/0                 ::/0
66440 5314K ACCEPT     all      *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    2   160 ACCEPT     tcp      *      *       ::/0                 #serverip_v6#        tcp dpt:25
    1    72 ACCEPT     tcp      *      *       ::/0                 #serverip_v6#        tcp dpt:587
22159 1773K ACCEPT     tcp      *      *       ::/0                 #serverip_v6#        tcp dpt:143
   14  1056 ACCEPT     tcp      *      *       ::/0                 #serverip_v6#        tcp dpt:80
  144 11108 ACCEPT     tcp      *      *       ::/0                 #serverip_v6#        tcp dpt:443
    3   212 ACCEPT     tcp      *      *       ::/0                 #serverip_v6#        tcp dpt:22
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                 ipv6-icmptype 128 state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     icmpv6   *      *       ::/0                 ::/0                 ipv6-icmptype 129 state NEW,RELATED,ESTABLISHED
  435 31296 REJECT     all      *      *       ::/0                 ::/0                 reject-with icmp6-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1349 packets, 137K bytes)
 pkts bytes target     prot opt in     out     source               destination
Using DROP or REJECT makes no difference. If I flush the rules, everything works like a charm.
As @MadHatter said in a comment, allowing DNS for established connections is important:

iptables -I INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
ip6tables -I INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
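To verify that the fix actually took effect (and that it was inserted with -I, above the catch-all REJECT, rather than appended with -A below it, where it would never match), here is a small check script. It is an added example, not part of the question or answer: it reads an `iptables -S INPUT` / `ip6tables -S INPUT` dump and looks for an ACCEPT of UDP replies from source port 53 that precedes the catch-all REJECT/DROP. The three rule dumps embedded in it are constructed to mirror the chain shown in the question (with the same placeholder address), before the fix, after the answer's rule, and with the rule wrongly appended.

```shell
#!/bin/sh
# Added example (not from the question or answer above): check whether an
# INPUT chain, as dumped by `iptables -S INPUT` / `ip6tables -S INPUT`, lets
# DNS replies (UDP from source port 53) back in BEFORE the catch-all
# REJECT/DROP. A rule that sits after the catch-all never matches, which is
# why the answer inserts with `-I INPUT` rather than appending with `-A INPUT`.

# Reads a `-S` dump on stdin; exits 0 if a usable DNS-reply ACCEPT exists.
dns_reply_rule_ok() {
    awk '
        # A REJECT/DROP with no protocol or port match is the catch-all:
        # rules after it are unreachable for the traffic it already covers.
        /-j (REJECT|DROP)/ && !/-p / && !/--[sd]port/ { catchall = 1 }
        # ACCEPT for UDP with source port 53, counted only before the catch-all.
        /-p udp/ && /--sport 53([^0-9]|$)/ && /-j ACCEPT/ && !catchall { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# Constructed sample dumps; the address is a placeholder as in the question.
# (1) The questioner's chain: conntrack rule, a service port, catch-all REJECT.
BEFORE_FIX='-P INPUT ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d #serverip_v4#/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

# (2) After the answer's `iptables -I INPUT ...`: the DNS rule sits at the top.
AFTER_FIX='-P INPUT ACCEPT
-A INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d #serverip_v4#/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

# (3) The same rule added with `-A` instead of `-I`: it lands after the REJECT.
WRONG_ORDER='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT'

# Print the verdict for one labelled dump.
report() {
    # $1: label, $2: dump text
    if printf '%s\n' "$2" | dns_reply_rule_ok; then
        echo "$1: ok (DNS replies accepted before the catch-all)"
    else
        echo "$1: MISSING (DNS replies hit the catch-all REJECT/DROP)"
    fi
}

report "before fix"  "$BEFORE_FIX"
report "after fix"   "$AFTER_FIX"
report "wrong order" "$WRONG_ORDER"

# On a live host, run the same check for both address families (needs root):
#   iptables -S INPUT  | dns_reply_rule_ok && echo "v4 ok"
#   ip6tables -S INPUT | dns_reply_rule_ok && echo "v6 ok"
```

Run it as-is to see the three verdicts; on the server itself, pipe the live `-S INPUT` output of both iptables and ip6tables into `dns_reply_rule_ok` as shown in the trailing comment, since the question shows the slowdown affecting both families.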