I made the attached iptables script about a month or two ago. I haven't had ANY trouble with it at all.
About a week ago, web pages on our development server started loading Very slowly. Most of the time, it would load completely after about 3 minutes (I'm connection from the LAN). Maybe about 30% of the time it will load only about 50% of the page.. ie: all code is there, but only half the images where displayed.
After extensively trouble shooting apache, I determined that there was nothing wrong with it. For sh*ts and giigles I stopped my firewall.. Right away the page started loading instantly again.
Can anyone see what is wrong with my script?
Any idea why it used to work, but now stopped?
#!/bin/sh
#### Remember, this is a FIRST RULE MATCH, NOT last rule matched.
IPTABLES=/sbin/iptables LAN="10.0.0.0/24" SERVER_PREFIX="10.0.0." SERVERS="2 200 221 225 226 230 250" ATT="www.xxx.yyy.zzz" WORLD="0.0.0.0/0"
################################################################### # Set some kern params. Enable () { for file in $@; do echo 1> $file; done } Disable () { for file in $@; do echo 0> $file; done } # disable a few things. Disable /proc/sys/net/ipv4/tcp_sack Disable /proc/sys/net/ipv4/ip_forward Disable /proc/sys/net/ipv4/tcp_timestamps Disable /proc/sys/net/ipv4/conf/*/accept_source_route Disable /proc/sys/net/ipv4/conf/*/accept_redirects Disable /proc/sys/net/ipv4/conf/*/send_redirects # enable a few things. Enable /proc/sys/net/ipv4/tcp_syncookies Enable /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts Enable /proc/sys/net/ipv4/conf/*/rp_filter Enable /proc/sys/net/ipv4/conf/*/log_martians
function on {
################################################################## ## Clear the firewall. And prepare some tables, default to drop #echo "section 1" $IPTABLES -F $IPTABLES -X $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP $IPTABLES -P OUTPUT DROP
$IPTABLES -N FIRE-IN $IPTABLES -N FIRE-OUT $IPTABLES -N SYN-FLOOD $IPTABLES -N PACKETS
# Any one who has full access #$IPTABLES -A INPUT -s 10.0.0.3 -j ACCEPT #$IPTABLES -A OUTPUT -s 10.0.0.3 -j ACCEPT $IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT $IPTABLES -A OUTPUT -s 127.0.0.1 -j ACCEPT
# Set the order of where our packets are going. $IPTABLES -A INPUT -j FIRE-IN $IPTABLES -A OUTPUT -j FIRE-OUT $IPTABLES -A INPUT -j SYN-FLOOD $IPTABLES -A INPUT -j PACKETS
################################################################### ## Allow localhost to do whatever it wants #echo "section 2" $IPTABLES -A INPUT -i lo -s 127.0.0.1 -j ACCEPT $IPTABLES -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT ## but blcok spoofed attempts $IPTABLES -A FIRE-IN -s 127.0.0.0/8 -j LOG --log-prefix "Spoofed lo interface: " $IPTABLES -A FIRE-IN -s 127.0.0.0/8 -j DROP $IPTABLES -A FIRE-IN -d 127.0.0.0/8 -j LOG --log-prefix "Spoofed lo interface: " $IPTABLES -A FIRE-IN -d 127.0.0.0/8 -j DROP
################################################################## # Ensure that TCP connections start with syn packets #echo "section 3" $IPTABLES -A PACKETS -p tcp -m tcp ! --syn -m state --state NEW -j DROP # Drop un-identified packets $IPTABLES -A PACKETS -m state --state INVALID -j DROP # Drop invalid packets $IPTABLES -A PACKETS -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j REJECT $IPTABLES -A PACKETS -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT $IPTABLES -A PACKETS -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT $IPTABLES -A PACKETS -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j REJECT $IPTABLES -A PACKETS -p tcp -m tcp --tcp-flags ACK,FIN FIN -j REJECT $IPTABLES -A PACKETS -p tcp -m tcp --tcp-flags ACK,URG URG -j REJECT
################################################################## # Reject big broadcasts #echo "section 4" $IPTABLES -A FIRE-IN -d 224.0.0.0 -j REJECT
################################################################## # allow connections out. -- keep state #echo "section 5" $IPTABLES -A FIRE-IN -p tcp -m state --state ESTABLISHED -j ACCEPT $IPTABLES -A FIRE-OUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT $IPTABLES -A FIRE-IN -p udp -m state --state ESTABLISHED -j ACCEPT $IPTABLES -A FIRE-OUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT # allow icmp out. and anything out back in $IPTABLES -A FIRE-IN -p icmp -m state --state ESTABLISHED -j ACCEPT $IPTABLES -A FIRE-OUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT # Let people ping us, but rate limit it $IPTABLES -A FIRE-IN -p icmp -m state --state NEW,ESTABLISHED --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# Block Syn Flood attacks $IPTABLES -A FIRE-IN -p tcp -m tcp --syn -j SYN-FLOOD
# Allow session continuation traffic $IPTABLES -A FIRE-IN -m state --state RELATED,ESTABLISHED -j ACCEPT
#################### SYN FLOOD # Block Syn Flood attacks $IPTABLES -A FIRE-IN -p tcp -m tcp --syn -j SYN-FLOOD $IPTABLES -A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN #$IPTABLES -A SYN-FLOOD -j LOG --log-prefix "SYN-FLOOD: " $IPTABLES -A SYN-FLOOD -j REJECT
####################################################################################################33 echo "section 6" #### Services for LAN $IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 22 -j ACCEPT #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 25 -j ACCEPT $IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 53 -j ACCEPT $IPTABLES -A FIRE-IN -p udp -m udp -s $LAN --dport 53 -j ACCEPT $IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 80 -j ACCEPT #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 110 -j ACCEPT #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 139 -j ACCEPT # netbios-dgm 138/tcp/udp #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 143 -j ACCEPT #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 161 -j ACCEPT # netbios-dgm 161/tcp/udp $IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 443 -j ACCEPT #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 465 -j ACCEPT # smtp -ssl #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 636 -j ACCEPT # lsap ssl tcp/udp #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 993 -j ACCEPT # imap ssl tcp/udp #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 995 -j ACCEPT # pop3 ssl tcp/udp #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 1241 -j ACCEPT # nessus #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 1512 -j ACCEPT # MS WINS #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 2401 -j ACCEPT # CVS #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 3306 -j ACCEPT #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 3308 -j ACCEPT # ssh tunnel from db1 #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 8100 -j ACCEPT # old webmail #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $LAN --dport 8443 -j ACCEPT #$IPTABLES -A FIRE-IN -p udp -m udp -s $LAN --dport 137:138 -j ACCEPT # NETBIOS #$IPTABLES -A FIRE-IN -p udp -m udp -s $LAN --sport 137:138 -j ACCEPT #$IPTABLES -A FIRE-IN -p udp -m udp -s $LAN --dport 161:162 -j ACCEPT #snmp:snmptrap #$IPTABLES -A FIRE-IN -p udp -m udp -s $LAN --dport 541 -j ACCEPT ## ????? #$IPTABLES -A FIRE-IN -p udp -m udp -s $LAN --dport 1512 -j ACCEPT
#### Services for SERVERS for i in $SERVERS do $IPTABLES -A FIRE-IN -p tcp -m tcp -s $SERVER_PREFIX$i --dport 22 -j ACCEPT # $IPTABLES -A FIRE-IN -p tcp -m tcp -s $SERVER_PREFIX$i --dport 25 -j ACCEPT $IPTABLES -A FIRE-IN -p tcp -m tcp -s $SERVER_PREFIX$i --dport 53 -j ACCEPT $IPTABLES -A FIRE-IN -p udp -m udp -s $SERVER_PREFIX$i --dport 53 -j ACCEPT $IPTABLES -A FIRE-IN -p tcp -m tcp -s $SERVER_PREFIX$i --dport 80 -j ACCEPT $IPTABLES -A FIRE-IN -p tcp -m tcp -s $SERVER_PREFIX$i --dport 443 -j ACCEPT # $IPTABLES -A FIRE-IN -p tcp -m tcp -s $SERVER_PREFIX$i --dport 199 -j ACCEPT # smux # $IPTABLES -A FIRE-IN -p tcp -m tcp -s $SERVER_PREFIX$i --dport 636 -j ACCEPT # ldap ssl tcp/udp # $IPTABLES -A FIRE-IN -p tcp -m tcp -s $SERVER_PREFIX$i --dport 2401 -j ACCEPT # CVS #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $SERVER_PREFIX$i --dport 3306 -j ACCEPT # $IPTABLES -A FIRE-IN -p udp -m udp -s $SERVER_PREFIX$i --dport 161:162 -j ACCEPT #snmp:snmptrap # $IPTABLES -A FIRE-IN -p udp -m udp -s $SERVER_PREFIX$i --dport 541 -j ACCEPT ## ????? $IPTABLES -A FIRE-IN -p tcp -m tcp -s $SERVER_PREFIX$i --dport 20031:20032 -j ACCEPT # Netvault done
#### Services for everyone
#$IPTABLES -A FIRE-IN -p tcp -m tcp -s $WORLD --dport 25 -j ACCEPT #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $WORLD --dport 53 -j ACCEPT #$IPTABLES -A FIRE-IN -p udp -m udp -s $WORLD --dport 53 -j ACCEPT $IPTABLES -A FIRE-IN -p tcp -m tcp -s $WORLD --dport 80 -j ACCEPT $IPTABLES -A FIRE-IN -p tcp -m tcp -s $WORLD --dport 443 -j ACCEPT #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $WORLD --dport 110 -j ACCEPT #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $WORLD --dport 143 -j ACCEPT #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $WORLD --dport 465 -j ACCEPT # smtp -ssl #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $WORLD --dport 993 -j ACCEPT # imap ssl tcp/udp #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $WORLD --dport 995 -j ACCEPT # pop3 ssl tcp/udp #$IPTABLES -A FIRE-IN -p tcp -m tcp -s $WORLD --dport 8443 -j ACCEPT
echo "Done."
} # end of firewall
########################################################################
function off { # stop firewall echo "Firewall: disabling filtering (allowing all access)" $IPTABLES -F $IPTABLES -X $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT } ###################################################################### function stop { # stop all external connections echo "Firewall: stopping all external connections" $IPTABLES -F $IPTABLES -X $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD REJECT $IPTABLES -P OUTPUT REJECT
# allow anything over loopback $IPTABLES -A INPUT -i lo -s 127.0.0.1 -j ACCEPT $IPTABLES -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT }
case "$1" in start) on ;; stop) off ;; stop-ext) stop ;; *) echo "$0 {start|stop|stop-ext}" echo "start enables the firewall." echo "stop disables the firewall" echo "stop-ext disables all external connections" ;; esac
$IPTABLES -L