iptables slows down access to httpd server

Tony Nelson tonynelson at georgeanelson.com
Thu Nov 1 19:30:32 UTC 2007

At 9:31 AM -0600 11/1/07, Steve Lindemann wrote:
>This, strictly speaking, isn't a Fedora problem, but I'm hoping someone
>out there can help.
>system config:
>dell poweredge 2950
>apache: 2.2.6
>problem summary:  when iptables is turned on, web pages (graphics in
>particular) served up from the box are *extremely* slow to load,
>sometimes timing out.  when iptables is turned off, web pages served up
>from the box load normally.  I've compared my /etc/sysconfig/iptables
>file to another (fc6) server and they are effectively the same, *but*
>I've never had a problem with page loads from the other box.
>I'm assuming (yes, I know 8^) that the problem lies with iptables, but
>I'm running out of places to look for answers.  Should I be looking
>somewhere other than the firewall?  Has anyone else seen this?  I'd
>really appreciate any help anyone out there could give.
>((beware of line wrapping))
># Firewall configuration written by system-config-securitylevel
># Manual customization of this file is not recommended.
>:RH-Firewall-1-INPUT - [0:0]
>-A INPUT -j RH-Firewall-1-INPUT
>-A FORWARD -j RH-Firewall-1-INPUT
>-A RH-Firewall-1-INPUT -i lo -j ACCEPT
>-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
>-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
>-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
>-A RH-Firewall-1-INPUT -p udp --dport 5353 -d -j ACCEPT
>-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
>-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
>-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j
>-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j
>-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>...ok I did manually edit the file to add the http rule, but up until
>now I've not had any problems doing that sort of thing.  Iptables does
>drive me just a bit crazy, but I do know enough to to that successfully
>(up until now that is).  Help!  ...and thanks!

Use `iptables -L` to see what the rules really are.  `iptables -vL` with
counts.  `iptables -vnL` for numbers instead of names.

Use `iptables -vL` before and after trying to get an uncached web page.
See which counts went up.

If that doesn't do it, use tcpdump and look for ports that you didn't open.
TonyN.:'                       <mailto:tonynelson at georgeanelson.com>
      '                              <http://www.georgeanelson.com/>

More information about the fedora-list mailing list