iptables slows down access to httpd server
John Summerfield
debian at herakles.homelinux.org
Thu Nov 1 23:56:59 UTC 2007
Steve Lindemann wrote:
> This, strictly speaking, isn't a Fedora problem, but I'm hoping someone
> out there can help.
>
> system config:
> dell poweredge 2950
> kernel: 2.6.22.9-61.fc6
> apache: 2.2.6
>
> problem summary: when iptables is turned on, web pages (graphics in
> particular) served up from the box are *extremely* slow to load,
> sometimes timing out. when iptables is turned off, web pages served up
> from the box load normally. I've compared my /etc/sysconfig/iptables
> file to another (fc6) server and they are effectively the same, *but*
> I've never had a problem with page loads from the other box.
>
> I'm assuming (yes, I know 8^) that the problem lies with iptables, but
> I'm running out of places to look for answers. Should I be looking
> somewhere other than the firewall? Has anyone else seen this? I'd
> really appreciate any help anyone out there could give.
>
> ((beware of line wrapping))
> # Firewall configuration written by system-config-securitylevel
> # Manual customization of this file is not recommended.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j
> ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j
> ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
> ...ok I did manually edit the file to add the http rule, but up until
> now I've not had any problems doing that sort of thing. Iptables does
> drive me just a bit crazy, but I do know enough to to that successfully
> (up until now that is). Help! ...and thanks!
Do you need to open domain?
--
Cheers
John
-- spambait
1aaaaaaa at coco.merseine.nu Z1aaaaaaa at coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
Please do not reply off-list
More information about the fedora-list
mailing list