Enviado em 14/04/2014 - 17:14h
Configurei o squid3 e e iptables na empresa mas a internet esta muito lenta. Com o squid3 ela fica na velocidade ótima mas depois que configurei o iptables a internet fica muito ruim, o que pode ser?
internet lenta com iptables [RESOLVIDO]
Responder tópico2. Re: internet lenta com iptables [RESOLVIDO]
Melhor resposta
Enviado em 16/04/2014 - 22:04h
A porta do Squid deve ser configurada apenas na Chain INPUT da tabela filter, e não na chain FORWARD. Veja exemplo em: http://www.vivaolinux.com.br/artigo/Squid-+-Iptables-Combinacao-Infalivel/?pagina=2
Sua regra de DNS sobre a rede local (que passa pela FORWARD) não contempla a porta 53 UDP. A regra está duplicada liberando apenas a porta TCP. Além do mais esta regra não é necessária, dado que quem resolverá nomes será o servidor.
Libere a interface de loopback.
Veja em detalhes: http://www.guiafoca.org/cgs/guia/avancado/ch-fw-iptables.html
3. Re: internet lenta com iptables [RESOLVIDO]
Enviado em 14/04/2014 - 18:08h
Posta sua configuração do iptables
4. Re: internet lenta com iptables [RESOLVIDO]
Enviado em 15/04/2014 - 08:39h
#!/bin/bash
#Limpando as tabelas
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
#Carregando os modulos
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_queue
modprobe ip_tables
modprobe ipt_LOG
modprobe ipt_MARK
modprobe ipt_MASQUERADE
modprobe ipt_REDIRECT
modprobe ipt_REJECT
modprobe ipt_TCPMSS
modprobe ipt_TOS
modprobe ipt_limit
modprobe ipt_mac
modprobe ipt_mark
modprobe ipt_multiport
modprobe ipt_owner
modprobe ipt_state
modprobe ipt_tcpmss
modprobe ipt_tos
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
# Politicas padrao
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Compartilha a conexao com a internet
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#libera pacotes de retorno da internet
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
#Liberando porta http
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
#Liberando porta SQUID
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 3128 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3128 -j ACCEPT
#Liberando a porta https
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
#Liberando a portas POP3 e SMTP
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT
#Liberando a porta SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
#CONECTIVIDADE SOCIAL
iptables -A OUTPUT -p tcp --dport 2631 -j ACCEPT
#Liberando DHCP
iptables -A OUTPUT -p tcp --dport 67 -j ACCEPT
# Liberando acesso remoto no servidor
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
iptables -A INPUT -p tcp --dport 3350 -j ACCEPT
iptables -A INPUT -p tcp --dport 5910 -j ACCEPT
#Liberando o DNS
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
#Limpando as tabelas
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
#Carregando os modulos
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_queue
modprobe ip_tables
modprobe ipt_LOG
modprobe ipt_MARK
modprobe ipt_MASQUERADE
modprobe ipt_REDIRECT
modprobe ipt_REJECT
modprobe ipt_TCPMSS
modprobe ipt_TOS
modprobe ipt_limit
modprobe ipt_mac
modprobe ipt_mark
modprobe ipt_multiport
modprobe ipt_owner
modprobe ipt_state
modprobe ipt_tcpmss
modprobe ipt_tos
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
# Politicas padrao
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Compartilha a conexao com a internet
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#libera pacotes de retorno da internet
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
#Liberando porta http
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
#Liberando porta SQUID
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 3128 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3128 -j ACCEPT
#Liberando a porta https
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
#Liberando a portas POP3 e SMTP
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT
#Liberando a porta SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
#CONECTIVIDADE SOCIAL
iptables -A OUTPUT -p tcp --dport 2631 -j ACCEPT
#Liberando DHCP
iptables -A OUTPUT -p tcp --dport 67 -j ACCEPT
# Liberando acesso remoto no servidor
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
iptables -A INPUT -p tcp --dport 3350 -j ACCEPT
iptables -A INPUT -p tcp --dport 5910 -j ACCEPT
#Liberando o DNS
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
5. Re: internet lenta com iptables [RESOLVIDO]
Enviado em 23/04/2014 - 10:54h
n4t4n
depois da dica o acesso melhorou não esta tão lenta mais, meu firewall ficou desta forma (se puder sugerir algo mais, agradeço):
#!/bin/bash
#Limpando as tabelas
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
#Carregando os modulos
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_queue
modprobe ip_tables
modprobe ipt_LOG
modprobe ipt_MARK
modprobe ipt_MASQUERADE
modprobe ipt_REDIRECT
modprobe ipt_REJECT
modprobe ipt_TCPMSS
modprobe ipt_TOS
modprobe ipt_limit
modprobe ipt_mac
modprobe ipt_mark
modprobe ipt_multiport
modprobe ipt_owner
modprobe ipt_state
modprobe ipt_tcpmss
modprobe ipt_tos
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
# Politicas padrao
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Compartilha a conexao com a internet
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Aceita todo o trágo vindo do loopback e indo pro loopback
iptables -A INPUT -i lo -j ACCEPT
# Todo trafego vindo da rede interna tambem e aceito
iptables -A INPUT -s 192.168.1.0/24 -i eth1 -j ACCEPT
#libera pacotes de retorno da internet
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
#Liberando porta http
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
#Liberando porta SQUID
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 3128 -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 3128 -j ACCEPT
#Liberando a porta https
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
#Liberando a portas POP3 e SMTP
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT
#Liberando a porta SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
#CONECTIVIDADE SOCIAL
iptables -A OUTPUT -p tcp --dport 2631 -j ACCEPT
#Liberando DHCP
iptables -A OUTPUT -p tcp --dport 67 -j ACCEPT
# Liberando acesso interno remoto no servidor
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
iptables -A INPUT -p tcp --dport 3350 -j ACCEPT
iptables -A INPUT -p tcp --dport 5910 -j ACCEPT
#Liberando o DNS
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
depois da dica o acesso melhorou não esta tão lenta mais, meu firewall ficou desta forma (se puder sugerir algo mais, agradeço):
#!/bin/bash
#Limpando as tabelas
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
#Carregando os modulos
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_queue
modprobe ip_tables
modprobe ipt_LOG
modprobe ipt_MARK
modprobe ipt_MASQUERADE
modprobe ipt_REDIRECT
modprobe ipt_REJECT
modprobe ipt_TCPMSS
modprobe ipt_TOS
modprobe ipt_limit
modprobe ipt_mac
modprobe ipt_mark
modprobe ipt_multiport
modprobe ipt_owner
modprobe ipt_state
modprobe ipt_tcpmss
modprobe ipt_tos
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
# Politicas padrao
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Compartilha a conexao com a internet
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Aceita todo o trágo vindo do loopback e indo pro loopback
iptables -A INPUT -i lo -j ACCEPT
# Todo trafego vindo da rede interna tambem e aceito
iptables -A INPUT -s 192.168.1.0/24 -i eth1 -j ACCEPT
#libera pacotes de retorno da internet
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
#Liberando porta http
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
#Liberando porta SQUID
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 3128 -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 3128 -j ACCEPT
#Liberando a porta https
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
#Liberando a portas POP3 e SMTP
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT
#Liberando a porta SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
#CONECTIVIDADE SOCIAL
iptables -A OUTPUT -p tcp --dport 2631 -j ACCEPT
#Liberando DHCP
iptables -A OUTPUT -p tcp --dport 67 -j ACCEPT
# Liberando acesso interno remoto no servidor
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
iptables -A INPUT -p tcp --dport 3350 -j ACCEPT
iptables -A INPUT -p tcp --dport 5910 -j ACCEPT
#Liberando o DNS
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
Responder tópico
Entre na sua conta para responder.