internet lenta com iptables [RESOLVIDO]

felixdinizz
(usa Ubuntu)

Enviado em 14/04/2014 - 17:14h

Configurei o squid3 e e iptables na empresa mas a internet esta muito lenta. Com o squid3 ela fica na velocidade ótima mas depois que configurei o iptables a internet fica muito ruim, o que pode ser?

n4t4n
(usa Arch Linux)

Enviado em 14/04/2014 - 18:08h

Posta sua configuração do iptables

felixdinizz
(usa Ubuntu)

Enviado em 15/04/2014 - 08:39h

#!/bin/bash
#Limpando as tabelas
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

#Carregando os modulos
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_queue
modprobe ip_tables
modprobe ipt_LOG
modprobe ipt_MARK
modprobe ipt_MASQUERADE
modprobe ipt_REDIRECT
modprobe ipt_REJECT
modprobe ipt_TCPMSS
modprobe ipt_TOS
modprobe ipt_limit
modprobe ipt_mac
modprobe ipt_mark
modprobe ipt_multiport
modprobe ipt_owner
modprobe ipt_state
modprobe ipt_tcpmss
modprobe ipt_tos
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat

# Politicas padrao
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Compartilha a conexao com a internet
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#libera pacotes de retorno da internet
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

#Liberando porta http
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

#Liberando porta SQUID
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 3128 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 3128 -j ACCEPT

#Liberando a porta https
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

#Liberando a portas POP3 e SMTP
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT

#Liberando a porta SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp --dport 22 -j ACCEPT

#CONECTIVIDADE SOCIAL
iptables -A OUTPUT -p tcp --dport 2631 -j ACCEPT

#Liberando DHCP
iptables -A OUTPUT -p tcp --dport 67 -j ACCEPT

# Liberando acesso remoto no servidor
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
iptables -A INPUT -p tcp --dport 3350 -j ACCEPT
iptables -A INPUT -p tcp --dport 5910 -j ACCEPT

#Liberando o DNS
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

felixdinizz
(usa Ubuntu)

Enviado em 23/04/2014 - 10:54h

n4t4n
depois da dica o acesso melhorou não esta tão lenta mais, meu firewall ficou desta forma (se puder sugerir algo mais, agradeço):

#!/bin/bash
#Limpando as tabelas
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

#Carregando os modulos
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_queue
modprobe ip_tables
modprobe ipt_LOG
modprobe ipt_MARK
modprobe ipt_MASQUERADE
modprobe ipt_REDIRECT
modprobe ipt_REJECT
modprobe ipt_TCPMSS
modprobe ipt_TOS
modprobe ipt_limit
modprobe ipt_mac
modprobe ipt_mark
modprobe ipt_multiport
modprobe ipt_owner
modprobe ipt_state
modprobe ipt_tcpmss
modprobe ipt_tos
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat

# Politicas padrao
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Compartilha a conexao com a internet
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Aceita todo o trágo vindo do loopback e indo pro loopback
iptables -A INPUT -i lo -j ACCEPT

# Todo trafego vindo da rede interna tambem e aceito
iptables -A INPUT -s 192.168.1.0/24 -i eth1 -j ACCEPT

#libera pacotes de retorno da internet
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

#Liberando porta http
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

#Liberando porta SQUID
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 3128 -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 3128 -j ACCEPT

#Liberando a porta https
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

#Liberando a portas POP3 e SMTP
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT

#Liberando a porta SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp --dport 22 -j ACCEPT

#CONECTIVIDADE SOCIAL
iptables -A OUTPUT -p tcp --dport 2631 -j ACCEPT

#Liberando DHCP
iptables -A OUTPUT -p tcp --dport 67 -j ACCEPT

# Liberando acesso interno remoto no servidor
iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
iptables -A INPUT -p tcp --dport 3350 -j ACCEPT
iptables -A INPUT -p tcp --dport 5910 -j ACCEPT

#Liberando o DNS
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT