Linux – Iptables rules make communication so slow

firewall, iptables, linux

When I send a request to an application running on a machine on which the following firewall rules are applied, it waits a very long time. When I deactivate the iptables rules, it responds immediately. What makes communication so slow?

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -i ppp+ -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

UPDATED.

# -i: no per-file prompts, -n: no auto-login (the "user" line below logs in), -v: verbose output
ftp -inv <<! > "$FTPLOG"
open $_FTP_HOST
user $_FTP_USER $_FTP_PASS
mkdir $_FTP_COPY_TO_FOLDER
cd $_FTP_COPY_TO_FOLDER
lcd $BACKUP_SAVE_DIR
bin
put $BACKUP_FILE_NAME
quit
!

Here is the FTP connection:

ftp> ls
200 Port command successful
150 Opening data channel for directory list.

Best Answer

You should remove this rule because it is redundant:

-A INPUT -i lo -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

These rules are processed in constant time with no state data and are extremely unlikely to be the problem:

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -i ppp+ -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -i lo -j ACCEPT

These rules tend to be efficient and are not likely the cause unless you have an extremely large number of open TCP connections:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

This rule is the most expensive one you have, due to the logging and more importantly the limit rule:

-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

Try removing the last one and see if performance improves. If it does not, add it back and remove the two state rules to see if performance improves.

However, it depends largely on what you mean by making a request to the application. None of this will apply unless you are making the request via the network, as your rules are all input or forward (though they may be affecting the speed of a query made to the network from that host). Does the operation ever finish?
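The rule walk the answer reasons about, as an added example that is not code from the original question or answer: it parses the rules quoted in the question with a small Python matcher that understands only `-p`, `-i`, `--dport`, `--state` and `-j`, reports which rule decides each of a few constructed sample packets, and finds the second `-i lo` rule that an earlier rule already covers. The chain's default policy is not shown on the page and is assumed here to be `DROP`. One of the constructed packets is the kind of inbound connection an FTP server opens back to the client after `200 Port command successful` (active mode), the response visible in the session the asker posted; the matcher shows where such a packet lands with and without the `nf_conntrack_ftp` helper marking it `RELATED`.

```python
# Added example: parse the rules quoted in the question and walk constructed
# packets through them. Only -p, -i, --dport, --state and -j are interpreted;
# the chain policy is not shown on the page and is assumed to be DROP.
import shlex
from dataclasses import dataclass

RULES_TEXT = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -i ppp+ -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
"""

@dataclass
class Packet:
    chain: str
    iface: str   # interface the packet arrived on
    proto: str   # "tcp", "udp" or "esp"
    dport: int   # 0 for protocols without ports
    state: str   # conntrack state: NEW, ESTABLISHED or RELATED

def parse_rules(text):
    """iptables-save style lines; every option on these lines takes a value."""
    rules = []
    for line in text.strip().splitlines():
        toks = shlex.split(line)  # keeps "iptables denied: " as one token
        rule = {"chain": toks[1]}
        for flag, value in zip(toks[2::2], toks[3::2]):
            if flag == "-p":
                rule["proto"] = value
            elif flag == "-i":
                rule["iface"] = value
            elif flag == "--dport":
                rule["dport"] = int(value)
            elif flag == "--state":
                rule["states"] = set(value.split(","))
            elif flag == "-j":
                rule["target"] = value
            # -m, --limit, --log-prefix and --log-level add no match criteria here
        rules.append(rule)
    return rules

def iface_matches(pattern, iface):
    """'ppp+' is a prefix wildcard; anything else is an exact interface name."""
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else iface == pattern

def rule_matches(rule, pkt):
    """True when every criterion the rule carries matches the packet."""
    return (rule["chain"] == pkt.chain
            and rule.get("proto", pkt.proto) == pkt.proto
            and rule.get("dport", pkt.dport) == pkt.dport
            and iface_matches(rule.get("iface", pkt.iface), pkt.iface)
            and pkt.state in rule.get("states", {pkt.state}))

def walk(rules, pkt, policy="DROP"):
    """(verdict, index of the deciding rule); a None index means the chain policy applied.
    LOG is non-terminating: the packet is logged (subject to -m limit) and walks on."""
    for idx, rule in enumerate(rules):
        if rule_matches(rule, pkt) and rule["target"] != "LOG":
            return rule["target"], idx
    return policy, None

def covers(a, b):
    """Every criterion of rule a is at least as broad as rule b's, so a fires first."""
    if any(k in a and a[k] != b.get(k) for k in ("proto", "dport")):
        return False
    if "iface" in a and not ("iface" in b and iface_matches(a["iface"], b["iface"])):
        return False
    return "states" not in a or ("states" in b and b["states"] <= a["states"])

def shadowed_rules(rules):
    """Indices of rules that never fire: an earlier terminating rule in the same
    chain already decides everything they could match."""
    return [j for j, b in enumerate(rules)
            if any(a["chain"] == b["chain"] and a["target"] != "LOG" and covers(a, b)
                   for a in rules[:j])]

def verdicts(policy="DROP"):
    """Walk constructed sample packets (not captured traffic) through the rules."""
    rules = parse_rules(RULES_TEXT)
    samples = {
        "ssh_new": Packet("INPUT", "eth0", "tcp", 22, "NEW"),
        # reply to a connection this host opened, e.g. the FTP control channel
        "reply": Packet("INPUT", "eth0", "tcp", 41000, "ESTABLISHED"),
        # new inbound connection to a high port: what an FTP server opens back to
        # the client after "200 Port command successful" (active mode)
        "active_ftp_data": Packet("INPUT", "eth0", "tcp", 41001, "NEW"),
        # the same SYN once the nf_conntrack_ftp helper has tracked the PORT exchange
        "active_ftp_data_related": Packet("INPUT", "eth0", "tcp", 41001, "RELATED"),
        "loopback": Packet("INPUT", "lo", "tcp", 8080, "NEW"),
    }
    return {name: walk(rules, pkt, policy) for name, pkt in samples.items()}
```

Calling `verdicts()` returns, per sample, the verdict and the index of the rule that produced it: the SSH packet stops at rule 1, the established reply and the `RELATED` data-channel SYN at rule 0, loopback traffic at the first `-i lo` rule (index 7), and the untracked inbound data-channel SYN matches nothing but the `LOG` rule and falls through to the assumed policy. `shadowed_rules()` returns `[8]`, the `-i lo -m state` rule the answer calls redundant. The matcher is a static model: it does not apply the `-m limit` token bucket or any conntrack timeouts, so it says where a packet lands, not how long a real connection waits.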
