I want to block all HTTP websites except www.sina.com.cn.
dig www.sina.com.cn
www.sina.com.cn. 3416 IN CNAME jupiter.sina.com.cn.
jupiter.sina.com.cn. 30 IN A 183.232.24.117
jupiter.sina.com.cn. 30 IN A 183.232.24.115
jupiter.sina.com.cn. 30 IN A 183.232.24.116
jupiter.sina.com.cn. 30 IN A 183.232.24.112
jupiter.sina.com.cn. 30 IN A 183.232.24.114
jupiter.sina.com.cn. 30 IN A 183.232.24.113
jupiter.sina.com.cn. 30 IN A 183.232.24.111
Here is my iptables rules configuration to block all other websites except www.sina.com.cn:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 183.232.24.117 anywhere tcp spt:http
ACCEPT tcp -- 183.232.24.116 anywhere tcp spt:http
ACCEPT tcp -- 183.232.24.115 anywhere tcp spt:http
ACCEPT tcp -- 183.232.24.114 anywhere tcp spt:http
ACCEPT tcp -- 183.232.24.113 anywhere tcp spt:http
ACCEPT tcp -- 183.232.24.112 anywhere tcp spt:http
ACCEPT tcp -- 183.232.24.111 anywhere tcp spt:http
DROP tcp -- anywhere anywhere tcp spt:http
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere 183.232.24.117 tcp dpt:http
ACCEPT tcp -- anywhere 183.232.24.116 tcp dpt:http
ACCEPT tcp -- anywhere 183.232.24.115 tcp dpt:http
ACCEPT tcp -- anywhere 183.232.24.114 tcp dpt:http
ACCEPT tcp -- anywhere 183.232.24.113 tcp dpt:http
ACCEPT tcp -- anywhere 183.232.24.112 tcp dpt:http
ACCEPT tcp -- anywhere 183.232.24.111 tcp dpt:http
DROP tcp -- anywhere anywhere tcp dpt:http
iptables-save > /etc/iptables/rules.v4
Now to test it, I enter www.sina.com.cn in Firefox.
I found that the speed of opening www.sina.com.cn slowed down, very, very slow.
Usually it takes 1 second to open www.sina.com.cn; it takes almost 1 minute to open when the iptables rules are configured. Why, and how do I fix it?
My only guess is that sina's website is probably trying to load resources from other IPs; since it can't, because you have blocked them, it will wait until it times out, hence it will take longer to load.
R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
Other issues that I noticed:
1. Where is the usual "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" rule? Should be at or near the start of the rules, due to it normally matching a high proportion of traffic.
2. Use iptables-save to show rules, because "iptables -L" is just a management summary which hides essential details such as the *order* of the rules.
3. Should not be blocking ICMP, which can help to resolve communication problems.
Also, to have fewer duplicate lines:
# ipcalc 183.232.24.111-183.232.24.117
deaggregate 183.232.24.111 - 183.232.24.117
183.232.24.111/32
183.232.24.112/30
183.232.24.116/31
Last edited by brebs (2017-02-09 20:18:08)
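Putting the original poster's procedure and brebs's three points together in one script, as an added example that is not from anyone in this thread: it turns the address range from the dig answer into the same minimal CIDR list that ipcalc printed, then emits an iptables-restore ruleset with the RELATED,ESTABLISHED rule first, ICMP left alone, and the per-address ACCEPTs only in OUTPUT (replies are covered by the conntrack rule, so the INPUT spt:http rules become unnecessary). The catch-all is REJECT with a TCP reset instead of DROP, so a page that pulls resources from a blocked host fails immediately rather than hanging until the browser times out, which is the slowdown R00KIE describes; choosing REJECT is this example's decision, not something the thread proposes. The script only prints the ruleset and never touches the live firewall.

```shell
#!/bin/sh
# Added example (not the thread's code): minimal CIDR split of an address
# range, then an iptables-restore ruleset built from those blocks.
# Nothing here touches the live firewall; it only prints the ruleset.

# Dotted quad -> 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Split an inclusive address range into the fewest CIDR blocks (one per
# line), the same greedy walk "ipcalc deaggregate" does: at each step take
# the largest aligned block that still fits inside the remaining range.
deaggregate() {
    lo=$(ip2int "$1"); hi=$(ip2int "$2")
    while [ "$lo" -le "$hi" ]; do
        plen=32
        while [ "$plen" -gt 0 ]; do
            size=$(( 1 << (33 - $plen) ))          # block size for plen-1
            if [ $(( $lo % $size )) -ne 0 ] || [ $(( $lo + $size - 1 )) -gt "$hi" ]; then
                break                              # cannot widen any further
            fi
            plen=$(( $plen - 1 ))
        done
        echo "$(int2ip "$lo")/$plen"
        lo=$(( $lo + (1 << (32 - $plen)) ))
    done
}

# Print an iptables-restore ruleset that allows new HTTP connections only to
# the given CIDRs. Conntrack rule first, ICMP untouched, and a REJECT with a
# TCP reset (example's choice) instead of DROP so blocked hosts fail fast.
build_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
EOF
    for net in "$@"; do
        echo "-A OUTPUT -d $net -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "-A OUTPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset"
    echo "COMMIT"
}

# Demo on the range from the dig output above. Review the output, then
# load it with:  sh this_script.sh | iptables-restore
build_rules $(deaggregate 183.232.24.111 183.232.24.117)
```

The address list is only as good as the DNS answer it came from: the CNAME has a 30-second TTL, so the A records can change and the script has to be re-run (and the ruleset reloaded) whenever they do.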
@brebs
Not wanting to get off topic here but I'm curious, have you ever seen a case where the output of 'iptables -L' is different from the order in iptables-save? At least for me the order is always the same, which matches the order in which the commands run in my iptables configuration script. I do have to say that the output of iptables-save is more complete as it includes all tables and not just the filter table.
R00KIE
It's more a case of:
Why on Earth does every newbie think that "iptables -L" is a complete description?
"iptables-save" is the command that saves the iptables configuration. So I ask for that. Have I done a comprehensive test of the differences? No - why would I?