Aug 12, 2011
tom

ipTables: How to improve the current set-up?

Question

It took a lot of time and digging to get my ipTables working fairly well.

Current status: ‘Works’ w/ a noticeable, reproducible (almost unacceptable) delay on SSH connections. This delay goes away as soon as ipTables is disabled. Please help: how can I fight off the long list of potential attacks and also get my fast SSH back?

-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# DROP fragments (from a *different* tutorial, do I need this?)
-A INPUT -f -j DROP
# DROP NEW NOT SYN
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# DROP SYN-FIN SCANS
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# DROP SYN-RST SCANS
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# DROP X-MAS SCANS
-A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# DROP NMAP FIN SCAN
-A INPUT -p tcp --tcp-flags ALL FIN -j DROP
# DROP NULL SCANS
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# DROP ALL/ALL SCANS
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# non-standard ssh port matches ssh config
-A INPUT -p tcp -m tcp --dport x1x0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP

Thank you

EDIT:
I dug deeper and my ISP’s nameservers and DNS look-up might be the problem:

Why would the SSH server be doing a DNS look-up, when I’m connecting as root@xxx.xx.xxx.x?

and / or

Can I fix this (if DNS look-up is the cause) w/ an adjustment to the ssh config, instead of having to find out the IP of the ISP’s nameservers?

Answer

If the hang is caused when you log in then it is probably related to the sshd UseDNS configuration parameter. The default for this is yes so sshd does a lookup on your client’s hostname and then checks that it maps back to the IP address that it is seeing on the inbound connection.

You’ll probably find that you don’t have a suitable DNS PTR record for your client.

Try setting

UseDNS no

in your /etc/ssh/sshd_config file then restart sshd.
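The forward-confirmed reverse lookup the answer describes, as an added Python example (not code from the poster or from OpenSSH): the resolver tables are constructed stand-ins for real DNS, and the config reader assumes sshd's first-match rule for repeated keywords.

```python
from typing import Dict, List, Optional

# Constructed resolver tables standing in for live DNS (no network needed).
PTR_RECORDS: Dict[str, str] = {
    "203.0.113.10": "client.example.net",  # PTR and A agree: check passes
    "203.0.113.11": "stale.example.net",   # PTR exists but A points elsewhere
    # 203.0.113.12 deliberately has no PTR, the typical ISP client situation
}
A_RECORDS: Dict[str, List[str]] = {
    "client.example.net": ["203.0.113.10"],
    "stale.example.net": ["198.51.100.7"],
}


def ptr_lookup(ip: str) -> Optional[str]:
    """Reverse lookup against the constructed table (stand-in for gethostbyaddr)."""
    return PTR_RECORDS.get(ip)


def a_lookup(name: str) -> List[str]:
    """Forward lookup against the constructed table (stand-in for getaddrinfo)."""
    return A_RECORDS.get(name, [])


def forward_confirmed_rdns(ip: str, ptr=ptr_lookup, fwd=a_lookup) -> Optional[str]:
    """What sshd does with UseDNS yes: resolve the client IP to a name, then
    resolve that name forward and require the original IP among the answers.
    Returns the confirmed hostname, or None when either step fails.
    With a real resolver each failing step can wait for a timeout first,
    which is the login delay the question describes."""
    name = ptr(ip)
    if name is None:
        return None
    return name if ip in fwd(name) else None


def use_dns_enabled(sshd_config: str) -> bool:
    """Effective UseDNS value for the given sshd_config text.
    sshd uses the first value it finds for a keyword; when the keyword is
    absent the default applies, which was 'yes' for OpenSSH of the time."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "usedns" and len(parts) == 2:
            return parts[1].strip().lower() == "yes"
    return True
```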
