# iptables slow IE fast firefox????

## dashnu

I am new to iptables and a friend gave me this script to use for a production server running a Java web-app using resin-ee, Apache and HTTPS. This script may be overkill for what I need, but again, I am new to iptables and just learning.

I have an issue when looking at the site via IE: it loads really, really slowly. It must be one of the rules in this script causing it. Can anyone help me figure out what I need to take out?

The site loads fine on my Gentoo / Firefox laptop, so it has to be something with IE. I would love to figure this out, or for our next release I need to use this shitty NAT/firewall router thing.

```
#!/bin/sh

# This is the location of the iptables command

IPTABLES="/sbin/iptables"

case "$1" in

   stop)

      echo "Shutting down firewall..."

      $IPTABLES -F

      $IPTABLES -F -t mangle

      $IPTABLES -X

      $IPTABLES -X -t mangle

      $IPTABLES -P INPUT ACCEPT

      $IPTABLES -P OUTPUT ACCEPT

      $IPTABLES -P FORWARD ACCEPT

      echo "...done"

      ;;

   status)

      echo $"Table: filter"

      iptables --list

      echo $"Table: mangle"

      iptables -t mangle --list

      ;;

   restart|reload)

      $0 stop

      $0 start

      ;;

   start)

    echo "Starting Firewall..."

    echo ""

##--------------------------Begin Firewall---------------------------------##

#----Default-Interfaces-----#

## Default external interface (used, if EXTIF isn't specified on command line)

DEFAULT_EXTIF="eth0"

#----Special Variables-----#

# IP Mask for all IP addresses

UNIVERSE="0.0.0.0/0"

# Specification of the high unprivileged IP ports.

UNPRIVPORTS="1024:65535"

#----Flood Variables-----#

# Overall Limit for TCP-SYN-Flood detection

TCPSYNLIMIT="5/s"

# Burst Limit for TCP-SYN-Flood detection

TCPSYNLIMITBURST="10"

# Overall Limit for Logging in Logging-Chains

LOGLIMIT="2/s"

# Burst Limit for Logging in Logging-Chains

LOGLIMITBURST="10"

# Overall Limit for Ping-Flood-Detection

PINGLIMIT="5/s"

# Burst Limit for Ping-Flood-Detection

PINGLIMITBURST="10"

#----Automatically determine infos about involved interfaces-----#

### External Interface:

## Get external interface from command-line

## If no interface is specified then set $DEFAULT_EXTIF as EXTIF

if [ "x$2" != "x" ]; then

   EXTIF=$2

else

   EXTIF=$DEFAULT_EXTIF

fi

echo External Interface: $EXTIF

## Determine external IP

EXTIP="`ifconfig $EXTIF | grep 'inet addr:' | cut -d : -f 2 | cut -d \  -f 1`"

  if [ "$EXTIP" = '' ]; then

     echo "Aborting: Unable to determine the IP-address of $EXTIF !"

     exit 1

  fi

echo External IP: $EXTIP

## Determine external gateway

EXTGW=`route -n | grep UG | awk '{ print $2 }' | head -n 1`

echo Default GW: $EXTGW

echo " --- "

echo ""

#----Load IPTABLES-modules-----#

#Insert modules- should be done automatically if needed

#If the IRC-modules are available, uncomment them below

echo "Loading IPTABLES modules"

dmesg -n 1 #Kill copyright display on module load

/sbin/modprobe ip_tables

/sbin/modprobe iptable_filter

/sbin/modprobe ip_conntrack

dmesg -n 6

echo " --- "

#----Clear/Reset all chains-----#

#Clear all IPTABLES-chains

#Flush everything, start from scratch

$IPTABLES -F

$IPTABLES -F -t mangle

$IPTABLES -X

$IPTABLES -X -t mangle

#Set default policies to DROP

$IPTABLES -P INPUT DROP

$IPTABLES -P OUTPUT DROP

$IPTABLES -P FORWARD DROP

#----Set network sysctl options-----#

echo "Setting sysctl options"

#Disabling IP Spoofing attacks.

echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

#Don't respond to broadcast pings (Smurf-Amplifier-Protection)

echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Block source routing

echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps

echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects

echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection

echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Log martians (packets with impossible addresses)

echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

#Set our local port range

echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

#Reduce DoS'ing ability by reducing timeouts

echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time

echo 0 > /proc/sys/net/ipv4/tcp_window_scaling

echo 0 > /proc/sys/net/ipv4/tcp_sack

echo " --- "

echo "Creating user-chains"

#----Create logging chains-----#

##These are the logging-chains. They all have a certain limit of log-entries/sec to prevent log-flooding

##The syslog-entries will be fireparse-compatible (see http://www.fireparse.com)

#Invalid packets (not ESTABLISHED,RELATED or NEW)

        $IPTABLES -N LINVALID

        $IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=INVALID:1 a=DROP "

        $IPTABLES -A LINVALID -j DROP

#TCP-Packets with one or more bad flags

        $IPTABLES -N LBADFLAG

        $IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=BADFLAG:1 a=DROP "

        $IPTABLES -A LBADFLAG -j DROP

#Logging of connection attempts on special ports (Trojan portscans, special services, etc.)

        $IPTABLES -N LSPECIALPORT

        $IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SPECIALPORT:1 a=DROP "

        $IPTABLES -A LSPECIALPORT -j DROP

#Logging of possible TCP-SYN-Floods

        $IPTABLES -N LSYNFLOOD

        $IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "

        $IPTABLES -A LSYNFLOOD -j DROP

#Logging of possible Ping-Floods

        $IPTABLES -N LPINGFLOOD

        $IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "

        $IPTABLES -A LPINGFLOOD -j DROP

#All other dropped packets

        $IPTABLES -N LDROP

        $IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP "

        $IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP "

        $IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP "

        $IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP "

        $IPTABLES -A LDROP -j DROP

#All other rejected packets

        $IPTABLES -N LREJECT

        $IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=REJECT "

        $IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=REJECT "

        $IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=REJECT "

        $IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=REJECT "

        $IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset

        $IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable

        $IPTABLES -A LREJECT -j REJECT

#----Create Accept-Chains-----#

#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in

        $IPTABLES -N TCPACCEPT

        $IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT

        $IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD

        $IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT

#----Create special User-Chains-----#

#CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)

        $IPTABLES -N CHECKBADFLAG

        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG

        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG

        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG

        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG

        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG

        $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG

#FILTERING FOR SPECIAL PORTS

        #Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs)

                #SMB-Traffic

                $IPTABLES -N SMB

                $IPTABLES -A SMB -p tcp --dport 137 -j DROP

                $IPTABLES -A SMB -p tcp --dport 138 -j DROP

                $IPTABLES -A SMB -p tcp --dport 139 -j DROP

                $IPTABLES -A SMB -p tcp --dport 445 -j DROP

                $IPTABLES -A SMB -p udp --dport 137 -j DROP

                $IPTABLES -A SMB -p udp --dport 138 -j DROP

                $IPTABLES -A SMB -p udp --dport 139 -j DROP

                $IPTABLES -A SMB -p udp --dport 445 -j DROP

                $IPTABLES -A SMB -p tcp --sport 137 -j DROP

                $IPTABLES -A SMB -p tcp --sport 138 -j DROP

                $IPTABLES -A SMB -p tcp --sport 139 -j DROP

                $IPTABLES -A SMB -p tcp --sport 445 -j DROP

                $IPTABLES -A SMB -p udp --sport 137 -j DROP

                $IPTABLES -A SMB -p udp --sport 138 -j DROP

                $IPTABLES -A SMB -p udp --sport 139 -j DROP

                $IPTABLES -A SMB -p udp --sport 445 -j DROP

        #Inbound Special Ports

                $IPTABLES -N SPECIALPORTS

                #Deepthroat Scan

                $IPTABLES -A SPECIALPORTS -p  tcp --dport 6670 -j LSPECIALPORT

                #Subseven Scan

                $IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j LSPECIALPORT

                $IPTABLES -A SPECIALPORTS -p udp --dport 1243 -j LSPECIALPORT

                $IPTABLES -A SPECIALPORTS -p tcp --dport 27374 -j LSPECIALPORT

                $IPTABLES -A SPECIALPORTS -p udp --dport 27374 -j LSPECIALPORT

                $IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 -j LSPECIALPORT

                #Netbus Scan

                $IPTABLES -A SPECIALPORTS -p tcp --dport 12345:12346 -j LSPECIALPORT

                $IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j LSPECIALPORT

                #Back Orifice scan

                $IPTABLES -A SPECIALPORTS -p udp --dport 31337:31338 -j LSPECIALPORT

                #Hack'a'Tack 2000

                $IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT

#ICMP/TRACEROUTE FILTERING

        #Inbound ICMP/Traceroute

                $IPTABLES -N ICMPINBOUND

                #Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped

                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT

                #

                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD

                #Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)

                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LDROP

                #Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)

                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LDROP

                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LDROP

                #Block ICMP-address-mask (can help to prevent OS-fingerprinting)

                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LDROP

                $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LDROP

                #Allow all other ICMP in

                $IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT

        #Outbound ICMP/Traceroute

                $IPTABLES -N ICMPOUTBOUND

                #Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)

                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LDROP

                #Block ICMP-TTL-Expired

                #MS Traceroute (MS uses ICMP instead of UDP for tracert)

                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LDROP

                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LDROP

                #Block ICMP-Parameter-Problem

                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LDROP

                #Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)

                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LDROP

                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LDROP

                #Block ICMP-address-mask (can help to prevent OS-fingerprinting)

                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LDROP

                $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LDROP

                ##Accept all other ICMP going out

                $IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT

#----End User-Chains-----#

echo " --- "

#----Start Ruleset-----#

echo "Implementing firewall rules..."

#################

## INPUT-Chain ## (everything that is addressed to the server)

#################

##GENERAL Filtering

  # Kill INVALID packets (not ESTABLISHED, RELATED or NEW)

  $IPTABLES -A INPUT -m state --state INVALID -j LINVALID

  # Check TCP-Packets for Bad Flags

  $IPTABLES -A INPUT -p tcp -j CHECKBADFLAG

##Packets FROM SERVER ITSELF

  #Local IF

  $IPTABLES -A INPUT -i lo -j ACCEPT

  #

  #Kill connections to the local interface from the outside world (--> Should already be caught by kernel/rp_filter)

  $IPTABLES -A INPUT -d 127.0.0.0/8 -j LREJECT

##Packets FROM THE NET

 ##ICMP & Traceroute filtering

  #Filter ICMP

  $IPTABLES -A INPUT -i $EXTIF -p icmp -j ICMPINBOUND

  #Block UDP-Traceroute

  $IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP

 ##Silent Drops/Rejects (Things we don't want in our logs)

  #Drop all SMB-Traffic

  $IPTABLES -A INPUT -i $EXTIF -j SMB

  #Silently reject Ident (Don't DROP ident, because of possible delays when establishing an outbound connection)

  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT --reject-with tcp-reset

 ##Public services running (comment out to activate):

  # ftp-data

  #$IPTABLES -A INPUT -i $EXTIF -p tcp  --dport 20 -j TCPACCEPT

  # ftp

  #$IPTABLES -A INPUT -i $EXTIF -p tcp  --dport 21 -j TCPACCEPT

  # ssh

  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j TCPACCEPT

  #telnet

  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 23 -j TCPACCEPT

  # smtp

  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j TCPACCEPT

  # DNS

  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 53 -j TCPACCEPT

  #$IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT

  # http

  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j TCPACCEPT

  # https

  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 443 -j TCPACCEPT

  # POP-3

  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 110 -j TCPACCEPT

  # IMAP

  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 143 -j TCPACCEPT

  # SMTPs

  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 465 -j TCPACCEPT

  # POP3s

  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 995 -j TCPACCEPT

  # IMAPs

  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 993 -j TCPACCEPT

 ##Separate logging of special portscans/connection attempts

  $IPTABLES -A INPUT -i $EXTIF -j SPECIALPORTS

 ##Allow ESTABLISHED/RELATED connections in

  $IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT

  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT

  $IPTABLES -A INPUT -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT

 ##Catch all rule

  $IPTABLES -A INPUT -j LDROP

##################

## Output-Chain ##

##################

##Packets TO SERVER

  #Local IF

  $IPTABLES -A OUTPUT -o lo -j ACCEPT

##Packets TO NET

 ##ICMP & Traceroute

  $IPTABLES -A OUTPUT -o $EXTIF -p icmp -j ICMPOUTBOUND

 ##Silent Drops/Rejects (Things we don't want in our logs)

  #SMB

  $IPTABLES -A OUTPUT -o $EXTIF -j SMB

  #Ident

  $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 113 -j REJECT --reject-with tcp-reset

 ##Public services running (comment out to activate):

  # ftp-data

  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp  --sport 20 -j ACCEPT

  # ftp

  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp  --sport 21 -j ACCEPT

  # ssh

  $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

  #telnet

  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT

  # smtp

  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

  # DNS

  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 53 -j ACCEPT

  #$IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 53 -j ACCEPT

  # http

  $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

  # https

  $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

  # POP-3

  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

  # IMAP

  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT

  # SMTPs

  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 465 -m state --state ESTABLISHED -j ACCEPT

  # POP3s

  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

  # IMAPs

  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT

 ##Accept all tcp/udp traffic on unprivileged ports going out

  $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p tcp --sport $UNPRIVPORTS -j ACCEPT

  $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p udp --sport $UNPRIVPORTS -j ACCEPT

##Catch all rule

$IPTABLES -A OUTPUT -j LDROP

$IPTABLES -A FORWARD -j LDROP

#------End Ruleset------#

echo "...done"

echo ""

echo "--> IPTABLES firewall loaded/activated <--"

##--------------------------------End Firewall---------------------------------##

   ;;

   *)

      echo "Usage: firewall (start|stop|restart|status) EXTIF"

      exit 1

esac

exit 0

```

----------

## JC99

What do you want the script to do? Is your box a router providing internet connection sharing, or is it a desktop box just to surf the net?

----------

## dashnu

I want the script to run on our production server that hosts the web-app. Single machine, no routing, one NIC. I want all bad traffic to be stopped; ports 443, 80 and 22 open only.

I tested Firefox on Windows and the slowness is coming from IE only.

It is something to do with IE only, but I have no idea what it could be. If logs or anything would help, let me know what you need. I would love to figure this out.

Thx

----------

## dashnu

This is the log from iptables when IE connects.

Note: Firefox does not log anything.

```
Apr 14 14:33:51 pong fp=INVALID:1 a=DROP IN=eth0 OUT= MAC=00:09:6a:a4:wf:8z:00:06:1b:c2:2e:bd:08:00 SRC=192.168.1.98 DST=192.168.1.246 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=32916 DF PROTO=TCP SPT=1297 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0

Apr 14 14:34:00 pong fp=SYNFLOOD:1 a=DROP IN=eth0 OUT= MAC=00:09:6a:a4:df:8f:00:06:1b:c2:2e:bd:08:00 SRC=192.168.1.98 DST=192.168.1.246 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=33040 DF PROTO=TCP SPT=1310 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0

Apr 14 14:34:00 pong fp=SYNFLOOD:1 a=DROP IN=eth0 OUT= MAC=00:09:6a:a4:wf:8z:00:06:1b:c2:2e:bd:08:00 SRC=192.168.1.98 DST=192.168.1.246 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=33043 DF PROTO=TCP SPT=1311 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0

Apr 14 14:34:00 pong fp=SYNFLOOD:1 a=DROP IN=eth0 OUT= MAC=00:09:6a:a4:wf:8z:00:06:1b:c2:2e:bd:08:00 SRC=192.168.1.98 DST=192.168.1.246 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=33046 DF PROTO=TCP SPT=1312 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0

Apr 14 14:34:00 pong fp=SYNFLOOD:1 a=DROP IN=eth0 OUT= MAC=00:09:6a:a4:wf:8z:00:06:1b:c2:2e:bd:08:00 SRC=192.168.1.98 DST=192.168.1.246 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=33052 DF PROTO=TCP SPT=1313 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0

Apr 14 14:34:03 pong fp=SYNFLOOD:1 a=DROP IN=eth0 OUT= MAC=00:09:6a:a4:wf:8z:00:06:1b:c2:2e:bd:08:00 SRC=192.168.1.98 DST=192.168.1.246 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=33146 DF PROTO=TCP SPT=1321 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0

Apr 14 14:34:03 pong fp=SYNFLOOD:1 a=DROP IN=eth0 OUT= MAC=00:09:6a:a4:wf:8z:00:06:1b:c2:2e:bd:08:00 SRC=192.168.1.98 DST=192.168.1.246 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=33148 DF PROTO=TCP SPT=1322 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0

Apr 14 14:34:03 pong fp=SYNFLOOD:1 a=DROP IN=eth0 OUT= MAC=00:09:6a:a4:wf:8z:00:06:1b:c2:2e:bd:08:00 SRC=192.168.1.98 DST=192.168.1.246 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=33155 DF PROTO=TCP SPT=1323 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0

Apr 14 14:34:03 pong fp=SYNFLOOD:1 a=DROP IN=eth0 OUT= MAC=00:09:6a:a4:wf:8z:00:06:1b:c2:2e:bd:08:00 SRC=192.168.1.98 DST=192.168.1.246 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=33157 DF PROTO=TCP SPT=1313 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
```

----------

## jonnevers

 *init-zero wrote:*   

> I want the script to run on our production server that hosts the web-app. Single machine, no routing, one NIC. I want all bad traffic to be stopped; ports 443, 80 and 22 open only.
> 
> I tested Firefox on Windows and the slowness is coming from IE only.
> 
> It is something to do with IE only, but I have no idea what it could be. If logs or anything would help, let me know what you need. I would love to figure this out.
> ...

 

This may be way off base, but is IE configured to be using a proxy?

----------

## dashnu

No, the only thing I have set in IE is the handy check box next to "Automatically detect settings".


*edit: this slowness happens on any Windows box / IE.

----------

## tutaepaki

Looks like IE is triggering your SYNFLOOD protection rules. It's trying to open more than 5 connections per second on the initial connect.

Presumably, this is some kind of performance tweak which allows multiple simultaneous downloads from the one site. (I thought this was by default set to a maximum of 2, as per the RFC....did you tweak this??) 

I dunno where you set this in IE, I had a quick look, but couldn't find anything. The alternative is to increase the 

```
# Overall Limit for TCP-SYN-Flood detection

TCPSYNLIMIT="5/s" 
```

value from 5/s to maybe 10/s ??
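
The diagnosis above can be checked against the firewall's own log rather than by guessing. The following is an added example (mine, not code from the thread or from the posted script): it tallies the `fp=SYNFLOOD:1 a=DROP` lines per second and per source, and lists source ports whose SYN was dropped more than once, which is the client retransmitting after its first SYN was silently dropped. `SAMPLE_LOG` is constructed from the lines posted above with the MAC field removed; point the functions at `grep fp=SYNFLOOD /var/log/messages` on the real box. Note that only dropped SYNs are logged, so the counts are the excess above the limit, not the browser's total connection rate.

```sh
#!/bin/sh
# Added example: tally the firewall's "fp=SYNFLOOD:1 a=DROP" log lines
# to see when the SYN limiter fired and which connections it stalled.
# Input is syslog text in the format the script's LOG rules emit.

# Constructed sample, taken from the lines posted in the thread with the
# MAC= field dropped (it is not needed for the analysis).
SAMPLE_LOG='Apr 14 14:33:51 pong fp=INVALID:1 a=DROP IN=eth0 OUT= SRC=192.168.1.98 DST=192.168.1.246 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=32916 DF PROTO=TCP SPT=1297 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0
Apr 14 14:34:00 pong fp=SYNFLOOD:1 a=DROP IN=eth0 OUT= SRC=192.168.1.98 DST=192.168.1.246 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=33040 DF PROTO=TCP SPT=1310 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 14 14:34:00 pong fp=SYNFLOOD:1 a=DROP IN=eth0 OUT= SRC=192.168.1.98 DST=192.168.1.246 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=33043 DF PROTO=TCP SPT=1311 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 14 14:34:00 pong fp=SYNFLOOD:1 a=DROP IN=eth0 OUT= SRC=192.168.1.98 DST=192.168.1.246 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=33046 DF PROTO=TCP SPT=1312 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 14 14:34:00 pong fp=SYNFLOOD:1 a=DROP IN=eth0 OUT= SRC=192.168.1.98 DST=192.168.1.246 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=33052 DF PROTO=TCP SPT=1313 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 14 14:34:03 pong fp=SYNFLOOD:1 a=DROP IN=eth0 OUT= SRC=192.168.1.98 DST=192.168.1.246 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=33146 DF PROTO=TCP SPT=1321 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 14 14:34:03 pong fp=SYNFLOOD:1 a=DROP IN=eth0 OUT= SRC=192.168.1.98 DST=192.168.1.246 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=33148 DF PROTO=TCP SPT=1322 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 14 14:34:03 pong fp=SYNFLOOD:1 a=DROP IN=eth0 OUT= SRC=192.168.1.98 DST=192.168.1.246 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=33155 DF PROTO=TCP SPT=1323 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 14 14:34:03 pong fp=SYNFLOOD:1 a=DROP IN=eth0 OUT= SRC=192.168.1.98 DST=192.168.1.246 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=33157 DF PROTO=TCP SPT=1313 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0'

# Dropped SYNs per (syslog second, source address, destination port).
# Only drops are logged; accepted SYNs never appear, so each count is the
# excess above the "-m limit" bucket at that moment, not the total rate.
synflood_drops_per_second() {
    awk '
        /fp=SYNFLOOD:1 a=DROP/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # $1 $2 $3 = month, day, HH:MM:SS of the syslog timestamp
            count[$1 " " $2 " " $3 " " src " dpt=" dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# SRC:SPT pairs dropped more than once. The same source port coming back
# a few seconds later is the client retransmitting a SYN that got no answer,
# which is exactly the stall the browser user experiences.
retransmitted_syns() {
    awk '
        /fp=SYNFLOOD:1 a=DROP/ {
            src = ""; spt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^SPT=/) spt = substr($i, 5)
            }
            seen[src ":" spt]++
        }
        END { for (k in seen) if (seen[k] > 1) print k, seen[k] }
    ' | sort
}

printf '%s\n' "$SAMPLE_LOG" | synflood_drops_per_second
printf '%s\n' "$SAMPLE_LOG" | retransmitted_syns
```

On the posted sample this reports four drops at 14:34:00 and four more at 14:34:03 from the single client 192.168.1.98, and shows SPT 1313 dropped twice, three seconds apart, consistent with the client's SYN retransmit timer. Since `-m limit` keeps one token bucket for the whole rule, those drops mean the bucket was already empty when IE's parallel connections arrived, and every other visitor shares that same bucket.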

----------

## dashnu

So I set it to 10; I see the same output in the logs. Same slowness. I have had two kernel panics using this f-wall also. I am going to get the newest kernel and recompile, and double-check that all the mods I need are in.

Any other ideas on the IE slowness?

 *Quote:*   

> Presumably, this is some kind of performance tweak which allows multiple simultaneous downloads from the one site. (I thought this was by default set to a maximum of 2, as per the RFC....did you tweak this??) 

 

I tweaked nothing. But anyway, do you mean server side or Windows/IE side?

Thanks for help

----------

## tutaepaki

It's a client-side setting, something to do with HTTP 1.1 simultaneous connections. To confirm, you could try to disable HTTP 1.1 completely in the IE browser.

Maybe setting the synflood limit to 10 is not high enough either. Try something ridiculous like 1000, just to determine if that really is the problem.

----------

## Johnyp

1) Stop iptables, flush the rules and see if IE speeds up.

If it does - the problem is in the script (can't personally help you there), if it's still slow - go to 2.

2) In IE UNCHECK detect settings. Go to tools->internet options->advanced and click restore defaults button.

Try visiting the site

3) If it's still slow, check if other sites load slowly. If yes, run a spyware/adware check. If not, look in the Apache logs for clues.

By the way - why firewall on a production server? For production servers use a dedicated firewall (hardware or software), but in front of the server.

----------

## dashnu

 *tutaepaki wrote:*   

> It's a client side setting, something to do with http 1.1 simultaneous connections. To confirm, you could try to disable http 1.1 completely in the IE browser. 
> 
> Maybe setting the synflood limit to 10 is not high enough either. Try something ridiculous like 1000, just to determine if that really is the problem.

 

```
# Overall Limit for TCP-SYN-Flood detection

TCPSYNLIMIT="1000/s"

# Burst Limit for TCP-SYN-Flood detection

TCPSYNLIMITBURST="1000"

```

That solved it. Now I guess I need to figure out a 'safe' value that works.

 *Johnyp wrote:*   

> By the way - why firewall on a production server? For production servers use a dedicated firewall (hardware or software), but in front of the server.

 

Unfortunately we are a small company and can't afford to have that as an option. We currently run a Netgear NAT/firewall hardware box in front of the server now, but it is not reliable. Many times I hit the web-admin page and the thing just dies. I have upgraded the firmware and such also. My goal is to run a fully open-source / low-cost shop; that is what makes me a valuable employee to the company.

I understand that running the f-wall on the production machine is not the ideal option, but some examples of why this is not a good idea would be great (besides the currently fixed issue, heh). Would you recommend I try and stick out the Netgear fwall? I very rarely need to access the web-admin.

Thanks for all the help everyone.
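
Rather than searching for a "safe" global value, the usual fix is to make the limit per source address, so one browser opening a burst of parallel connections cannot drain the bucket for everyone else. Below is an added example (mine, not code from the thread or from the posted script) of a replacement `TCPACCEPT` chain using the `hashlimit` match with `--hashlimit-mode srcip`. The 20/s and 40 values are assumed starting points, not tuned numbers; `LSYNFLOOD` is the log chain the posted script already creates; `DRY_RUN=1` (the default here) prints the commands instead of running them, so the chain can be reviewed without root or iptables. On iptables older than 1.4 the rate option is spelled `--hashlimit` rather than `--hashlimit-upto`.

```sh
#!/bin/sh
# Added example: a TCPACCEPT chain that rate-limits new TCP connections
# per source address instead of with one global bucket.
#
# The original chain uses "-m limit", whose token bucket is shared by every
# client, so one busy browser exhausts it and all visitors see dropped SYNs.
# "-m hashlimit --hashlimit-mode srcip" keeps one bucket per source /32.

IPTABLES="${IPTABLES:-/sbin/iptables}"
# Assumed default: print the commands instead of executing them.
DRY_RUN="${DRY_RUN:-1}"
# Assumed starting values: allow 20 new connections/sec per client with a
# burst of 40. A browser's parallel connections fit inside the burst; a
# single host hammering the port still gets logged and dropped.
PERSRC_SYNLIMIT="${PERSRC_SYNLIMIT:-20/s}"
PERSRC_SYNBURST="${PERSRC_SYNBURST:-40}"

# Wrapper so the same rule text is either printed (review) or applied.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

build_tcpaccept_chain() {
    ipt -N TCPACCEPT
    # Handshake packets: accept up to the per-source rate; the excess goes
    # to LSYNFLOOD, the rate-limited LOG + DROP chain from the posted script.
    ipt -A TCPACCEPT -p tcp --syn -m hashlimit --hashlimit-name synflood \
        --hashlimit-mode srcip --hashlimit-upto "$PERSRC_SYNLIMIT" \
        --hashlimit-burst "$PERSRC_SYNBURST" -j ACCEPT
    ipt -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
    # Non-SYN segments belong to flows that already passed the SYN check.
    ipt -A TCPACCEPT -p tcp ! --syn -j ACCEPT
}

build_tcpaccept_chain
```

Two caveats when picking the numbers. Everyone behind one NAT gateway shares a source address and therefore one bucket, so an office full of users looks like a single fast client; set the burst with that in mind. And a per-packet rate limit is not the real defence against a distributed SYN flood, since spoofed or many sources each get a fresh bucket; that job belongs to `tcp_syncookies`, which the posted script already enables. The limiter's value is bounding log noise and stopping a single abusive host without stalling legitimate browsers.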

----------

## nobspangle

 *init-zero wrote:*   

> Unfortunately we are a small company and can't afford to have that as an option. We currently run a Netgear NAT/firewall hardware box in front of the server now, but it is not reliable. Many times I hit the web-admin page and the thing just dies. I have upgraded the firmware and such also. My goal is to run a fully open-source / low-cost shop; that is what makes me a valuable employee to the company.

 

Just find an old PC and use that as your router, you can use anything so long as it has 64MB RAM.

If your server is behind a NAT box you don't need a firewall on the box itself.

----------

## rogerjoseph

http://www.winguides.com/registry/display.php/536/

Or do a google search for "IE max connections per server"

Basically, to lower IE's max connections per server, use a reg hack to lower the connections to 4, which is always passive. 6 and up might be too high for some proxies/firewalls.

Make sure to have IE configured for the proxy. M$ is not as good at detecting the connection method; it can hose things from the start.

My 50 cents


----------

## dashnu

A friend of mine pointed me to this..

http://grotto11.com/blog/slash.html?%201039831658

It is really old, but it seems to be the most logical solution. Interesting read anyway.

Going to work on my own script to learn the in's and out's.

----------

