RE: Iptables Problem at webserver


> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx 
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of 
> Alessio Calvio
> Sent: Thursday, December 15, 2005 8:16 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Iptables Problem at webserver
> 
>  Hi, I am Italian, sorry for my English.
> 
>  I have a webserver:
>   apache 1.3.34
>   bind 8
>   iptables 1.2.11
> 
>  I have written this config for iptables:
> 
>  # Generated by iptables-save v1.2.11 on Wed Dec 14 12:28:37 2005
>  *filter
>  :INPUT DROP [585:90937]
>  :FORWARD ACCEPT [0:0]
>  :OUTPUT ACCEPT [12009:6670555]
>  -A INPUT -s 213.92.118.7 -j ACCEPT
>  -A INPUT -i ! eth0 -j ACCEPT
>  -A INPUT -p udp -m udp --dport 53 -j ACCEPT
>  -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
>  -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
>  -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
>  -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
>  -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
>  -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
>  -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
>  -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>  -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
>  -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
>  -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
>  -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
>  -A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
>  COMMIT
>  # Completed on Wed Dec 14 12:28:37 2005
> 
> 
> 
>  But if iptables is on and I request www.myserver.it, I have a
> latency of 4-5 seconds to view the page.
> 
>  If iptables is off I can view the page in 0.30 seconds.
> 
>  Please help me!!

I don't see a RELATED,ESTABLISHED rule in your INPUT chain. I'm not sure
why but I once had a similar problem with SSH when there was no -m state
--state RELATED,ESTABLISHED rule at the top of the chain. I would hit
the login prompt and it would take several seconds before the password
prompt appeared. After adding the rule the problem went away.

Someone else may be able to explain why but try that first.

Derick Anderson
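The ruleset below is an added example, not something posted in the thread: it is Alessio's INPUT chain with the rule Derick suggests inserted as the first rule, written in iptables-restore format, plus a small check that can be run against `iptables-save` output on a live host. What the rule buys you is visible from the posted chain itself: every ACCEPT there matches on a destination port or ICMP type, so a reply packet from a remote port to a local high port (the answer to an outbound DNS query or SMTP connection, for instance) matches nothing and falls through to the DROP policy; a RELATED,ESTABLISHED rule at the top accepts those replies before the per-port rules are consulted. Assumptions not stated on the page: eth0 is the only external interface, 213.92.118.7 is a trusted address, and the kernel has the connection-tracking module that `-m state` requires. The example uses the modern `! -i eth0` spelling; iptables 1.2.11 wrote it as `-i ! eth0`.

```shell
#!/bin/sh
# Added example, not from the original thread. Rebuilds the poster's INPUT chain
# with the RELATED,ESTABLISHED rule first and offers a check for existing rulesets.
# Assumed: eth0 is the only external interface; 213.92.118.7 is a trusted address;
# the kernel provides the conntrack module needed by "-m state".

# Emit the corrected ruleset in iptables-restore format. Counters are zeroed;
# iptables-restore ignores them unless run with -c. Apply as root with:
#   corrected_ruleset | iptables-restore
corrected_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Must be the first rule: accepts replies to connections this host opened
# (outbound DNS, SMTP, ...) and all later packets of connections already
# accepted by the per-port rules below. Without it, a reply from a remote port
# to a local high port matches no ACCEPT and hits the DROP policy.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 213.92.118.7 -j ACCEPT
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
COMMIT
EOF
}

# Read iptables-save text on stdin and return 0 if the first "-A INPUT" rule is
# the stateful accept (either operand order, "-m state" or "-m conntrack"),
# 1 otherwise. On a live host:  iptables-save | stateful_rule_is_first
stateful_rule_is_first() {
    first=$(grep '^-A INPUT ' | head -n 1)
    case "$first" in
        *'--state RELATED,ESTABLISHED -j ACCEPT'*|\
        *'--state ESTABLISHED,RELATED -j ACCEPT'*|\
        *'--ctstate RELATED,ESTABLISHED -j ACCEPT'*|\
        *'--ctstate ESTABLISHED,RELATED -j ACCEPT'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count the INPUT rules in an iptables-save text read from stdin.
count_input_rules() {
    grep -c '^-A INPUT ' || true
}

# Stand-alone run: confirm the corrected ruleset passes the check.
if corrected_ruleset | stateful_rule_is_first; then
    echo "corrected ruleset: stateful rule is first"
else
    echo "corrected ruleset: stateful rule missing or not first"
fi
```

Run the check against the chain as originally posted (where the first INPUT rule is the `-s 213.92.118.7` accept) and it returns 1, which is exactly the situation Derick describes. The rule order matters: placing the stateful accept first also means the per-port rules only ever see the first packet of a connection, which is what they are meant to decide on.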


