When I enable iptables (v4/v6) on my server, every connection (e.g. ssh, imap, smtp, http, https, etc.) becomes slow, so if I try to connect to ssh it takes up to 30 (!) seconds.
The imap service dovecot has the same problem. ESTABLISHED rules are in place.
What am I missing?
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
407K 138M ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
7259 943K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
344K 55M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1382 81884 ACCEPT tcp -- * * 0.0.0.0/0 #serverip_v4# tcp dpt:25
8 472 ACCEPT tcp -- * * 0.0.0.0/0 #serverip_v4# tcp dpt:587
212 12472 ACCEPT tcp -- * * 0.0.0.0/0 #serverip_v4# tcp dpt:143
514 27852 ACCEPT tcp -- * * 0.0.0.0/0 #serverip_v4# tcp dpt:80
3707 211K ACCEPT tcp -- * * 0.0.0.0/0 #serverip_v4# tcp dpt:443
17658 1043K ACCEPT tcp -- * * 0.0.0.0/0 #serverip_v4# tcp dpt:22
123 4932 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0 state NEW,RELATED,ESTABLISHED
3949 276K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4939 packets, 629K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
156K 20M ACCEPT all lo * ::/0 ::/0
66440 5314K ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
2 160 ACCEPT tcp * * ::/0 #serverip_v6# tcp dpt:25
1 72 ACCEPT tcp * * ::/0 #serverip_v6# tcp dpt:587
22159 1773K ACCEPT tcp * * ::/0 #serverip_v6# tcp dpt:143
14 1056 ACCEPT tcp * * ::/0 #serverip_v6# tcp dpt:80
144 11108 ACCEPT tcp * * ::/0 #serverip_v6# tcp dpt:443
3 212 ACCEPT tcp * * ::/0 #serverip_v6# tcp dpt:22
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 129 state NEW,RELATED,ESTABLISHED
435 31296 REJECT all * * ::/0 ::/0 reject-with icmp6-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1349 packets, 137K bytes)
pkts bytes target prot opt in out source destination
Using DROP or REJECT makes no difference. If I flush the rules, everything runs smoothly.
Answer 1
As @MadHatter commented, it is important to allow DNS to establish connections:
iptables -I INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
ip6tables -I INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
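An added example, not part of the question or answer above: a POSIX shell helper that applies the answer's DNS-reply rule idempotently on both stacks (checking with `-C` before inserting with `-I`), plus an `awk` check that reads an `iptables -nvL INPUT` listing like the one in the question and confirms an ACCEPT for UDP source port 53 sits above the chain's final REJECT. The function names and the IPT4/IPT6 variables are assumptions; set IPT4="echo iptables" to dry-run without root.

```sh
#!/bin/sh
# Assumed variable names; default to the real binaries.
: "${IPT4:=iptables}"
: "${IPT6:=ip6tables}"

# allow_dns_replies <iptables-binary>
# Insert the rule from the answer at the top of INPUT only if it is not
# already there, so re-running the script never stacks duplicates.
# Prints "present" or "inserted".
allow_dns_replies() {
  bin="$1"
  # One rule spec shared by the check (-C) and the insert (-I).
  set -- INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
  if "$bin" -C "$@" 2>/dev/null; then
    echo "present"
  else
    "$bin" -I "$@" && echo "inserted"
  fi
}

# apply_dns_rules: fix both address families, as the answer does.
apply_dns_rules() {
  allow_dns_replies "$IPT4"
  allow_dns_replies "$IPT6"
}

# dns_reply_rule_ok: read an `iptables -nvL INPUT` listing on stdin and
# exit 0 only if an ACCEPT rule for UDP with "spt:53" appears before the
# catch-all REJECT (field 3 is the target, field 4 the protocol; ip6tables
# omits the "opt" column but those two fields keep their positions).
dns_reply_rule_ok() {
  awk '
    $3 == "ACCEPT" && $4 == "udp" && /spt:53/ { found = 1 }
    $3 == "REJECT" && !found { exit 1 }
    END { exit found ? 0 : 1 }
  '
}

# Typical use: apply_dns_rules && "$IPT4" -nvL INPUT | dns_reply_rule_ok
```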