Iptables + Apache = Lent
par 2dc le 21/12/2007

Bonjour,

Mon firewall iptables ralenti très fort le chargement de mes pages web (via Apache). Le problème se pose principalement au niveau des images qui sont très lentes à charger.

Est-ce du à une mauvaise configuration de mon firewall? Sinon, que puis-je utiliser comme firewall pour qu'Apache reste rapide?

Mon script iptables :

#!/bin/sh

# Variables
IFNET="eth0"
IPNET="91.121.82.37"

LOOPBACK="127.0.0.0/8"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"

# Empty all chains
iptables -F

# Delete non standard chains
iptables -X

# Close all ports
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Accept all traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Against spoofing
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1 > $filtre
done
fi

# Deny ping (icmp 8)
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Deny broadcast responses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Deny source packets routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Deny ICMP redirection
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Activate ICMP errors protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# SYN-FLOODING PROTECTION
iptables -N syn-flood
iptables -A INPUT -i $IFNET -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

# Verify that new TCP connection are SYN packets
iptables -A INPUT -i $IFNET -p tcp ! --syn -m state --state NEW -j DROP

# SPOOFING
iptables -A INPUT -i $IFNET -s $IPNET -j DROP
# Deny multicast packets (class D).
iptables -A INPUT -i $IFNET -s $CLASS_D_MULTICAST -j DROP
# Deny packets from reserved address (class E).
iptables -A INPUT -i $IFNET -s $CLASS_E_RESERVED_NET -j DROP
# Dey packets on loopback
iptables -A INPUT -i $IFNET -d $LOOPBACK -j DROP

# Allow SSH
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

# Accept HTTP traffic
iptables -A INPUT -i $IFNET --protocol tcp --destination-port 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFNET --protocol tcp --source-port 80 -m state --state ESTABLISHED -j ACCEPT

# Output traffic
# Accept DNS traffic
iptables -A INPUT -i $IFNET --protocol tcp --source-port 53 -j ACCEPT
iptables -A OUTPUT -o $IFNET --protocol tcp --destination-port 53 -j ACCEPT
iptables -A INPUT -i $IFNET --protocol udp --source-port 53 -j ACCEPT
iptables -A OUTPUT -o $IFNET --protocol udp --destination-port 53 -j ACCEPT

# Accept HTTP traffic
iptables -A INPUT -i $IFNET --protocol tcp --source-port 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFNET --protocol tcp --destination-port 80 -m state --state NEW,ESTABLISHED -j ACCEPT

# Ping
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT

# End


Merci d'avance!

---