IPtables broken, website taking forever to load

garry asked:

I made changes to my iptables to get fail2ban working and now my website takes forever to load. Please take a look at my iptables and provide me with a soultion.

sudo iptables -S output

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ICMP
-N TCP
-N UDP
-N fail2ban-HTTP
-N fail2ban-apache
-N fail2ban-apache-badbots
-N fail2ban-apache-nohome
-N fail2ban-apache-noscript
-N fail2ban-apache-overflows
-N fail2ban-php-url-fopen
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-nohome
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-php-url-fopen
-A INPUT -p tcp -m tcp --dport 80 -j fail2ban-HTTP
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-badbots
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-overflows
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-noscript
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A fail2ban-HTTP -s 94.0.157.53/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-HTTP -s 191.96.249.80/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-HTTP -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache-badbots -j RETURN
-A fail2ban-apache-nohome -j RETURN
-A fail2ban-apache-noscript -j RETURN
-A fail2ban-apache-overflows -j RETURN
-A fail2ban-php-url-fopen -j RETURN
-A fail2ban-ssh -s 221.194.47.208/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN

sudo iptables -L output:

Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-apache-nohome tcp -- anywhere anywhere multiport dports http,https
fail2ban-php-url-fopen tcp -- anywhere anywhere multiport dports http,https
fail2ban-HTTP tcp -- anywhere anywhere tcp dpt:http
fail2ban-apache-badbots tcp -- anywhere anywhere multiport dports http,https
fail2ban-apache tcp -- anywhere anywhere multiport dports http,https
fail2ban-apache-overflows tcp -- anywhere anywhere multiport dports http,https
fail2ban-apache-noscript tcp -- anywhere anywhere multiport dports http,https
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
UDP udp -- anywhere anywhere ctstate NEW
TCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ICMP icmp -- anywhere anywhere ctstate NEW
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain ICMP (1 references)
target prot opt source destination

Chain TCP (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

Chain UDP (1 references)
target prot opt source destination

Chain fail2ban-HTTP (1 references)
target prot opt source destination
REJECT all -- 5e009d35.bb.sky.com anywhere reject-with icmp-port-unreachable
REJECT all -- 191.96.249.80 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere

Chain fail2ban-apache (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-apache-badbots (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-apache-nohome (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-apache-noscript (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-apache-overflows (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-php-url-fopen (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain fail2ban-ssh (1 references)
target prot opt source destination
REJECT all -- 221.194.47.208 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere

Thanks

My answer:


You have only opened one port, port 22. Your web site (most likely) runs on port 80. You need to open that port also.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.