IPtables broken, website taking forever to load

garry asked:

I made changes to my iptables to get fail2ban working and now my website takes forever to load. Please take a look at my iptables and provide me with a solution.

sudo iptables -S output:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N ICMP
-N TCP
-N UDP
-N fail2ban-HTTP
-N fail2ban-apache
-N fail2ban-apache-badbots
-N fail2ban-apache-nohome
-N fail2ban-apache-noscript
-N fail2ban-apache-overflows
-N fail2ban-php-url-fopen
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-nohome
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-php-url-fopen
-A INPUT -p tcp -m tcp --dport 80 -j fail2ban-HTTP
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-badbots
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-overflows
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-noscript
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A fail2ban-HTTP -s 94.0.157.53/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-HTTP -s 191.96.249.80/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-HTTP -j RETURN
-A fail2ban-apache -j RETURN
-A fail2ban-apache-badbots -j RETURN
-A fail2ban-apache-nohome -j RETURN
-A fail2ban-apache-noscript -j RETURN
-A fail2ban-apache-overflows -j RETURN
-A fail2ban-php-url-fopen -j RETURN
-A fail2ban-ssh -s 221.194.47.208/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-ssh -j RETURN

sudo iptables -L output:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-apache-nohome  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-php-url-fopen  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-HTTP  tcp  --  anywhere             anywhere             tcp dpt:http
fail2ban-apache-badbots  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-apache  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-apache-overflows  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-apache-noscript  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
UDP        udp  --  anywhere             anywhere             ctstate NEW
TCP        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ICMP       icmp --  anywhere             anywhere             ctstate NEW
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain ICMP (1 references)
target     prot opt source               destination

Chain TCP (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain UDP (1 references)
target     prot opt source               destination

Chain fail2ban-HTTP (1 references)
target     prot opt source               destination
REJECT     all  --  5e009d35.bb.sky.com  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  191.96.249.80        anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-badbots (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-nohome (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-noscript (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-overflows (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-php-url-fopen (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
REJECT     all  --  221.194.47.208       anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

My answer:

You have only opened one port, port 22.

-A TCP -p tcp -m tcp --dport 22 -j ACCEPT

Your web site (most likely) runs on port 80. You need to open that port also.
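Added illustration, not part of the original question or answer: in the ruleset above every new TCP SYN is handed to chain TCP, and whatever that chain does not ACCEPT falls through to the INPUT chain's `-p tcp -j REJECT --reject-with tcp-reset`. The POSIX shell snippet below audits a constructed excerpt of the question's `iptables -S` lines for the ports chain TCP accepts, then re-runs the check with an ACCEPT for 80,443 appended in the same shape as the existing port-22 rule; the function names and the appended rule line are my own.

```shell
#!/bin/sh
# Constructed excerpt of the question's `iptables -S` output: the lines that
# decide the fate of a new inbound TCP connection.
RULES='-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT'

# The same ruleset with a fix appended (hypothetical rule line): accept the
# web ports in chain TCP, modelled on the existing port-22 rule.
FIXED="$RULES
-A TCP -p tcp -m multiport --dports 80,443 -j ACCEPT"

# accepted_tcp_ports RULESET: print, space separated, the ports that chain
# TCP ACCEPTs, reading --dport and comma-separated --dports values.
accepted_tcp_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "TCP" && $NF == "ACCEPT" {
            for (i = 1; i < NF; i++)
                if ($i == "--dport" || $i == "--dports") {
                    n = split($(i + 1), p, ",")
                    for (k = 1; k <= n; k++) printf "%s ", p[k]
                }
        }' | sed 's/ $//'
}

# missing_web_ports RULESET: print which of 80 and 443 chain TCP does not
# accept; a SYN to such a port is answered by the INPUT chain's tcp-reset.
missing_web_ports() {
    ports=" $(accepted_tcp_ports "$1") "
    out=""
    for p in 80 443; do
        case "$ports" in
            *" $p "*) ;;
            *) out="$out $p" ;;
        esac
    done
    printf '%s' "${out# }"
}

# Stand-alone run: report the situation before and after the fix.
echo "accepted in chain TCP: $(accepted_tcp_ports "$RULES")"
echo "web ports rejected:    $(missing_web_ports "$RULES")"
echo "after fix, rejected:   '$(missing_web_ports "$FIXED")'"
```

Feed real output with `sudo iptables -S | ...` by replacing the constructed RULES string; the logic only looks at chain TCP, so rules in other chains are ignored.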

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.