Do iptables settings make SSH connections slow?

1. iptables setup commands (whitelist: allow port 22 only)

[root@localhost ~]# iptables -F  INPUT
[root@localhost ~]# iptables  -I  INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[root@localhost ~]# iptables -A INPUT -j REJECT

2. Inspecting the iptables rules (1)

[root@localhost ~]# iptables -vnL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  381 23308 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    6   440 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
[root@localhost ~]#

3. Packet capture (the connection stalls for 10 seconds)

4. Allowing RELATED and ESTABLISHED packets with the iptables state match

[root@localhost ~]# iptables -t filter -I INPUT 2 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@localhost ~]#

5. Inspecting the iptables rules (2)

[root@localhost ~]# iptables -vnL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1760 90804 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    2   152 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   14  1048 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
[root@localhost ~]#

6. Packet capture (connection succeeds normally, no 10 s stall)


Summary:

1. It looks like a missing state rule makes SSH connections slow, but the reason for the slowdown is not clear (the packet capture did not reveal it).

2. Verified: with port 53 allowed as well, the connection still stalls for 10 s, so it does not appear to be related to DNS lookups:

[root@localhost ~]# iptables -vnL OUTPUT
Chain OUTPUT (policy ACCEPT 409 packets, 55386 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@localhost ~]# iptables -vnL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
 5448  288K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
   26  1924 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
[root@localhost ~]#

3. However, after setting the following in the sshd configuration /etc/ssh/sshd_config:

UseDNS=no

and restarting sshd:

[root@localhost ~]# service sshd restart          
Redirecting to /bin/systemctl restart sshd.service

the 10 s connection stall is also resolved with the setting from point 3, so it looks DNS-related after all.
4. Verified: the 10 s stall occurs during the account/password entry step (this is where it hangs for 10 s):
PS C:\Users\test> ssh root@192.168.202.102
root@192.168.202.102's password:
5. So the solutions are: allow RELATED and ESTABLISHED packets with the state match, or change UseDNS. Why the stall happens during user authentication remains unknown for now.
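The post leaves the cause of the stall open. As an added explanation from the editor (not the author's finding), the observations fit one mechanism: with UseDNS left at its default, sshd performs a reverse DNS lookup of the client address during authentication. That lookup is a UDP query to port 53; the OUTPUT chain (policy ACCEPT, no rules) lets it out, but the answer is an inbound UDP datagram that none of the rules in section 2 match, so it hits the catch-all REJECT (the ICMP port-unreachable is sent to the name server, not to the local resolver), and the resolver waits out its retries before sshd continues; with a single name server, glibc's resolver defaults of a 5 s timeout and 2 attempts give exactly the 10 s seen in the post. The RELATED,ESTABLISHED rule fixes this because conntrack matches the reply to the outgoing query; the port-53 test in the summary did not help because it opened TCP 53 while the lookup uses UDP; and UseDNS=no removes the lookup altogether. The script below is an added example, not code from the post, OpenSSH or the iptables project: apply_whitelist rebuilds the post's rule set with the state rule ahead of the REJECT (using -A after -F so the order is explicit rather than depending on `-I INPUT 2`), and audit_input_chain reads `iptables -vnL` output and reports whether the INPUT chain has a RELATED,ESTABLISHED rule before any REJECT/DROP. The two embedded samples are constructed from the post's listings; the IPT and DRY_RUN variables, the function names and the exit codes are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the post's whitelist (SSH on
# TCP 22, everything else rejected) and the `iptables -vnL` listing format.

IPT=${IPT:-iptables}   # iptables binary; override with IPT=/sbin/iptables if needed

# Run an iptables command, or only print it when DRY_RUN=1 so the rule set can be reviewed.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# The post's whitelist in an order that never leaves reply traffic unmatched:
# loopback, then conntrack replies (RELATED,ESTABLISHED), then the SSH port,
# then the catch-all REJECT. Appending after a flush keeps the order explicit.
apply_whitelist() {
    run -F INPUT
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    run -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    run -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# Audit `iptables -vnL` output read from stdin. Only the INPUT chain is examined;
# other chains are skipped. Expects the -v column layout (pkts bytes target ...)
# without --line-numbers.
# Exit codes: 0 = RELATED,ESTABLISHED rule precedes every REJECT/DROP rule
#             1 = a REJECT/DROP rule comes first (reply packets would be rejected)
#             2 = INPUT has no RELATED,ESTABLISHED rule at all (the post's first rule set)
audit_input_chain() {
    awk '
        /^Chain /          { in_input = ($2 == "INPUT"); next }  # chain header
        !in_input          { next }
        /^ *pkts +bytes/   { next }                              # column header line
        NF == 0            { next }
        {
            target = $3                                          # pkts bytes target ...
            if ((target == "REJECT" || target == "DROP") && !seen_state)
                terminal_first = 1
            if (target == "ACCEPT" && $0 ~ /RELATED,ESTABLISHED/)
                seen_state = 1
        }
        END {
            if (!seen_state)    exit 2
            if (terminal_first) exit 1
            exit 0
        }'
}

# Constructed samples mirroring the two INPUT listings in the post.
SAMPLE_NO_STATE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  381 23308 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    6   440 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

SAMPLE_WITH_STATE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1760 90804 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    2   152 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   14  1048 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

# Demonstration: preview the rule commands, then audit both constructed samples.
demo() {
    (DRY_RUN=1; apply_whitelist)
    for s in "$SAMPLE_NO_STATE" "$SAMPLE_WITH_STATE"; do
        rc=0
        printf '%s\n' "$s" | audit_input_chain || rc=$?
        echo "audit exit code: $rc"
    done
}

demo
```

On a live host the audit is run against the real listing, for example `iptables -vnL | audit_input_chain` after sourcing the file as root; a non-zero exit code flags a chain whose reply traffic can reach the REJECT rule. The check only looks at rule order, so it does not replace the packet capture for other causes of a stall.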

posted on 2022-08-07 11:27  yaxin1989