Linux, Unix, and *nix like Operating Systems Forum

iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 21,22,25,80,110,443 -j ACCEPT

as far as i understand iptables, the previous line:

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

already matches any ESTABLISHED connections, so these connections never get a chance to traverse to the next rule?

the rules as they are allow me to work, it is just that after a period of inactivity, the connection dies? odd, it doesn't happen with http only ssh?

but something is definitely wrong, as my rules make the server very slow to respond. i have just flushed the chains and restarted iptables and the speed of browsing has GREATLY increased!

this definitely needs some more investigation.

cheers

added: after searching around i found this rule which when appended solves the slow response

iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

which simulates the correct response from a host which isn't running the auth service (identd). without this rule the ident response (tcp-reset) from my server never appears, so the connecting server waits for a timeout, before continuing with the connection. at least i think that's more or less ;-)

anyway it's lightning quick again!

Does the ssh connection time out after 15 minutes of activity or after 15 minutes of inactivity?

HTTP connections rarely lives for that long. They are usually open and closed much faster than that.

i added a bit to my last post, but you got there sooner.

i wouldn't be surprised if the problem is solved with the tcp-reset. i am now trying this out!

cheers