
Linux, Unix, and *nix like Operating Systems Forum

default time out in iptables?
jamie
WebmasterWorld Senior Member 10+ Year Member
Msg#: 987 posted 12:43 pm on Mar 8, 2004 (gmt 0)

i have just successfully (at last!) configured some basic iptables rules for our server.

i find now when i am ssh-ing to the server, after a certain time period (haven't measured, but must be about 15 minutes) i get timed out and the connection is broken.

this never happened before i added the iptables rules. here they are:

#clear all rules
iptables -F

#now drop everything
iptables -P INPUT DROP
iptables -P FORWARD DROP

#allow any established connections - stop me from being locked out!
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#accept all new connections on the following ports
#ftp(21) ssh(22) smtp(25) http(80) pop3(110) https(443)
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 21,22,25,80,110,443 -j ACCEPT

#allow ping
iptables -A INPUT -p icmp -i eth0 -j ACCEPT

#allow traffic on loopback interface
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

is there any reason why these rules should time me out, or is this an iptables default? (NB previously all chains were set to ACCEPT)

thanks for help!

seindal
10+ Year Member
Msg#: 987 posted 4:50 pm on Mar 8, 2004 (gmt 0)

I'm no expert on iptables, but shouldn't this line:

iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 21,22,25,80,110,443 -j ACCEPT

also be allowed to handle the ESTABLISHED state? You want that communication accepted too, right?

jamie
WebmasterWorld Senior Member 10+ Year Member
Msg#: 987 posted 7:57 pm on Mar 8, 2004 (gmt 0)

hi seindal,

as far as i understand iptables, the previous line:

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

already matches any ESTABLISHED connections, so these connections never get a chance to traverse to the next rule?

the rules as they are allow me to work; it is just that after a period of inactivity, the connection dies. odd, it doesn't happen with http, only ssh?

but something is definitely wrong, as my rules make the server very slow to respond. i have just flushed the chains and restarted iptables and the speed of browsing has GREATLY increased!

this definitely needs some more investigation.

cheers

added: after searching around i found this rule which, when appended, solves the slow response:

iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

which simulates the correct response from a host which isn't running the auth service (identd). without this rule the ident response (tcp-reset) from my server never appears, so the connecting server waits for a timeout, before continuing with the connection. at least i think that's more or less ;-)

anyway it's lightning quick again!

[edited by: jamie at 8:30 pm (utc) on Mar. 8, 2004]
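As an added example (not code from the thread), here is a small Python lint over an iptables-save style dump that checks for the two things this thread turned on when the INPUT policy is DROP: an ESTABLISHED,RELATED accept placed ahead of the NEW accepts, and an explicit tcp-reset REJECT for ident (port 113) so remote identd lookups are answered instead of timing out. The dump is constructed here to mirror jamie's rules; its exact format is an assumption about what iptables-save prints.

```python
import re

# Constructed iptables-save style dump (format is an assumption) mirroring the
# INPUT rules from the thread plus the port-113 REJECT that fixed the slowness.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 21,22,25,80,110,443 -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A OUTPUT -o lo -j ACCEPT
COMMIT
"""

def parse_filter(dump):
    """Return (chain policies, INPUT rules in order) from an iptables-save text."""
    policies, rules = {}, []
    for line in dump.splitlines():
        line = line.strip()
        m = re.match(r"^:(\S+)\s+(\S+)", line)
        if m:
            policies[m.group(1)] = m.group(2)
        elif line.startswith("-A INPUT "):
            rules.append(line)
    return policies, rules

def lint_input_chain(dump):
    """Return a list of findings; an empty list means the checks passed."""
    policies, rules = parse_filter(dump)
    findings = []
    if policies.get("INPUT") != "DROP":
        return findings  # with an ACCEPT policy none of these problems arise
    # Covers both '-m state --state' and '-m conntrack --ctstate' spellings.
    est = [i for i, r in enumerate(rules) if "ESTABLISHED" in r and "-j ACCEPT" in r]
    new = [i for i, r in enumerate(rules) if "NEW" in r and "-j ACCEPT" in r]
    if not est:
        findings.append("no ESTABLISHED,RELATED accept: replies to allowed connections are dropped")
    elif new and min(new) < min(est):
        findings.append("ESTABLISHED,RELATED accept should come before NEW accepts")
    # Ident (113): a silent DROP makes the remote identd lookup wait for a timeout
    # before the remote side proceeds; a tcp-reset REJECT answers immediately.
    ident = [r for r in rules if re.search(r"--dports? \S*\b113\b", r)]
    if not any("REJECT" in r and "tcp-reset" in r for r in ident):
        findings.append("port 113 (ident) is silently dropped: add a REJECT --reject-with tcp-reset rule")
    return findings
```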

seindal
10+ Year Member
Msg#: 987 posted 8:04 pm on Mar 8, 2004 (gmt 0)

It sounds a bit as if there's some table of connections where the connection is removed after 15 minutes. A bit like NAT tables.

Does the ssh connection time out after 15 minutes of activity or after 15 minutes of inactivity?

HTTP connections rarely live for that long. They are usually opened and closed much faster than that.

René

jamie
WebmasterWorld Senior Member 10+ Year Member
Msg#: 987 posted 8:33 pm on Mar 8, 2004 (gmt 0)

hi rené,

i added a bit to my last post, but you got there sooner.

i wouldn't be surprised if the problem is solved with the tcp-reset. i am now trying this out!

cheers

added: yes it does appear to solve it. even after 30 minutes the ssh connection is still ok :-)
