As far as I understand iptables, the previous line:
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
already matches any ESTABLISHED connections, so these connections never get a chance to traverse to the next rule?
The rules as they are allow me to work; it is just that after a period of inactivity, the connection dies. Odd, it doesn't happen with HTTP, only SSH?
But something is definitely wrong, as my rules make the server very slow to respond. I have just flushed the chains and restarted iptables, and the speed of browsing has GREATLY increased!
This definitely needs some more investigation.
Added: after searching around I found this rule, which when appended solves the slow response:
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
which simulates the correct response from a host which isn't running the auth service (identd). Without this rule the ident response (tcp-reset) from my server never appears, so the connecting server waits for a timeout before continuing with the connection. At least I think that's more or less it ;-)
Anyway, it's lightning quick again!
[edited by: jamie at 8:30 pm (utc) on Mar. 8, 2004]
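As an added example (not part of the post above), the following shell function classifies how an INPUT chain will answer an inbound ident (tcp/113) connection attempt, so the "silent drop causes the remote host to wait for a timeout" situation described above can be spotted without live testing. It assumes iptables-save style rule text on stdin and a POSIX awk; the sample rule sets in the usage calls are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Reads iptables-save style text
# on stdin and prints how a fresh inbound SYN to tcp/113 (ident) would be
# treated by the INPUT chain:
#   reset        -> REJECT --reject-with tcp-reset (client sees an immediate RST)
#   reject-icmp  -> REJECT with the default ICMP error instead of a TCP RST
#   accept       -> the SYN is let through to whatever listens on 113
#   drop         -> packet silently discarded; the remote host waits for a
#                   timeout, the slow-connection symptom described in the post
ident_rule_status() {
  awk '
    /^:INPUT / { policy = $2; next }            # default chain policy line, e.g. ":INPUT DROP [0:0]"
    /^-A INPUT / {
      # Skip rules that can never match a brand-new inbound ident SYN:
      if ($0 ~ /--state / && $0 !~ /NEW/) next   # ESTABLISHED,RELATED only
      if ($0 ~ /-p / && $0 !~ /-p tcp/) next      # other protocols
      if ($0 ~ /--dport / && $0 !~ /--dport (113|ident)( |$)/) next
      if ($0 ~ /-j LOG/) next                     # LOG is non-terminating
      # First remaining rule with a terminating target decides the fate.
      if ($0 ~ /-j REJECT/) {
        print ($0 ~ /--reject-with tcp-reset/) ? "reset" : "reject-icmp"
        hit = 1; exit
      }
      if ($0 ~ /-j ACCEPT/) { print "accept"; hit = 1; exit }
      if ($0 ~ /-j DROP/)   { print "drop";   hit = 1; exit }
    }
    END {
      # No rule matched: the chain policy applies.
      if (!hit) print (policy == "") ? "unknown" : (policy == "ACCEPT") ? "accept" : "drop"
    }
  '
}

# Constructed sample: the ruleset from the post, with the tcp-reset rule added.
sample_with_reset() {
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' \
    '-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT' \
    '-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset' 'COMMIT'
}

# Constructed sample: same ruleset without it; ident falls through to DROP.
sample_without_reset() {
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' \
    '-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT' \
    '-A INPUT -p tcp --dport 22 -j ACCEPT' 'COMMIT'
}

sample_with_reset | ident_rule_status      # reset
sample_without_reset | ident_rule_status   # drop
```

Run it against real output with `iptables-save | ident_rule_status`; anything other than `reset` or `accept` means remote hosts probing ident will wait for a timeout.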