
default time out in iptables?

12:43 pm on Mar 8, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



i have just successfully (at last!) configured some basic iptables rules for our server.

i find now when i am ssh-ing to the server, after a certain time period (haven't measured, but must be about 15 minutes) i get timed out and the connection is broken.

this never happened before i added the iptables rules. here they are

#clear all rules
iptables -F

#now drop everything
iptables -P INPUT DROP
iptables -P FORWARD DROP

#allow any established connections - stop me from being locked out!
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#accept all new connections on the following ports
#ftp(21) ssh(22) smtp(25) http(80) pop3(110) https(443)
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 21,22,25,80,110,443 -j ACCEPT

#allow ping
iptables -A INPUT -p icmp -i eth0 -j ACCEPT

#allow traffic on loopback interface
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

is there any reason why these rules should time me out, or is this an iptables default. (NB previously all chains were set to ACCEPT)?

thanks for help!

4:50 pm on Mar 8, 2004 (gmt 0)

10+ Year Member



I'm no expert on iptables, but shouldn't this line:

iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 21,22,25,80,110,443 -j ACCEPT

also be allowed to handle the ESTABLISHED state? You want that communication accepted too, right?

7:57 pm on Mar 8, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



hi seindal,

as far as i understand iptables, the previous line:

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

already matches any ESTABLISHED connections, so these connections never get a chance to traverse to the next rule?

the rules as they are allow me to work, it is just that after a period of inactivity, the connection dies? odd, it doesn't happen with http only ssh?

but something is definitely wrong, as my rules make the server very slow to respond. i have just flushed the chains and restarted iptables and the speed of browsing has GREATLY increased!

this definitely needs some more investigation.

cheers

added: after searching around i found this rule which when appended solves the slow response

iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

which simulates the correct response from a host which isn't running the auth service (identd). without this rule the ident response (tcp-reset) from my server never appears, so the connecting server waits for a timeout, before continuing with the connection. at least i think that's more or less ;-)

anyway it's lightning quick again!

[edited by: jamie at 8:30 pm (utc) on Mar. 8, 2004]
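As an added check (not from the thread, and not the poster's own code), assuming the rules are fed in `iptables -S` form: a small Python linter that verifies the ESTABLISHED,RELATED accept sits before the NEW rule and that port 113 gets a tcp-reset REJECT instead of falling through to the DROP policy, where peers doing ident lookups would wait for a timeout.

```python
import re

# Constructed sample: the poster's rules in `iptables -S` form, plus the identd REJECT.
RULES = """\
-P INPUT DROP
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 21,22,25,80,110,443 -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
"""

def parse_rules(text):
    """Split `iptables -S` output into {chain: policy} and a list of (chain, rule line)."""
    policies, rules = {}, []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "-P":
            policies[parts[1]] = parts[2]
        elif parts[0] == "-A":
            rules.append((parts[1], line))
    return policies, rules

def ports_of(rule):
    """Destination ports a rule names, from --dport N or --dports a,b,c."""
    m = re.search(r"--dports? (\S+)", rule)
    return set(m.group(1).split(",")) if m else set()

def check_ruleset(text):
    """Return a list of findings; an empty list means every check passed."""
    policies, rules = parse_rules(text)
    inp = [r for chain, r in rules if chain == "INPUT"]
    findings = []
    if policies.get("INPUT") != "DROP":
        findings.append("INPUT policy is not DROP")
    est = next((i for i, r in enumerate(inp) if "ESTABLISHED" in r and r.endswith("-j ACCEPT")), None)
    new = next((i for i, r in enumerate(inp) if "--state NEW" in r), None)
    if est is None:
        findings.append("no ESTABLISHED,RELATED accept: replies on open sessions are dropped")
    elif new is not None and est > new:
        findings.append("ESTABLISHED,RELATED accept should come before the --state NEW rule")
    ident = [r for r in inp if "113" in ports_of(r)]
    if not ident:
        findings.append("port 113 falls through to DROP: peers doing ident lookups wait for a timeout")
    elif not any("-j REJECT" in r and "tcp-reset" in r for r in ident):
        findings.append("port 113 rule should be REJECT --reject-with tcp-reset, not ACCEPT or DROP")
    return findings
```

Run it against the live output of `iptables -S INPUT` to confirm the ident rule is present and ordered correctly after a reload.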

8:04 pm on Mar 8, 2004 (gmt 0)

10+ Year Member



It sounds a bit as if there's some table of connections where the connection is removed after 15 minutes. A bit like NAT tables.

Does the ssh connection time out after 15 minutes of activity or after 15 minutes of inactivity?

HTTP connections rarely live for that long. They are usually opened and closed much faster than that.

René

8:33 pm on Mar 8, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



hi rené,

i added a bit to my last post, but you got there sooner.

i wouldn't be surprised if the problem is solved with the tcp-reset. i am now trying this out!

cheers

added: yes it does appear to solve it. even after 30 minutes the ssh connection is still ok :-)