I find now that when I am ssh-ing to the server, after a certain time period (I haven't measured, but it must be about 15 minutes) I get timed out and the connection is broken.
This never happened before I added the iptables rules. Here they are:
#clear all rules
iptables -F
#now drop everything
iptables -P INPUT DROP
iptables -P FORWARD DROP
#allow any established connections - stop me from being locked out!
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#accept all new connections on the following ports
#ftp(21) ssh(22) smtp(25) http(80) pop3(110) https(443)
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 21,22,25,80,110,443 -j ACCEPT
#allow ping
iptables -A INPUT -p icmp -i eth0 -j ACCEPT
#allow traffic on loopback interface
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
Is there any reason why these rules should time me out, or is this an iptables default? (NB: previously all chains were set to ACCEPT.)
Thanks for the help!
As far as I understand iptables, the previous line:
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
already matches any ESTABLISHED connections, so these connections never get a chance to traverse to the next rule?
The rules as they are allow me to work; it is just that after a period of inactivity, the connection dies. Odd: it doesn't happen with http, only ssh?
But something is definitely wrong, as my rules make the server very slow to respond. I have just flushed the chains and restarted iptables, and the speed of browsing has GREATLY increased!
This definitely needs some more investigation.
Cheers
Added: after searching around I found this rule, which when appended solves the slow response:
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
This simulates the correct response from a host which isn't running the auth service (identd). Without this rule the ident response (tcp-reset) from my server never appears, so the connecting server waits for a timeout before continuing with the connection. At least I think that's more or less it ;-)
Anyway, it's lightning quick again!
[edited by: jamie at 8:30 pm (utc) on Mar. 8, 2004]
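An added dry-run check (example code, not from the original post or from the iptables project) for the two points raised in this thread: a DROP policy on INPUT that silently drops ident (tcp/113) probes, which leaves remote mail and IRC servers waiting for a timeout, and the ordering of the ESTABLISHED,RELATED accept relative to the NEW accept. It reads either a script of iptables commands like the one above or iptables-save output from stdin, and never calls iptables itself; the function name and the guard at the bottom are assumptions of this example.

```shell
#!/bin/sh
# check_rules: read an iptables ruleset from stdin (command script or
# iptables-save format), print findings, return 0 when nothing is flagged.
check_rules() {
    rules=$(cat)
    rc=0

    # 1. INPUT policy DROP without an explicit tcp-reset for ident (tcp/113).
    #    Dropping instead of resetting makes the remote side wait for its
    #    ident timeout before it continues with the real connection.
    if printf '%s\n' "$rules" | grep -qE -- '(-P INPUT DROP|^:INPUT DROP)'; then
        if ! printf '%s\n' "$rules" | grep -qE -- '--dport 113 .*-j REJECT .*--reject-with tcp-reset'; then
            echo "WARN: INPUT policy is DROP but tcp/113 (ident) is not rejected with tcp-reset"
            rc=1
        fi
    fi

    # 2. The ESTABLISHED,RELATED accept should come before the NEW accept so
    #    return traffic is matched by the first rule and never re-evaluated.
    est=$(printf '%s\n' "$rules" | grep -n -- '--state ESTABLISHED,RELATED' | head -1 | cut -d: -f1)
    new=$(printf '%s\n' "$rules" | grep -n -- '--state NEW' | head -1 | cut -d: -f1)
    if [ -n "$est" ] && [ -n "$new" ] && [ "$est" -gt "$new" ]; then
        echo "WARN: ESTABLISHED,RELATED accept (line $est) is after the NEW accept (line $new)"
        rc=1
    fi

    return $rc
}

# Usage when saved as check_rules.sh:  sh check_rules.sh < firewall.sh
# (the guard keeps the check from running when this file is sourced)
case "$0" in *check_rules.sh) check_rules ;; esac
```

Feeding it the ruleset from the first post flags the missing ident reset; after appending the port 113 REJECT rule it passes.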
Does the ssh connection time out after 15 minutes of activity or after 15 minutes of inactivity?
HTTP connections rarely live for that long. They are usually opened and closed much faster than that.
René