Iptables REJECT taking 3 seconds

Anthony Verevkin anthony-P5WJPa9AKEcsA/PxXw9srA at public.gmane.org
Mon Apr 8 17:12:28 UTC 2013


> From: "Tyler Aviss" <tjaviss-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>

> I've noticed that even when a rule exists to REJECT outgoing
> connections, it still takes about 3 seconds to process.
> 
> # iptables -A OUTPUT -m state --state INVALID -j REJECT
> # date; telnet 10.1.1.1 80; date
> Mon Apr 8 09:08:40 PDT 2013
> Trying 10.1.1.1...
> telnet: connect to address 10.1.1.1: Connection refused
> Mon Apr 8 09:08:43 PDT 2013
> 
> It always seems to be a solid 3 seconds. I don't remember this being
> the normal behaviour previously. Perhaps it's something that is
> configured somewhere?

Tyler,

Why do you think this connection has "INVALID" state? INVALID would mean that,
for example, you receive a TCP FIN, or ACK, or anything else before doing the
proper handshake, etc. If, for example, you don't have some routing, that would
not be INVALID.

So I believe you have been DROP'ped by the other rules or by the chain policy.

Regards,
Anthony
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
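One way to check Anthony's suggestion, i.e. find out which OUTPUT rule or the
chain policy actually handled the test connection, is to snapshot the per-rule
packet counters from `iptables -nvL OUTPUT --line-numbers` before and after the
telnet attempt and diff them: whichever rule's counter grows is the one that
matched, and the first SYN of a fresh connection should leave a `state INVALID`
rule untouched. The helper below is an added example, not code from the thread;
the two listings are constructed sample output with a hypothetical rule set and
counts, not captures from the poster's host.

```shell
# Added example (not from the original thread). Diff two constructed
# `iptables -nvL OUTPUT --line-numbers` listings to see which rule (or the
# chain policy) counted the packets of a test connection.

# Constructed sample: counters before the test connection (hypothetical rules).
BEFORE='Chain OUTPUT (policy DROP 12 packets, 720 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       40  2400 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID reject-with icmp-port-unreachable
3        5   300 DROP       tcp  --  *      eth0    0.0.0.0/0            10.1.1.0/24          tcp dpt:80'

# Constructed sample: the same listing after one telnet attempt to 10.1.1.1:80.
# Only rule 3 moved; the INVALID rule saw nothing, as a fresh SYN is NEW.
AFTER='Chain OUTPUT (policy DROP 12 packets, 720 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       40  2400 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID reject-with icmp-port-unreachable
3        8   480 DROP       tcp  --  *      eth0    0.0.0.0/0            10.1.1.0/24          tcp dpt:80'

# changed_rules BEFORE_LISTING AFTER_LISTING
# Prints one line "<rule-number> <target> <packet-delta>" for each rule whose
# pkts counter grew, and "policy <target> <delta>" if the chain policy did.
changed_rules() {
    { printf '%s\n' "$1"; printf '__SPLIT__\n'; printf '%s\n' "$2"; } | awk '
        BEGIN { phase = 1; max = 0 }
        /^__SPLIT__$/ { phase = 2; next }
        /^Chain / {
            # e.g. "Chain OUTPUT (policy DROP 12 packets, 720 bytes)"
            ptarget = $4
            if (phase == 1) pbefore = $5 + 0; else pafter = $5 + 0
            next
        }
        /^[0-9]+ / {
            # Rule lines: num pkts bytes target ...
            if (phase == 1) before[$1] = $2 + 0
            else {
                after[$1] = $2 + 0
                tgt[$1] = $4
                if ($1 + 0 > max) max = $1 + 0
            }
        }
        END {
            for (n = 1; n <= max; n++)
                if ((n in after) && after[n] > before[n] + 0)
                    print n, tgt[n], after[n] - before[n]
            if (pafter > pbefore) print "policy", ptarget, pafter - pbefore
        }'
}

changed_rules "$BEFORE" "$AFTER"
```

On a real host, capture `iptables -nvL OUTPUT --line-numbers` into two
variables around the telnet command and pass them to `changed_rules`; since
SYN retransmits are also counted, a delta larger than one on a DROP rule is
normal. Zeroing the counters first with `iptables -Z OUTPUT` makes the
"before" snapshot all zeros if you prefer that.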