Iptables REJECT taking 3 seconds

Tyler Aviss tjaviss-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Mon Apr 8 18:05:15 UTC 2013


Gah, pasted the wrong rule line.
The iptables rule was actually

/sbin/iptables -A OUTPUT -p tcp --dport 80 -j REJECT
On Apr 8, 2013 9:19 AM, "Tyler Aviss" <tjaviss-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:

> I've noticed that even when a rule exists to REJECT outgoing connections,
> it still takes about 3 seconds to process.
> While DROP rules should depend on the timeout of the connecting app,
> shouldn't anything that is REJECT'ed be immediately blocked and end the
> connection attempt?
>
> # iptables -A OUTPUT  -m state --state INVALID -j REJECT
> # date; telnet 10.1.1.1 80; date
> Mon Apr  8 09:08:40 PDT 2013
> Trying 10.1.1.1...
> telnet: connect to address 10.1.1.1: Connection refused
> Mon Apr  8 09:08:43 PDT 2013
>
> It always seems to be a solid 3 seconds. I don't remember this being the
> normal behaviour previously. Perhaps it's something that is configured
> somewhere?
>
>
> RHEL-5.9
>
>
>
>
>
> --
> Tyler Aviss
> Systems Support
> LPIC/LPIC-2/DCTS/CLA
>
> "Computers don't make mistakes. They can, however, execute those provided
> to them very quickly"
>
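An added diagnostic, not code from the thread above: the `date; telnet 10.1.1.1 80; date` measurement in the original post reduced to a small Python probe that times one TCP connect attempt and reports how it failed. The distinction it draws is the one the question turns on: a REJECT rule (default `icmp-port-unreachable`, or `--reject-with tcp-reset`) should surface at the socket as ECONNREFUSED, whereas a DROP rule leaves the client waiting until its own timeout expires. The host 10.1.1.1 is taken from the post; the closed loopback port is chosen at run time so the refused case can be shown offline with no iptables rule in place.

```python
"""Time a TCP connect attempt and classify how it failed.

Added example (not from the original post). Outcomes:
  refused    an RST or ICMP port-unreachable reached the socket, which is
             what a REJECT rule is supposed to produce
  timeout    nothing came back before the deadline, which is what a DROP
             rule looks like from the client side
  unreach    the kernel reported no route or host unreachable
  connected  the connect succeeded (no rule matched)
"""
import errno
import socket
import time


def closed_local_port() -> int:
    """Pick a TCP port on 127.0.0.1 that is closed right now.

    Assumption: nothing else binds it between this bind/close and the
    probe; good enough for a diagnostic."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def classify(exc: OSError) -> str:
    """Map the connect() error to one of the outcome labels above."""
    if isinstance(exc, socket.timeout):          # TimeoutError on 3.10+
        return "timeout"
    if exc.errno == errno.ECONNREFUSED:          # RST or ICMP port-unreachable
        return "refused"
    if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreach"
    return "other"


def probe(host: str, port: int, timeout: float = 5.0) -> tuple:
    """Attempt one TCP connect; return (outcome, seconds elapsed).

    The timeout bounds how long a DROP'ed attempt is allowed to hang."""
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "connected", time.monotonic() - start
        except OSError as e:
            return classify(e), time.monotonic() - start


if __name__ == "__main__":
    # Closed loopback port: the kernel answers with RST, so this is the
    # "refused" shape a working REJECT rule should match, in well under a second.
    port = closed_local_port()
    outcome, secs = probe("127.0.0.1", port)
    print(f"127.0.0.1:{port} -> {outcome} after {secs:.3f}s")

    # The address from the thread, with the 3 s budget the post mentions;
    # outcome depends on the local ruleset and routing.
    outcome, secs = probe("10.1.1.1", 80, timeout=3.0)
    print(f"10.1.1.1:80 -> {outcome} after {secs:.3f}s")
```

Run it once with the REJECT rule loaded and once without; if the rejected attempt reports `refused` but the elapsed time stays near 3 seconds, the delay is not the client timing out, since a timeout would report `timeout` instead. Comparing the default `icmp-port-unreachable` against `--reject-with tcp-reset` on the same rule is the usual next step, and this probe times both the same way.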