Iptables REJECT taking 3 seconds

Anthony Verevkin anthony-P5WJPa9AKEcsA/PxXw9srA at public.gmane.org
Tue Apr 9 14:16:06 UTC 2013


> From: "Tyler Aviss" <tjaviss-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>

> /sbin/iptables -A OUTPUT -p tcp --dport 80 -j REJECT

> # date; telnet 10.1.1.1 80; date
> Mon Apr 8 09:08:40 PDT 2013
> Trying 10.1.1.1...
> telnet: connect to address 10.1.1.1 : Connection refused
> Mon Apr 8 09:08:43 PDT 2013
> 
> 
> It always seems to be a solid 3 seconds. I don't remember this being
> the normal behaviour previously. Perhaps it's something that is
> configured somewhere?

I've done a little bit of testing here and this seems to be true. However, don't
blame iptables. If you telnet to some host that does not exist, without an iptables
rule, telnet will wait even longer and end up with a "Connection timed out" message.
So your "Connection refused" proves that the iptables rule is working.

Perhaps the delay is caused by some changes in the telnet implementation. It would help
if you used two hosts for troubleshooting - a host and a router/firewall. This way
you would be able to tcpdump the traffic between them and see what actually happens.

BTW, do you know that if the hostname has several different A and AAAA records
associated with it, telnet will actually try all of them in the proper sequence and
show you all the attempts? This makes telnet a very useful tool for troubleshooting
IPv6. But name resolution issues are not your case here.

Regards,
Anthony
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
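The distinction the reply draws (a quick "Connection refused" from a REJECT rule versus a long wait ending in "Connection timed out" when nothing answers) can be checked without telnet. The following is an added example, not code from the thread or its participants: a small Python probe that resolves a host, tries every A/AAAA record getaddrinfo returns in order (as the reply says telnet does), times each attempt like the `date; telnet; date` wrapper above, and classifies the outcome by errno. The `probe` and `free_closed_port` helpers are hypothetical names; the second one only exists so the example can be run offline against a port on localhost that nothing listens on.

```python
import errno
import socket
import time


def probe(host, port, timeout=5.0):
    """Try a TCP connect to every address 'host' resolves to, in order.

    Returns a list of (address, outcome, seconds) tuples. 'refused' means
    something actively answered (the peer, or a firewall rejecting on its
    behalf); 'timed out' means nothing answered before 'timeout' elapsed.
    Hypothetical helper written for this example.
    """
    results = []
    for family, socktype, proto, _canon, sockaddr in socket.getaddrinfo(
        host, port, type=socket.SOCK_STREAM
    ):
        s = socket.socket(family, socktype, proto)
        s.settimeout(timeout)
        start = time.monotonic()
        try:
            s.connect(sockaddr)
            outcome = "connected"
        except socket.timeout:
            outcome = "timed out"
        except OSError as e:
            if e.errno == errno.ECONNREFUSED:
                outcome = "refused"
            elif e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                outcome = "unreachable"
            else:
                outcome = "error: %s" % e.strerror
        finally:
            elapsed = time.monotonic() - start
            s.close()
        # sockaddr[0] is the textual IPv4 or IPv6 address that was tried.
        results.append((sockaddr[0], outcome, round(elapsed, 3)))
    return results


def free_closed_port():
    """Bind an ephemeral port on loopback and release it, so a connect to it
    is refused by the local stack. Constructed test target, not from the thread."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Constructed run against a closed local port; swap in the real host and
    # port (e.g. 10.1.1.1 80 from the report) to reproduce the measurement.
    for addr, outcome, secs in probe("127.0.0.1", free_closed_port(), timeout=2.0):
        print("%s: %s after %.3fs" % (addr, outcome, secs))
```

Run with the refused target and the elapsed time should be well under a second; a host that does not exist should instead report "timed out" after the full timeout, which is the contrast the reply uses to show the rule is doing its job. Because each resolved address is timed separately, a multi-record hostname also shows which address family took the wait.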