Iptables REJECT taking 3 seconds

Tyler Aviss tjaviss-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Tue Apr 9 17:45:28 UTC 2013


Same behavior occurs with "netcat" as well. Just seemed odd to me.
On Apr 9, 2013 7:17 AM, "Anthony Verevkin" <anthony-P5WJPa9AKEcsA/PxXw9srA at public.gmane.org> wrote:

> > From: "Tyler Aviss" <tjaviss-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
>
> > /sbin/iptables -A OUTPUT -p tcp --dport 80 -j REJECT
>
> > # date; telnet 10.1.1.1 80; date
> > Mon Apr 8 09:08:40 PDT 2013
> > Trying 10.1.1.1...
> > telnet: connect to address 10.1.1.1 : Connection refused
> > Mon Apr 8 09:08:43 PDT 2013
> >
> >
> > It always seems to be a solid 3 seconds. I don't remember this being
> > the normal behaviour previously. Perhaps it's something that is
> > configured somewhere?
>
> I've done a little bit of testing here and this seems to be true. However,
> don't blame iptables. If you telnet to some host that does not exist, without
> an iptables rule, telnet will wait even longer and end up with a "Connection
> timed out" message.
> So your "Connection refused" proves that the iptables rule is working.
>
> Perhaps the delay is caused by some changes in the telnet implementation. It
> would help if you use two hosts for troubleshooting - a host and a
> router/firewall. This way you would be able to tcpdump the traffic between
> them and see what actually happens.
>
> BTW, do you know that if the hostname has several different A and AAAA
> records associated to it, telnet would actually try all of them in the
> proper sequence and show you all the attempts? This makes telnet a very
> useful tool for troubleshooting ipv6. But name resolution issues are not your
> case here.
>
> Regards,
> Anthony
> --
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>
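A small probe that separates the cases Anthony describes (a REJECT answered with RST/ICMP shows up as an immediate "refused", a DROP or a non-existent host as a "timeout") and, like telnet, tries every address a name resolves to in order, reporting the elapsed time per attempt. This is an added example, not code from the thread; the helper `closed_local_port()` is an assumption used only to produce a closed loopback port for a self-contained run.

```python
import socket
import time


def probe_tcp(addr, port, family=socket.AF_INET, timeout=5.0):
    """Single TCP connect attempt; returns (outcome, elapsed_seconds).

    outcome is 'open', 'refused' (RST or ICMP port-unreachable, which the
    Linux kernel maps to ECONNREFUSED), 'timeout' (no answer at all, as with
    DROP or a missing host) or 'unreachable' (ICMP host/net unreachable).
    """
    start = time.monotonic()
    s = socket.socket(family, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((addr, port))
        outcome = "open"
    except ConnectionRefusedError:
        outcome = "refused"
    except socket.timeout:        # checked before OSError: it is a subclass
        outcome = "timeout"
    except OSError:
        outcome = "unreachable"
    finally:
        s.close()
    return outcome, time.monotonic() - start


def probe_host(hostname, port, timeout=5.0):
    """Resolve hostname and probe each A/AAAA address in order, as telnet does.

    Returns a list of (address, outcome, elapsed_seconds), one per attempt.
    """
    results = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(
            hostname, port, type=socket.SOCK_STREAM):
        outcome, elapsed = probe_tcp(sockaddr[0], port, family, timeout)
        results.append((sockaddr[0], outcome, elapsed))
    return results


def closed_local_port():
    """Constructed helper: bind an ephemeral loopback port, then release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port = closed_local_port()
    for addr, outcome, elapsed in probe_host("127.0.0.1", port):
        print(f"{addr}:{port} -> {outcome} after {elapsed:.3f}s")
```

A REJECT on a remote firewall should behave like the closed loopback port above (refused in milliseconds); a "refused" that only arrives after a fixed delay points at something in the client path, which a tcpdump on both sides of the firewall will show.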