IPTABLES is slow after adding '-A INPUT -j DROP' to rule list

With

iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -j DROP

your machine will drop each incoming packet unless it comes from the SSH port. It's a good idea if you want that machine to communicate only via SSH. Otherwise you need to add

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

which will make sure you can connect to some web server rather than getting connected to by somebody.


It's performing a DNS lookup and since the response is blocked, it takes a while to time out.

Try doing iptables -n ... to prevent DNS lookup.

The conntrack rule allows connections to be received on the ephemeral port that was created for responses to requests that were initiated by your machine (in this case the DNS request). Without allowing ESTABLISHED or RELATED connections, even responses to your requests are blocked.

E.g.: if you attempt to go to a website, even though you would be able to send the request for the website, the website's response would be blocked.
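As an added example (not code from any of the answers above), the following script ties the two points together: the ESTABLISHED,RELATED rule must sit before the final DROP, otherwise the DROP shadows it and replies to your own DNS, HTTP and SSH traffic are silently discarded, and listing with -n avoids the name lookups that make iptables -L hang. The function names (ruleset, check_order, apply_ruleset, list_rules) are my own; the script assumes the conntrack match and iptables-restore are available, and uses port 22 instead of the service name ssh so the listing matches what -n prints. Loopback is accepted explicitly, since a bare DROP would otherwise also break local resolvers and services.

```shell
#!/bin/sh
# Added example: a minimal stateful INPUT policy in iptables-restore format.
# Rule order matters: iptables stops at the first matching rule, so every
# ACCEPT has to appear before the catch-all DROP.

ruleset() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Sanity check before applying: the conntrack ACCEPT must come before the
# final DROP. Returns 0 when the order is correct, 1 otherwise.
check_order() {
  drop_line=$(ruleset | grep -n -- '-A INPUT -j DROP$' | cut -d: -f1)
  conntrack_line=$(ruleset | grep -n -- 'ESTABLISHED,RELATED' | cut -d: -f1)
  [ -n "$drop_line" ] && [ -n "$conntrack_line" ] && [ "$conntrack_line" -lt "$drop_line" ]
}

# Apply the policy (needs root). iptables-restore replaces the filter table
# atomically instead of appending rule by rule.
apply_ruleset() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: run as root" >&2; return 1; }
  check_order || { echo "apply_ruleset: bad rule order" >&2; return 1; }
  ruleset | iptables-restore
}

# List the chain without reverse-DNS or service-name lookups (-n), which is
# what makes a plain 'iptables -L' crawl once replies are being dropped.
list_rules() {
  iptables -nvL INPUT --line-numbers
}
```

Run `check_order` on any edited copy of the ruleset before handing it to iptables-restore; if you add further ACCEPT rules, keep them above the DROP line. Note that with the DROP rule in place, new connections are accepted only for SSH, so a local web or DNS server needs its own ACCEPT rule above the DROP as well.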

Tags:

Iptables