From: Sven-Haegar Koch
Subject: Re: extreme rDNS lag with iptables
Date: Wed, 5 Nov 2003 01:41:15 +0100 (CET)
To: Ben
Cc: netfilter@lists.netfilter.org

On Tue, 4 Nov 2003, Ben wrote:

> The problem I am having is that when I turn on iptables, I see rDNS lag to
> about 30 seconds. I see this happen with two programs I am using, proftpd
> and uwimap. Both work fine with flushed tables, but when I run the following

[rules removed]

> I see login requests spike from almost instant to upwards of 30 seconds.
> This of course causes timeouts with most client software.
>
> Has anyone run into this before? Does anyone know how I might go about
> fixing it?

How about allowing answers for outgoing connections from your box back in?
As your rules are now, everything connecting FROM your box is dropped by
your default policy. Your box does at least outbound DNS queries from a
random source port, and most likely ident too (your ftp daemon or more).

A simple

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

should help a lot.

And adding a

    iptables -A INPUT -j LOG

as the very last rule helps while debugging; this way you can see what your
default policy drops.

c'ya
sven

--
The Internet treats censorship as a routing problem, and routes around it.
(John Gilmore on http://www.cygnus.com/~gnu/)
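An added example, not from the thread: a small lint run over iptables-save output that flags the misconfiguration described above (INPUT policy DROP with no rule accepting ESTABLISHED,RELATED, so replies to the box's own outbound DNS and ident queries are dropped). The two rulesets are constructed here as an assumption about the shape of the removed rules; the LOG rule is given a limit match so a debugging rule cannot flood the kernel log.

```shell
#!/bin/sh
# Constructed iptables-save dump resembling the broken setup: default DROP on
# INPUT, only the service ports opened, nothing lets reply packets back in.
BROKEN_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 143 -j ACCEPT
COMMIT'

# The same dump with the two rules from the reply: the state match first, and a
# rate-limited LOG as the very last rule so the default policy's drops are visible.
FIXED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-drop: "
COMMIT'

# check_input_state RULESET: prints "ok: ..." and returns 0 when the INPUT chain
# either does not drop by default or accepts ESTABLISHED,RELATED traffic
# (via -m state --state or the newer -m conntrack --ctstate); otherwise prints
# "problem: ..." and returns 1.
check_input_state() {
    ruleset=$1
    policy=$(printf '%s\n' "$ruleset" | sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p')
    if [ "$policy" != "DROP" ]; then
        echo "ok: INPUT policy is $policy"
        return 0
    fi
    if printf '%s\n' "$ruleset" | grep -Eq '^-A INPUT .*(--state|--ctstate) [A-Z,]*(ESTABLISHED|RELATED).* -j ACCEPT'; then
        echo "ok: INPUT drops by default but accepts ESTABLISHED,RELATED"
        return 0
    fi
    echo "problem: INPUT policy DROP without an ESTABLISHED,RELATED accept; replies to outbound DNS/ident are dropped"
    return 1
}

# Demo: the broken dump is flagged (non-zero status), the fixed one passes.
check_input_state "$BROKEN_RULES" || true
check_input_state "$FIXED_RULES"
```

On a live host, feed it the real dump with `check_input_state "$(iptables-save)"`.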