Trouble with last DROP rule in iptables

1

Let's say I want four ports to be open to any incoming packets, so I made this ruleset:

#> iptables -L -v
Chain INPUT (policy ACCEPT 20 packets, 1190 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1041  103K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:111
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:222
  208 12056 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:333
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:443

(forward and output chains are empty)

Let's now say that there is an SSH server running on port 111, and to connect to this machine I run

 ssh username@hostna.me -p 111

then I login and everything works.

But other ports are also left open because the default policy is ACCEPT and I haven't added a DROP rule. Now I want to add it and type

#> iptables -A INPUT -j DROP

It's the 5th rule.

Now I want to connect again to my open SSH port. I get the username's password: prompt, but it comes about 20 seconds later instead of almost instantly as it did without that 5th rule.

So I remove this rule like this

#> iptables -D INPUT 5

and again I can connect to my SSH server without any delay.

Why is this?

What have I blocked that I shouldn't have blocked?

P.S.: There is a web server running on port 443; when I try to connect from a browser, the page loads indefinitely, but the server is live.

amdc

Posted 2014-11-07T20:23:47.600

Reputation: 11

Answers

0

You might want to open port 53 to whatever your DNS server is. SSH does a reverse lookup on the incoming IP address -- it will connect if it doesn't have reverse resolution, but it will introduce a delay.

unkilbeeg

Posted 2014-11-07T20:23:47.600

Reputation: 436
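A complete INPUT ruleset of the shape the answer suggests, written as an added example that is not code from either poster. It assumes a resolver at the documentation address 192.0.2.53 (a placeholder you would replace) and emits iptables-restore input; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post). build_rules prints a full
# filter table in iptables-restore format. Compared with the ruleset in
# the question it adds, before anything is dropped, a stateful rule for
# replies to connections this host started (which is what lets the sshd
# reverse-lookup answer come back in) and an explicit rule for UDP
# replies from the DNS server, mirroring the answer's "open port 53 to
# your DNS server" advice. 192.0.2.53 below is a placeholder address.

build_rules() {
    dns_server="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic is used by many local services
-A INPUT -i lo -j ACCEPT
# replies to connections this host initiated (DNS lookups, updates, ...)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# explicit resolver replies: UDP from the DNS server's port 53
-A INPUT -p udp -s ${dns_server} --sport 53 -j ACCEPT
# the four services from the question
-A INPUT -p tcp --dport 111 -j ACCEPT
-A INPUT -p tcp --dport 222 -j ACCEPT
-A INPUT -p tcp --dport 333 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# everything else is dropped by the chain policy above, so no trailing
# "-A INPUT -j DROP" rule is needed
COMMIT
EOF
}

# Sanity check: how many INPUT rules come before the first service rule.
# Expect 3 (loopback, conntrack, DNS replies) so replies are never dropped.
rules_before_services() {
    build_rules "$1" | awk '/^-A INPUT/ {n++} /--dport 111/ {print n-1; exit}'
}

# Usage as root:  build_rules 192.0.2.53 | iptables-restore
```

Review the generated text with `build_rules 192.0.2.53` before loading it; iptables-restore replaces the whole filter table in one step, so a mistake locks you out just as the question's rule 5 did.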