May 6, 2012

IPTables Rules Slow Connections to Bridge Interface


I have a KVM host which bridges its eth0 as br0. I have one guest which uses the bridge adapter (rather than NAT) with its own public IP.

If I set up basic firewall rules on the host, it suddenly begins taking a long time to connect via ssh (or other services, such as http) to the guest on its IP – whether locally (from the host) or from another host entirely. By a long time I mean maybe 20 seconds instead of 1 second. Its outbound connections also take a long time to open (connecting from the guest to another host).

I simply have all forwarding enabled for simplicity; without that statement no traffic is getting to or from the guest. If I flush all these rules, then connectivity returns to normal.

1. What gives?
2. How to troubleshoot further – is there a way to log all rejections?

These are my rule statements:

*filter
# Allow all loopback (lo0) traffic and reject all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
# The destination address was missing from the posted rule; 127.0.0.0/8 is the range the comment above names
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Forward all traffic through the bridge interface
-A FORWARD -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow check_nrpe & check_mk
-A INPUT -p tcp --dport 5666 -j ACCEPT
-A INPUT -p tcp --dport 6556 -j ACCEPT
-A INPUT -p tcp --dport 2220 -j ACCEPT
# Allow SSH connections
# The --dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
# iptables-restore requires the table to be closed with COMMIT
COMMIT
Asked by Jeremy


Did you setup the services to try to reverse DNS incoming connections (as is the default often with ssh), then proceed to block DNS queries via your firewall rules?

Answered by rackandboneman
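As an added example (not part of the question or the answer), a small Python parser for the kernel log lines that the asker's LOG rule emits with `--log-prefix "iptables denied: "`. It addresses the asker's second question (seeing what the firewall refuses) and separately counts port-53 drops, which is the first thing to check against the reverse-DNS hypothesis in the answer. The log lines are constructed samples using documentation addresses, and the field layout follows the kernel's standard LOG-target output.

```python
import re
from collections import Counter

# Constructed sample kern.log lines (RFC 5737 documentation addresses). The last
# line is an unrelated kernel message that the parser must ignore.
SAMPLE_LOG = """\
May  6 10:01:02 kvmhost kernel: [1234.5] iptables denied: IN=br0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40001 DPT=53 LEN=40
May  6 10:01:02 kvmhost kernel: [1234.6] iptables denied: IN=br0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=40002 DPT=53 LEN=40
May  6 10:01:07 kvmhost kernel: [1239.1] iptables denied: IN=br0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.77 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=51515 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
May  6 10:01:09 kvmhost kernel: audit: type=1400 unrelated line
"""

# The LOG target writes KEY=VALUE pairs separated by spaces; OUT= may be empty.
FIELD_RE = re.compile(r"(\w+)=(\S*)")
PREFIX = "iptables denied: "  # the prefix used in the asker's LOG rule


def parse_denied(text):
    """Return one dict of KEY=VALUE fields per line carrying the LOG prefix.

    Everything before the prefix (timestamp, host, uptime stamp) is dropped.
    Note that LEN appears twice (IP header and payload); the last one wins.
    """
    events = []
    for line in text.splitlines():
        if PREFIX not in line:
            continue
        payload = line.split(PREFIX, 1)[1]
        events.append(dict(FIELD_RE.findall(payload)))
    return events


def summarize(events):
    """Count refused packets per (PROTO, DPT) so blocked services stand out."""
    return Counter((e.get("PROTO"), e.get("DPT")) for e in events)


def dns_drops(events):
    """Refused packets aimed at port 53: evidence for the reverse-DNS hypothesis."""
    return [e for e in events if e.get("DPT") == "53"]


if __name__ == "__main__":
    evts = parse_denied(SAMPLE_LOG)
    for (proto, dport), n in summarize(evts).most_common():
        print(f"{proto:>4} dport {dport:>5}: {n} refused")
    print(f"{len(dns_drops(evts))} refused packets to port 53")
```

Raise the LOG rule's `--limit` while troubleshooting, or the 5/min cap will hide most of the refused packets this script is meant to count.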
