iptables firewall making smtp/pop3 slow in response

Hi all,

I am having a little troubble with my firewall.
I have a masq'd lan behind the server and the server has iptables
setup to drop everything on input and output tables as a policy and
then specifically opens up for ports 25, 110 and so on.
The problem is that now it takes the server 10 - 30 seconds to respond
on the smtp and pop3 ports.
If I telnet to the server on port 23 there is no problem, but 25 and
110 are very slow to respond. Once the connection is established the
speed is normal though.
What gives? any clues would be helpful.
Btw, the server is running rh 7.1.
Thanks in advance.

Tobias Skytte

Tobias Skytte <(E-Mail Removed)> wrote:
> I have a masq'd lan behind the server and the server has iptables
> setup to drop everything on input and output tables as a policy and
> then specifically opens up for ports 25, 110 and so on.
> The problem is that now it takes the server 10 - 30 seconds to respond
> on the smtp and pop3 ports.

It could be that the server queries something like
the ident service on the client machine, but with
dropped packets has to wait for a timeout. Perhaps
you could change the default to REJECT (this
requires a rule and can't be done as a policy, I
think), rather than DROP.

--
Michael

Michael Fyles wrote:
> Tobias Skytte <(E-Mail Removed)> wrote:
>
>>I have a masq'd lan behind the server and the server has iptables
>>setup to drop everything on input and output tables as a policy and
>>then specifically opens up for ports 25, 110 and so on.
>>The problem is that now it takes the server 10 - 30 seconds to respond
>>on the smtp and pop3 ports.
>
>
> It could be that the server queries something like
> the ident service on the client machine, but with
> dropped packets has to wait for a timeout. Perhaps
> you could change the default to REJECT (this
> requires a rule and can't be done as a policy, I
> think), rather than DROP.
>

Or add a rule to specifically reject the requests to ident if you don't
want to change your default rule.

Most likely the delay is due to packets being sent to port 113 (ident)
being dropped silently as mentioned below. If the server is your mail
server, you may consider disabling ident lookups as they aren't
particularly useful anyway.. You could also open up the port and run an
identd daemon as well... but it really depends on what your using the
machine for, how concerned you are about security, etc.

Nathan


KH wrote:
> Michael Fyles wrote:
>
>> Tobias Skytte <(E-Mail Removed)> wrote:
>>
>>> I have a masq'd lan behind the server and the server has iptables
>>> setup to drop everything on input and output tables as a policy and
>>> then specifically opens up for ports 25, 110 and so on.
>>> The problem is that now it takes the server 10 - 30 seconds to respond
>>> on the smtp and pop3 ports.
>>
>>
>>
>> It could be that the server queries something like
>> the ident service on the client machine, but with
>> dropped packets has to wait for a timeout. Perhaps
>> you could change the default to REJECT (this
>> requires a rule and can't be done as a policy, I
>> think), rather than DROP.
>>
>
> Or add a rule to specifically reject the requests to ident if you don't
> want to change your default rule.
>

Hey thanks guys.
I added the REJECT for ident and now it works great.

Best regards,
Tobias Skytte