Re: big table tweaks ?

Thanks for all your interest and replies! :)

Well, I found a solution for my problem this morning. Actually,
my setup was kind of stupid (I was tired):

Chain INPUT (policy DROP)
target     prot opt source               destination
<...> # allow local stuff
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x16/0x02 state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
antip2p    all  --  0.0.0.0/0            0.0.0.0/0
<...> # allow services

NOTE: table "antip2p" drops all those networks i don't like or trust.
      see http://www.bluetack.co.uk/config/antip2p.txt

So almost every new incoming packet had to go through antip2p.

Solution: only send those packets to antip2p that actually hit a
service port:

Chain INPUT (policy DROP)
target     prot opt source               destination
<...> # allow local stuff
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x16/0x02 state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
antip2p    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
antip2p    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
antip2p    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
<...> # allow services but walk through antip2p for each service (like above)

# iptables-show antip2p | tail -n2
87228     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           source IP range 222.158.0.0-222.159.255.255
87229  6194  307K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

This works more smoothly, of course (as there are a lot fewer packets
going through antip2p).
Not a perfect solution for busy hosts, but it works for me.

Cheers,
Jan
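The rule layout Jan describes above, as an added example (not code from the original post or from the bluetack list): a POSIX shell script that writes both INPUT chain variants as an iptables-restore fragment, so the ordering can be inspected or syntax-checked with `iptables-restore --test` without touching a live firewall. Assumed for the example: the service ports 21/22/80 from the post, a constructed two-entry blocklist standing in for antip2p.txt, and a RETURN (rather than ACCEPT) as the last rule of the antip2p chain, so that the INPUT chain decides what is accepted.

```shell
#!/bin/sh
# Added example, not code from the original post. It writes the INPUT chain
# layout discussed above as an iptables-restore fragment, so the rule order
# can be reviewed (or loaded with `iptables-restore --test`) without touching
# a live firewall. Assumptions: service ports 21/22/80 as in the post, and a
# constructed two-entry blocklist standing in for the bluetack antip2p list.

SERVICE_PORTS="21 22 80"   # assumed: the services the post exposes

# Constructed sample blocklist, one "first-last" range per line.
# Placeholder ranges only; the real list is the bluetack antip2p.txt.
sample_blocklist() {
    cat <<'EOF'
10.0.0.0-10.255.255.255
192.0.2.0-192.0.2.255
EOF
}

# gen_ruleset LAYOUT   (blocklist ranges are read from stdin)
#   LAYOUT=any   : every packet that is not RELATED/ESTABLISHED walks antip2p
#                  (the "before" layout in the post)
#   LAYOUT=ports : only new TCP packets to a service port walk antip2p
#                  (the "after" layout in the post)
gen_ruleset() {
    layout=${1:-ports}
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':antip2p - [0:0]'
    # local stuff
    echo '-A INPUT -i lo -j ACCEPT'
    # new TCP connections must start with a bare SYN
    # (the "tcp flags:!0x16/0x02 state NEW" rule in the post's listing)
    echo '-A INPUT -p tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP'
    # the fast path: established flows never reach the blocklist
    echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    if [ "$layout" = any ]; then
        echo '-A INPUT -j antip2p'
    else
        for p in $SERVICE_PORTS; do
            echo "-A INPUT -p tcp --dport $p -j antip2p"
        done
    fi
    # allow services (anything that survived antip2p)
    for p in $SERVICE_PORTS; do
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # the blocklist chain itself: one iprange DROP per range, then RETURN
    # so that INPUT (not antip2p) decides what is accepted
    while IFS= read -r range; do
        [ -n "$range" ] || continue
        echo "-A antip2p -m iprange --src-range $range -j DROP"
    done
    echo '-A antip2p -j RETURN'
    echo 'COMMIT'
}

# count_jumps LAYOUT: how many INPUT rules jump into antip2p
count_jumps() {
    sample_blocklist | gen_ruleset "$1" | grep -c -- '^-A INPUT .*-j antip2p$'
}

sample_blocklist | gen_ruleset ports
```

On a host with iptables installed, `sample_blocklist | gen_ruleset ports | iptables-restore --test` parses the fragment without committing it. Ending antip2p with RETURN instead of the ACCEPT shown in the post's counters keeps the accept decision in one place (the per-service rules in INPUT), which matters once the same chain is reused from several jump points.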
