Hi,

For TCP connections, try to do it with "-j REJECT --reject-with tcp-reset". It's faster than port unreachable!

2012/3/27 Nils Rennebarth <nils.rennebarth@xxxxxxxxxxxxxxx>:
> Hi,
>
> A simple firewall rule
> iptables -I OUTPUT --protocol tcp --dport 80 -j REJECT
> prevents local processes from making TCP connections to port 80,
> and those who try will get a -ECONNREFUSED. Good.
>
> But why do they get the error only after a few seconds? A tcpdump
> shows that ICMP packets are generated on the loopback interface:
>
> When doing
> wget http://host:80/
> exactly two ICMP packets show up on lo:
> 15:45:11.850785 IP 10.10.10.144 > 10.10.10.144: ICMP 10.10.10.31 tcp port 80 unreachable, length 68
> 15:45:14.849298 IP 10.10.10.144 > 10.10.10.144: ICMP 10.10.10.31 tcp port 80 unreachable, length 68
> But only the second one has an effect:
>
> Connecting to host|10.10.10.31|:80... failed: Connection refused
>
> My question is:
> 1) why?
> 2) is there another way to make connections to a certain set of hosts fail fast
> and without delay, without changing the applications themselves?
>
> --
>
> Mit freundlichen Grüßen / with kind regards
>
> Nils Rennebarth, Software Developer
>
> --
> Funkwerk IP-Appliances GmbH
> Mönchhaldenstraße 28
> D-70191 Stuttgart
>
> Tel: +49 711 900300 - 0
> Fax: +49 711 900300 - 90
>
> E-Mail: Nils.Rennebarth@xxxxxxxxxxxxxxx
>
> Location: GmbH Nuernberg, Local Court Nuernberg, HRB 25481
> Managing Directors: Torsten Urban
> --------------------------------
> The information contained in this e-mail has been carefully researched,
> but the possibility of it being inapplicable in individual cases cannot
> be ruled out. We therefore regret that we cannot accept responsibility
> or liability of any kind whatsoever for the correctness of the
> information given. Please notify us if you discover that information is
> inapplicable.
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
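As an added example (not code from the thread), a small Python probe that times how long connect() takes to fail and reports the errno, so the plain `-j REJECT` rule and the `--reject-with tcp-reset` variant can be compared from the client side. The host and port are supplied by you, and the 1 s SYN retransmission interval is an assumption about the kernel.

```python
"""Time how long a TCP connect() takes to fail against a REJECT rule.

Added example, not code from the thread. Run it against a destination
covered by `-j REJECT` (ICMP port unreachable) and again with
`--reject-with tcp-reset`; a failure that only arrives after a SYN
retransmission interval means the first rejection was not acted on.
"""
import errno
import socket
import sys
import time

# Assumption: the SYN retransmission timer. The 2012 kernel in the thread
# resent the SYN after 3 s (see the tcpdump timestamps); current kernels use 1 s.
SYN_RTO_SECONDS = 1.0

def time_connect_failure(host, port, timeout=10.0):
    """Return (elapsed_seconds, errno_name); errno_name is None on success."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.connect((host, port))
        return time.monotonic() - start, None
    except socket.timeout:                      # nothing came back at all
        return time.monotonic() - start, "ETIMEDOUT"
    except OSError as exc:                      # ECONNREFUSED, EHOSTUNREACH, ...
        return time.monotonic() - start, errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()

def classify(elapsed, err):
    """Describe whether the failure came on the first SYN or on a retransmission."""
    if err is None:
        return "connected: no REJECT rule in effect for this destination"
    if err == "ETIMEDOUT":
        return "timed out: packets were dropped, not rejected"
    if elapsed < SYN_RTO_SECONDS / 2:
        return "%s on the first SYN (RST or ICMP acted on immediately)" % err
    return "%s only after %.1f s: the first rejection was ignored" % (err, elapsed)

def closed_loopback_port():
    """Pick a loopback port nothing listens on (constructed test input)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]   # closed again once the probe socket is gone

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])   # e.g. host 80, as in the wget above
    print(classify(*time_connect_failure(host, port)))
```

Without any rule, a closed loopback port answers with a RST and the probe reports ECONNREFUSED on the first SYN; the same fast result is what the tcp-reset variant gives for a rejected destination.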