iptables -P FORWARD DROP makes port forwarding slow

Posted by Isaac on Server Fault See other posts from Server Fault or by Isaac
Published on 2012-09-13T09:31:14Z Indexed on 2012/09/13 9:39 UTC
Read the original article Hit count: 551

Filed under:

I have three computers, linked like this:

box1 (ubuntu)   box2 router & gateway (debian)       box3 (opensuse)
[] ---- [,,] ---- []
                           box4, www

Among other things I want box2 to do nat and port forwarding, so that I can do

ssh -p 2223 box2

to reach box3. For this I have the following iptables script:


    # flush
    iptables -F INPUT
    iptables -F FORWARD
    iptables -F OUTPUT

    iptables -t nat  -F PREROUTING
    iptables -t nat  -F POSTROUTING
    iptables -t nat  -F OUTPUT

    # default
    for chain in INPUT OUTPUT;do
    iptables -P $chain $default_action
    iptables -P FORWARD DROP

    # allow ssh to local computer
    for ip in $allowed_ssh_clients;do
    iptables -A OUTPUT -p tcp --sport 22 -d $ip -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -s $ip -j ACCEPT

    # allow DNS
    iptables -A OUTPUT -p udp --dport 53 -m state \
    iptables -A INPUT -p udp --sport 53 -m state \

    # allow HTTP & HTTPS
    iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    iptables -A INPUT -p tcp  -m multiport --sports 80,443 -j ACCEPT


    # allow routing
    echo 1 >/proc/sys/net/ipv4/ip_forward
    # nat
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    # http
    iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
    iptables -A FORWARD -p tcp --sport 80 -j ACCEPT

    # ssh redirect
    iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2223 -j DNAT \
    iptables -A FORWARD -p tcp --sport 22 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 22 -j ACCEPT

    iptables -A FORWARD -p tcp --sport 1024:65535 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 1024:65535  -j ACCEPT

    iptables -I FORWARD -j LOG --log-prefix "iptables denied: "

While this works, it takes about 10 seconds to get a password promt from my ssh command. Afterwards, the connection is as responsive as could be. If I change the default policy for my FORWARD chain to "ACCEPT", then the password promt is there imediatly.

I have tried analysing the logs, but I can not spot a difference in the logs for ACCEPT/DROP in my FORWARD chain. Also I have tried allowing all the unprivileged ports, as box1 uses thoses for doing ssh to box2.

Any hints?

(If the whole setup seems strange to you - the point of the exercise is to understand iptables ;))

© Server Fault or respective owner

Related posts about iptables