iptables freezes for 2s when hitting a numeric IP

coontie · 06-17-2008, 01:09 PM

Hi.

Have me a little problem.

Code:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED /* allow inbound established only */
ACCEPT     all  --  anywhere             localhost           /* loopback */
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:54321:54400 state NEW /* BT */
ACCEPT     udp  --  anywhere             anywhere            udp dpts:54321:54400 state NEW /* BT */
ACCEPT     tcp  --  172.16.1.0/24        anywhere            state NEW tcp dpt:www /* WWW */
LOG        tcp  --  anywhere             anywhere            tcp dpt:2222 state NEW LOG level warning prefix `SSH accepted: '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:2222 state NEW /* SSH */
ACCEPT     udp  --  172.16.1.0/24        anywhere            udp dpt:netbios-ns /* samba */
ACCEPT     udp  --  172.16.1.0/24        anywhere            udp dpt:netbios-dgm /* samba */
ACCEPT     tcp  --  172.16.1.0/24        anywhere            state NEW tcp dpt:netbios-ssn /* samba */
ACCEPT     tcp  --  172.16.1.0/24        anywhere            state NEW tcp dpt:microsoft-ds /* samba */

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED /* allow all outgoing connections */

when you do iptables -L, it starts listing the rules. Every time it hits a rule in bold, it pauses for 2-3s and then continues. Very annoying.

Any idea why that's happening or how to troubleshoot this?

acid_kewpie · 06-17-2008, 01:10 PM

reverse DNS lookups. add the -n option to stop this.

coontie · 06-17-2008, 01:17 PM

Quote:

Originally Posted by acid_kewpie

reverse DNS lookups. add the -n option to stop this.

You da man!

Thank you.

In fact, I thought that initially and went and added aliases in /etc/networks to 172.16.1.0/24. It resolved that subnet to "localnet" but still was slow.

nsswitch only shows

networks files

...? Weird.

Like, it'll show this:

Code:

ACCEPT     udp  --  anywhere             anywhere            udp dpts:54321:54400 state NEW /* BT */
ACCEPT     tcp  --  localnet/24          anywhere            state NEW tcp dpt:www /* WWW */

but still freeze on "localnet."