Block an outbound destination IP to prevent connections waiting timeout duration

Question

It seems like with the basic "DROP" iptables rule, an outbound attempt will still wait the duration of its timeout.

For instance, if I block an IP address outbound, then attempt to connect to it via telnet, it will wait until its timeout is hit.

Is it possible to specify that the connection must be immediately rejected and/or closed?

For instance, if I have:

target     prot opt source               destination         
DROP       tcp  --  0.0.0.0/0            208.79.143.151      tcp dpt:443

And then if I run:

# telnet 208.79.143.151 443
Trying 208.79.143.151...

... it will just hang until it eventually times out the request. Is there any way to get linux to more abruptly fail outbound connections (in situations where you cannot modify the application)?

Here is a good discussion for those who want to learn more.

score 2 · Accepted Answer · answered Jun 11 '14 at 00:29

2

Yes, just use the REJECT target instead of DROP.

You can also specify a reject reason, though the default is usually fine. The possible reasons are in the iptables-extensions man page.

answered Jun 11 '14 at 00:29

Michael Hampton

244,070
43
506
972

Heh... thanks. That works perfectly. I'm sure this is a duplicate question and I just missed it. rtfm ;-/ – GoldenNewby Jun 11 '14 at 00:37

Block an outbound destination IP to prevent connections waiting timeout duration

1 Answers1