It seems like with the basic “DROP” iptables rule, an outbound attempt will still wait the duration of its timeout.
For instance, if I block an IP address outbound, then attempt to connect to it via telnet, it will wait until its timeout is hit.
Is it possible to specify that the connection must be immediately rejected and/or closed?
For instance, if I have:
target prot opt source destination DROP tcp -- 0.0.0.0/0 188.8.131.52 tcp dpt:443
And then if I run:
# telnet 184.108.40.206 443 Trying 220.127.116.11...
… it will just hang until it eventually times out the request. Is there any way to get linux to more abruptly fail outbound connections (in situations where you cannot modify the application)?
Yes, just use the
REJECT target instead of
You can also specify a reject reason, though the default is usually fine. The possible reasons are in the
iptables-extensions man page.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.