Block an outbound destination IP to prevent connections from waiting for the timeout duration

GoldenNewby asked:

It seems like with the basic “DROP” iptables rule, an outbound attempt will still wait the duration of its timeout.

For instance, if I block an IP address outbound, then attempt to connect to it via telnet, it will wait until its timeout is hit.

Is it possible to specify that the connection must be immediately rejected and/or closed?

For instance, if I have:

target     prot opt source               destination         
DROP       tcp  --        tcp dpt:443 

And then if I run:

# telnet 443

… it will just hang until it eventually times out the request. Is there any way to get Linux to more abruptly fail outbound connections (in situations where you cannot modify the application)?

Here is a good discussion for those who want to learn more.

My answer:

Yes, just use the REJECT target instead of DROP.

You can also specify a reject reason, though the default is usually fine. The possible reasons are in the iptables-extensions man page.
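The rule the answer recommends, written out as an added example (this is not code from the Server Fault answer). It builds the OUTPUT-chain rule for DROP and for REJECT, checks a `--reject-with` reason against the list in iptables-extensions(8), estimates how long a DROPped connect() hangs from `net.ipv4.tcp_syn_retries`, and times a connect attempt so the two behaviours can be compared on a real host. The destination 203.0.113.10:443, the script name `reject-demo.sh` and the `IPTABLES` dry-run variable are assumptions of this example, not from the original post.

```bash
#!/usr/bin/env bash
# Added example, not code from the Server Fault answer. Assumptions: the
# destination 203.0.113.10:443 is a placeholder; set IPTABLES=echo to dry-run
# without root (the functions read the variable at call time).

IPTABLES="${IPTABLES:-iptables}"

# IPv4 reasons accepted by -j REJECT --reject-with (iptables-extensions(8)).
# icmp-port-unreachable is the default; tcp-reset is only valid with -p tcp.
REJECT_REASONS="icmp-net-unreachable icmp-host-unreachable icmp-port-unreachable
icmp-proto-unreachable icmp-net-prohibited icmp-host-prohibited
icmp-admin-prohibited tcp-reset"

# valid_reason REASON -> 0 if REASON is in REJECT_REASONS, 1 otherwise
valid_reason() {
    local r
    for r in $REJECT_REASONS; do
        [ "$r" = "$1" ] && return 0
    done
    return 1
}

# outbound_rule TARGET DEST_IP DPORT [REASON]
# Prints the iptables command for a rule on the OUTPUT chain. It is inserted at
# position 1 (-I) so it is evaluated before any ACCEPT rule that would let the
# SYN out. REASON is only accepted with TARGET=REJECT.
outbound_rule() {
    local target="$1" dest="$2" port="$3" reason="${4:-}"
    local cmd="$IPTABLES -I OUTPUT 1 -p tcp -d $dest --dport $port -j $target"
    if [ -n "$reason" ]; then
        [ "$target" = "REJECT" ] || { echo "--reject-with needs -j REJECT" >&2; return 1; }
        valid_reason "$reason" || { echo "unknown reject reason: $reason" >&2; return 1; }
        cmd="$cmd --reject-with $reason"
    fi
    printf '%s\n' "$cmd"
}

# syn_timeout_seconds RETRIES
# Idealised time a DROPped connect() hangs: Linux retransmits the SYN with an
# RTO that starts at 1 s and doubles each time, giving up after RETRIES
# retransmissions (net.ipv4.tcp_syn_retries, default 6), i.e. 2^(RETRIES+1)-1 s.
syn_timeout_seconds() {
    local n="$1" total=0 rto=1 i=0
    while [ "$i" -le "$n" ]; do
        total=$((total + rto))
        rto=$((rto * 2))
        i=$((i + 1))
    done
    echo "$total"
}

# probe DEST_IP DPORT
# Times one connect attempt through bash's /dev/tcp, capped at 10 s. With DROP
# in place it runs into the cap; with REJECT it fails immediately ("Connection
# refused" for the default reason or tcp-reset, "No route to host" for
# icmp-host-prohibited).
probe() {
    local start end
    start=$(date +%s)
    if timeout 10 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; then
        echo "connected to $1:$2"
    else
        end=$(date +%s)
        echo "connect to $1:$2 failed after $((end - start)) s"
    fi
}

# Usage:  ./reject-demo.sh --dry-run        (print the rules)
#         sudo ./reject-demo.sh --apply     (insert the REJECT rule, then probe)
case "${1:-}" in
    --dry-run)
        echo "a DROP rule keeps connect() waiting about $(syn_timeout_seconds 6) s:"
        outbound_rule DROP 203.0.113.10 443
        echo "a REJECT rule fails it at once:"
        outbound_rule REJECT 203.0.113.10 443 tcp-reset
        ;;
    --apply)
        eval "$(outbound_rule REJECT 203.0.113.10 443 tcp-reset)"
        probe 203.0.113.10 443
        ;;
esac
```

Two things worth checking on a real host: the rule must sit above any `-m state --state NEW -j ACCEPT` in OUTPUT, which is why the example uses `-I OUTPUT 1` rather than `-A`, and if the application runs as a different user or in a network namespace you have to verify the rule is in the ruleset that user's traffic actually traverses (`iptables -L OUTPUT -n -v` shows the packet counters climbing when it is).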

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.