Odi's astoundingly incomplete notes
Slow to connect to Samba? Check your packet filter!
I am currently setting up a simple new Samba server on Gentoo. However, a Windows XP box took forever to connect to the share. The reason for this is interesting. Apparently the Windows SMB client first tries to access the remote server via WebDAV (HTTP). But on the Samba box there is no HTTP server. Instead an iptables rule is in place to reject connections for non-open ports:
    -A INPUT -p tcp -m tcp --syn -j REJECT --reject-with icmp-port-unreachable

The long timeout is easily reproducible on a Windows console with telnet. Of course you would expect timeouts when using a DROP target, as the client is not informed that the port is not open. So I was trying to be clever and send an ICMP message to inform the client. Turns out this is wrong. Closed TCP ports should send a RST packet instead:
    -A INPUT -p tcp -m tcp --syn -j REJECT --reject-with tcp-reset

The complete chain of rules (at the end of the rule set, after all ACCEPT rules) for correctly rejecting unwanted packets is:

    # drop broadcast packets
    -A INPUT -m pkttype --pkt-type broadcast -j DROP
    # TCP ports that are not open
    -A INPUT -p tcp -m tcp --syn -j REJECT --reject-with tcp-reset
    # reply with reject to closed UDP ports
    -A INPUT -p udp -j REJECT
    # drop rest
    -A INPUT -j DROP
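To catch this trap before loading a ruleset, here is an added Python script (an example written for this note, not Odi's code) that parses iptables-save output for the INPUT chain and flags three things: a TCP REJECT that answers SYNs with ICMP instead of tcp-reset, a missing UDP reject, and a catch-all rule (such as the --syn REJECT or the final DROP) placed before a later rule it would shadow. The two rulesets embedded in it are constructed for illustration; the tail of the second one is the corrected chain from above. Everything else (function names, the 445 ACCEPT rule) is my own assumption.

```python
"""Audit an iptables-save dump for REJECT rules that make clients wait.

Added example for this note, not the post's own code; the rulesets below
are constructed samples.
"""
import shlex

# Constructed "before" ruleset: TCP SYNs get ICMP port-unreachable, which
# the Windows client keeps retrying instead of failing immediately.
RULESET_BEFORE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -p tcp -m tcp --syn -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j DROP
COMMIT
"""

# Constructed "after" ruleset: its tail is the corrected chain from the post.
RULESET_AFTER = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -p tcp -m tcp --syn -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT
-A INPUT -j DROP
COMMIT
"""

# Options whose presence narrows a rule to specific traffic; a terminating
# rule without any of them is a catch-all for its protocol (or for all).
NARROWING = {"-s", "-d", "-i", "--dport", "--sport", "--state", "--pkt-type"}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(text):
    """Return (chain, tokens) for every -A line of an iptables-save dump."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-A "):
            tokens = shlex.split(line)
            rules.append((tokens[1], tokens[2:]))
    return rules


def option(tokens, flag, default=None):
    """Value following `flag` in the token list, or `default` if absent."""
    if flag in tokens:
        i = tokens.index(flag)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return default


def audit_input_chain(text):
    """Return a list of findings; empty when the INPUT chain looks right."""
    findings = []
    tcp_reset = udp_reject = False
    shadow = None  # (rule number, protocol or None) of an earlier catch-all
    for no, (chain, tokens) in enumerate(parse_rules(text), start=1):
        if chain != "INPUT":
            continue
        target = option(tokens, "-j")
        proto = option(tokens, "-p")
        # A catch-all for all protocols shadows everything after it; a
        # per-protocol catch-all shadows later rules of that protocol.
        if shadow and shadow[1] in (None, proto):
            findings.append(f"rule {no} is unreachable: shadowed by catch-all rule {shadow[0]}")
            continue
        if target == "REJECT":
            # iptables defaults --reject-with to icmp-port-unreachable.
            how = option(tokens, "--reject-with", "icmp-port-unreachable")
            if proto == "tcp":
                if how == "tcp-reset":
                    tcp_reset = True
                else:
                    findings.append(f"rule {no}: TCP REJECT uses {how}; "
                                    "use --reject-with tcp-reset so clients fail immediately")
            elif proto == "udp":
                udp_reject = True
        if target in TERMINATING and not (NARROWING & set(tokens)):
            shadow = (no, proto)
    if not tcp_reset:
        findings.append("no INPUT rule answers closed TCP ports with a RST")
    if not udp_reject:
        findings.append("no INPUT rule answers closed UDP ports with ICMP port-unreachable")
    return findings


if __name__ == "__main__":
    for name, ruleset in (("before", RULESET_BEFORE), ("after", RULESET_AFTER)):
        print(f"{name}: {audit_input_chain(ruleset) or 'OK'}")
```

Run it against `iptables-save` output from the box; the "after" sample yields no findings, while the "before" sample reports the ICMP reject and the missing UDP reject. The shadowing check matters because the --syn REJECT is itself a catch-all: any ACCEPT placed after it never sees a new connection, which is why the corrected chain belongs at the end of the rule set.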