I have a Java program listening for packets over both UDP and TCP on a range of ports. I have a script locally on that Linux box which will block or unblock the inbound network traffic on those ports. These scripts work well. But when I use this script to stop the traffic, it takes almost 40 minutes for the traffic to actually stop. Until then I keep receiving packets on the
java.net.DatagramSocket.receive() and
java.net.Socket.getInputStream().read()
methods. After 40 minutes the traffic stops. I have no clue what is happening; I was expecting the incoming traffic to stop immediately. Is there any configuration that I have missed on the Linux box?
The socket buffer sizes for UDP and TCP are:
[root@APP ~]# cat /proc/sys/net/ipv4/udp_mem
6164448 8219264 12328896
[root@APP ~]# cat /proc/sys/net/ipv4/udp_rmem_min
4096
[root@APP ~]# cat /proc/sys/net/ipv4/udp_wmem_min
4096
[root@APP ~]# cat /proc/sys/net/ipv4/tcp_mem
6164448 8219264 12328896
[root@APP ~]# cat /proc/sys/net/ipv4/tcp_rmem
4096 87380 4194304
[root@APP ~]# cat /proc/sys/net/ipv4/tcp_wmem
4096 16384 4194304
Here is a snippet of the iptables script. I am interested in the ports from 5000 to 5100.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [218796:15563881]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 5000:5100 -j DROP
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 4814 -j DROP
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 8000 -j DROP
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 4815 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED --sport 53 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED --sport 587 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 2814 -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED --sport 53 -j ACCEPT
-A INPUT -p udp --dport 5000:5100 -j DROP
-A INPUT -p udp --dport 4814 -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED --dport 587 -j ACCEPT
-A OUTPUT -p tcp -m state --state ESTABLISHED -m tcp --sport 5000:5100 -j ACCEPT
-A OUTPUT -p tcp -m state --state ESTABLISHED -m tcp --sport 4814 -j ACCEPT
-A OUTPUT -p tcp -m state --state ESTABLISHED -m tcp --sport 4815 -j ACCEPT
-A OUTPUT -p tcp -m state --state ESTABLISHED -m tcp --sport 2814 -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
-A OUTPUT -p udp --sport 5000:5100 -j ACCEPT
-A OUTPUT -p udp --sport 4814 -j ACCEPT
The first rule in your firewall tells iptables to accept all established connections, so you are only blocking new connections:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Try removing that rule and see what happens.
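To make the ordering point concrete, here is an added example (not part of the question or the answer above). It takes two constructed excerpts of the posted ruleset in iptables-save format, checks in which one the port-range DROP is reached before the RELATED,ESTABLISHED accept, and prints the commands that would apply the reordering on a live box. Nothing in it touches a real firewall; the `iptables -I` and `conntrack -D` commands are only printed, and `conntrack` assumes the conntrack-tools package is installed.

```bash
#!/bin/sh
# Added example, not from the original post. iptables evaluates a chain top
# to bottom and the first terminating target (ACCEPT/DROP/REJECT) wins, so a
# DROP placed after "-m state --state RELATED,ESTABLISHED -j ACCEPT" never
# sees a packet that conntrack already associates with a known flow.

# Constructed excerpt of the ruleset as posted: ESTABLISHED accept first.
POSTED='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 5000:5100 -j DROP
-A INPUT -p udp --dport 5000:5100 -j DROP'

# Same rules with the two DROPs moved ahead of the ESTABLISHED accept.
FIXED='-A INPUT -p tcp -m tcp --dport 5000:5100 -j DROP
-A INPUT -p udp --dport 5000:5100 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT'

# rule_index RULESET REGEX: 1-based position of the first rule matching
# REGEX, or 0 if no rule matches.
rule_index() {
    idx=$(printf '%s\n' "$1" | grep -n -E -e "$2" | head -n 1 | cut -d: -f1)
    echo "${idx:-0}"
}

# drops_before_established RULESET PROTO: "yes" if the DROP for PROTO on
# 5000:5100 is evaluated before the RELATED,ESTABLISHED accept (so packets
# of already-tracked flows are dropped too), otherwise "no".
drops_before_established() {
    est=$(rule_index "$1" '--state RELATED,ESTABLISHED -j ACCEPT')
    drop=$(rule_index "$1" "-p $2 .*--dport 5000:5100 -j DROP")
    if [ "$drop" -eq 0 ]; then
        echo no                       # no DROP for that protocol at all
    elif [ "$est" -eq 0 ] || [ "$drop" -lt "$est" ]; then
        echo yes
    else
        echo no                       # established flows bypass the DROP
    fi
}

# fix_commands: what a root shell would run to block the range at once.
# "-I INPUT 1" puts each DROP at the top of the chain, ahead of the
# ESTABLISHED accept. The conntrack deletions are only needed if the
# original ordering is kept; they remove the entries that currently match
# ESTABLISHED so the next packet of each flow is classified as NEW.
fix_commands() {
    cat <<'EOF'
iptables -I INPUT 1 -p udp --dport 5000:5100 -j DROP
iptables -I INPUT 1 -p tcp --dport 5000:5100 -j DROP
for port in $(seq 5000 5100); do
    conntrack -D -p udp --dport "$port" >/dev/null 2>&1
    conntrack -D -p tcp --dport "$port" >/dev/null 2>&1
done
EOF
}

echo "posted ruleset, tcp DROP effective for tracked flows: $(drops_before_established "$POSTED" tcp)"
echo "posted ruleset, udp DROP effective for tracked flows: $(drops_before_established "$POSTED" udp)"
echo "fixed ruleset,  tcp DROP effective for tracked flows: $(drops_before_established "$FIXED" tcp)"
echo "fixed ruleset,  udp DROP effective for tracked flows: $(drops_before_established "$FIXED" udp)"
echo "commands to apply on the box:"
fix_commands
```

On the live box the same thing shows up in the counters: `iptables -L INPUT -n -v --line-numbers` will show the packet count on the RELATED,ESTABLISHED rule climbing while the 5000:5100 DROP rules stay at zero, and `conntrack -L -p udp --dport 5000` lists the tracked UDP flow that keeps matching ESTABLISHED. Inserting the DROPs at position 1 also puts them ahead of the `-i lo` accept, so loopback traffic to those ports is dropped as well; add `! -i lo` to the inserted rules if that matters. Note that for TCP the kernel silently discards the packets, so the existing `Socket.getInputStream().read()` will block until the connection times out or is reset rather than return an error immediately.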