When I enable iptables (v4/v6) on my server, every connection (ssh, imap, smtp, http, https and so on) slows down: if I try to connect via ssh, it takes up to 30 (!) seconds.
The imap service dovecot has the same issue. An ESTABLISHED rule is set.
What is the problem I do not see?
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
407K 138M ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
7259 943K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
344K 55M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1382 81884 ACCEPT tcp -- * * 0.0.0.0/0 #serverip_v4# tcp dpt:25
8 472 ACCEPT tcp -- * * 0.0.0.0/0 #serverip_v4# tcp dpt:587
212 12472 ACCEPT tcp -- * * 0.0.0.0/0 #serverip_v4# tcp dpt:143
514 27852 ACCEPT tcp -- * * 0.0.0.0/0 #serverip_v4# tcp dpt:80
3707 211K ACCEPT tcp -- * * 0.0.0.0/0 #serverip_v4# tcp dpt:443
17658 1043K ACCEPT tcp -- * * 0.0.0.0/0 #serverip_v4# tcp dpt:22
123 4932 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0 state NEW,RELATED,ESTABLISHED
3949 276K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4939 packets, 629K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
156K 20M ACCEPT all lo * ::/0 ::/0
66440 5314K ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
2 160 ACCEPT tcp * * ::/0 #serverip_v6# tcp dpt:25
1 72 ACCEPT tcp * * ::/0 #serverip_v6# tcp dpt:587
22159 1773K ACCEPT tcp * * ::/0 #serverip_v6# tcp dpt:143
14 1056 ACCEPT tcp * * ::/0 #serverip_v6# tcp dpt:80
144 11108 ACCEPT tcp * * ::/0 #serverip_v6# tcp dpt:443
3 212 ACCEPT tcp * * ::/0 #serverip_v6# tcp dpt:22
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 129 state NEW,RELATED,ESTABLISHED
435 31296 REJECT all * * ::/0 ::/0 reject-with icmp6-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1349 packets, 137K bytes)
pkts bytes target prot opt in out source destination
Using DROP or REJECT does not affect this. If I flush the rules, everything works like a charm.
Best Answer
As @MadHatter commented, it is important to allow DNS for established connections:
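The following is an added example, not part of the question or of the answer above, showing one way to put that advice into practice. The script emits an iptables-restore ruleset that keeps the poster's pattern (loopback, RELATED,ESTABLISHED, per-port accepts, a final REJECT) and adds explicit accepts for DNS replies, but pins those accepts to the resolvers actually configured in /etc/resolv.conf. The function names, the sample resolv.conf contents and the service ports are assumptions made for the example; the RELATED,ESTABLISHED rule would normally already pass replies to the server's own lookups, so the explicit rules only remove the dependency on conntrack and make the matches visible in the counters.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a host firewall that
# lets the server's own DNS lookups (used for reverse lookups by sshd,
# dovecot and postfix) get their replies back, plus a timing check for a
# slow reverse lookup. Function names and inputs are assumptions.

# resolvers_from_resolv_conf FILE
#   Print the nameserver addresses from a resolv.conf, space separated.
resolvers_from_resolv_conf() {
    awk '$1 == "nameserver" { printf "%s%s", sep, $2; sep = " " }' "$1"
}

# build_ruleset RESOLVERS PORT...
#   RESOLVERS: space-separated resolver IPs, e.g. "192.0.2.53"
#   PORT...:   TCP service ports to expose (22 443 ...)
#   Output is iptables-restore(8) syntax; check it with
#   "iptables-restore --test" before loading it.
build_ruleset() {
    resolvers=$1
    shift
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    # Replies to anything the host started, including DNS, match here.
    printf -- '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n'
    # Explicit DNS replies, pinned to the configured resolvers. A bare
    # "--sport 53 -j ACCEPT" with any source would let an attacker reach
    # every port just by sending from source port 53, so never drop the -s.
    for r in $resolvers; do
        printf -- '-A INPUT -s %s -p udp --sport 53 -j ACCEPT\n' "$r"
        printf -- '-A INPUT -s %s -p tcp --sport 53 -j ACCEPT\n' "$r"
    done
    # New inbound connections to the exposed services only.
    for p in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done
    printf -- '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT\n'
    printf -- '-A INPUT -j REJECT --reject-with icmp-port-unreachable\n'
    printf 'COMMIT\n'
}

# reverse_lookup_seconds IP
#   Whole seconds a reverse lookup of IP takes through the system resolver.
#   A daemon doing this per connection shows the same delay the poster saw
#   when replies never come back (a typical resolver timeout is several s).
reverse_lookup_seconds() {
    start=$(date +%s)
    getent hosts "$1" >/dev/null 2>&1
    end=$(date +%s)
    echo $((end - start))
}

# Usage: ./fw.sh 22 25 80 443 587 143 | iptables-restore --test
if [ "$#" -gt 0 ]; then
    build_ruleset "$(resolvers_from_resolv_conf /etc/resolv.conf)" "$@"
fi
```

The same shape applies to ip6tables, with the resolvers' IPv6 addresses and `icmp6-port-unreachable`, but an IPv6 table also needs the ICMPv6 neighbour discovery types accepted or the host loses its default gateway; the poster's v6 table only admits echo request and reply.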