-
set up iptables properly
Hi there!
I have a question about configuring the firewall on Debian 13 using iptables to ensure the game has no high latency. Whatever I tried, it still has high latency. The game runs fine when the firewall is turned off and the ping is fine, about 30ms. With the FW on: 500 - 1500ms.
Not sending the whole fw settings, but the core is displayed:
Chain INPUT (policy ACCEPT 22401 packets, 11M bytes)
num pkts bytes target prot opt in out source destination
1 3553 917K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:8093
2 365 89292 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3 414 39569 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 975 packets, 249K bytes)
pkts bytes target prot opt in out source destination
135K 20M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
I tried allowing tcp connections to 145.239.161.30.8093 but with no success. Something is missing in the input chain, because when I allow INPUT for all traffic, there is no high ping.
-
You should add rules to the INPUT chain one by one until you start lagging. You have probably added a rule that is creating high load.
-
Also now that I look more into it, a default accept policy for INPUT and a default drop for OUTPUT is kinda the opposite of what it should be.
It should be default drop for INPUT (plus "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" for existing outgoing connections) and default accept for OUTPUT (unless you want to block your computer from connecting to something specific).
-
I already have this minimal configuration and the ping varies from 30 - 800ms:
iptables -L -nv --line-numbers
Chain INPUT (policy DROP 145 packets, 12354 bytes)
num pkts bytes target prot opt in out source destination
1 7923 1557K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1236K packets, 96M bytes)
num pkts bytes target prot opt in out source destination
-
I tried inserting the loopback interface into the INPUT chain and for now it's running smooth with the FW on at 30ms.
-
Oh yes, you can't block the loopback interface in the firewall, since lots of programs on your computer use it to communicate with other programs or even themselves, and you will have weird freezes all the time.
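For reference, here is the minimal ruleset the replies above describe (default DROP on INPUT with loopback and established/related traffic accepted, default ACCEPT on OUTPUT), written as an added example for this thread rather than taken from any poster. It emits iptables-restore syntax so the rules can be checked before loading, and includes a small ordering check that the loopback accept sits before any DROP rule, which is what fixed the latency in the thread.

```shell
#!/bin/sh
# Added example: generate a minimal iptables ruleset in iptables-restore
# format. Nothing here runs iptables itself; load it as root with
#   gen_rules | iptables-restore --test && gen_rules | iptables-restore

gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback must be accepted before anything drops: local programs (resolver
# caches, launchers, the game talking to itself) use it constantly, and
# dropping it causes the stalls seen in the thread.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened (the game client's own traffic).
# This also covers what the original "tcp spt:8093" rule tried to do.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Packets that belong to no known connection (stray ACKs, bad state).
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF
}

# Ordering check: returns 0 only if "-i lo -j ACCEPT" appears in INPUT before
# any INPUT rule that jumps to DROP.
check_loopback_first() {
    gen_rules | awk '
        /^-A INPUT .*-j DROP/       { if (!seen_lo) bad = 1 }
        /^-A INPUT -i lo -j ACCEPT/ { seen_lo = 1 }
        END { exit bad ? 1 : 0 }'
}

# Number of INPUT rules in the generated set (useful when comparing with
# "iptables -L INPUT -nv --line-numbers" after loading).
count_input_rules() {
    gen_rules | grep -c '^-A INPUT '
}
```

Load with `iptables-restore --test` first; it parses the file without touching the live rules, so a typo cannot lock you out.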