iptables does something weird following suspend

Discussion in 'all things UNIX' started by Gullible Jones, Nov 17, 2012.

Thread Status:
Not open for further replies.
  1. iptables does something weird following suspend [found workaround]

    I wrote a script to set up a simple firewall, as follows:

    Code:
    #!/bin/sh
    # Flush the filter table (-F without -t only touches the filter table)
    /usr/sbin/iptables -F
    # Deny everything by default
    /usr/sbin/iptables -P INPUT DROP
    /usr/sbin/iptables -P FORWARD DROP
    /usr/sbin/iptables -P OUTPUT DROP
    # Allow established and related inputs
    /usr/sbin/iptables -A INPUT -m conntrack \
        --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Allow DNS (UDP) outbound
    /usr/sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    # Allow ICMP outbound
    /usr/sbin/iptables -A OUTPUT -p icmp -j ACCEPT
    # Allow various TCP stuff
    /usr/sbin/iptables -A OUTPUT -p tcp -m multiport \
        --dports 21,22,53,80,443,6881:6999 -j ACCEPT
    
    I set it up to run on boot, and three weird things now happen on resuming from suspend:
    1. Getting an IP address through DHCP on my home network takes 30 seconds or more
    2. During those 30 seconds, Wicd's GUI is unresponsive
    3. 'iptables --list' shows the last line (the one with the outbound TCP rules) twice

    Running the script again cuts all that short, and restores everything to normal. What did I do wrong here?

    Update: Found a workaround using acpid. Instead of invoking pm-suspend, I suspend directly with 'echo mem > /sys/power/state'. This is fine since I was already using acpid, rather than a power manager.
     
    Last edited by a moderator: Nov 18, 2012
  2. And solved. Answer is that iptables filters loopback stuff too; you have to explicitly tell it not to filter anything on lo, or you will get problems.

    Edit: an updated and much cleaner version...

    Code:
    #!/bin/sh
    # Load the whole ruleset atomically: iptables-restore replaces the
    # filter table in one step, so there is no window with a half-built
    # ruleset, and re-running the script never appends a rule twice.
    iptables-restore <<END
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    # Replies to connections this host initiated
    -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Never filter loopback: local daemons and clients talk over lo
    -A INPUT -i lo -j ACCEPT
    -A OUTPUT -p udp --dport 53 -j ACCEPT
    -A OUTPUT -p tcp -m multiport --dports 21,22,53,80,443,6881:6999 -j ACCEPT
    -A OUTPUT -p icmp -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    COMMIT
    END
    Hope that doesn't have any gratuitous holes in it!
     
    Last edited by a moderator: Nov 27, 2012
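As an added example (not code from either post in this thread), here is a small POSIX sh linter for an iptables-save dump that flags the two things the thread ran into: a default-DROP INPUT or OUTPUT policy with no loopback accept rule, and a rule that has ended up in the chain twice. The two sample dumps are constructed to resemble what `iptables-save` would print after the first script and after the iptables-restore version; the function names, messages and the shape of the checks are my own assumptions, not anything the thread specifies.

```shell
#!/bin/sh
# Added example, not from the thread: lint an iptables-save dump for a
# default-DROP policy with no loopback rule, and for duplicated rules.
# On a live system: iptables-save | lint_ruleset
# Findings go to stdout one per line; the exit status is the number found.

lint_ruleset() {
    awk '
        /^[*]/    { table = substr($0, 2); next }      # "*filter", "*nat", ...
        /^COMMIT/ { table = ""; next }
        table != "filter" { next }                     # only the filter table matters here
        /^:/      { policy[substr($1, 2)] = $2; next } # ":INPUT DROP [0:0]"
        /^-A /    {
            seen[$0]++                                 # count identical rule lines
            if ($2 == "INPUT"  && $0 ~ /-i lo .*-j ACCEPT/) lo_in  = 1
            if ($2 == "OUTPUT" && $0 ~ /-o lo .*-j ACCEPT/) lo_out = 1
            next
        }
        END {
            n = 0
            if (policy["INPUT"] == "DROP" && !lo_in) {
                print "INPUT policy is DROP with no \"-A INPUT -i lo -j ACCEPT\": local daemons on 127.0.0.1 are unreachable"; n++
            }
            if (policy["OUTPUT"] == "DROP" && !lo_out) {
                print "OUTPUT policy is DROP with no \"-A OUTPUT -o lo -j ACCEPT\": local clients cannot reach 127.0.0.1"; n++
            }
            for (r in seen) if (seen[r] > 1) {
                print "rule present " seen[r] " times: " r; n++
            }
            exit n
        }'
}

# Wrapper that reports the number of findings on stdout instead of in the
# exit status, so it can be used inside a test or under set -e.
lint_count() { lint_ruleset | awk 'END { print NR }'; }

# Constructed sample: roughly what iptables-save shows after the first
# script (no lo rules, and the multiport rule listed twice).
BEFORE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 21,22,53,80,443,6881:6999 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 21,22,53,80,443,6881:6999 -j ACCEPT
COMMIT'

# Constructed sample: the iptables-restore ruleset from the second post.
AFTER_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 21,22,53,80,443,6881:6999 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT'

echo "== before =="
printf '%s\n' "$BEFORE_DUMP" | lint_ruleset || echo "before: $? finding(s)"
echo "== after =="
printf '%s\n' "$AFTER_DUMP" | lint_ruleset && echo "after: no findings"
```

Run it as root on a real box with `iptables-save | lint_ruleset`; the exit status doubles as the finding count, so it slots into a boot or resume hook as a quick sanity check before trusting the ruleset.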