On Wed, Jun 29, 2016 at 1:49 PM, Gordon Messmer gordon.messmer@gmail.com wrote:
> By putting these rules first, before the "ESTABLISHED,RELATED" rule, you're applying additional processing (CPU time) to the vast majority of your packets for no reason. The "E,R" rule should be first. It won't match the invalid packets you're trying to drop.
> You're not specifying the "new" state in any of your input ACCEPT rules, which means that you're also ACCEPTing invalid packets that don't match the handful of invalid states you DROPped earlier.
>> 1. The drop commands at the beginning of each chain are for increasing performance.
> I understand what you're trying to do, but in the real world, this will decrease performance.
Gordon,
I appreciate your observations. I've been using iptables for a long time and still don't really know how to configure the order of rules to optimize performance while providing thorough filtering as a component of security. Can you share links and/or other sources and guides on this subject?
Thank you.
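The ordering Gordon describes, written out as an added example rather than anything posted in this thread: the ESTABLISHED,RELATED fast path first, the conntrack INVALID drop after it, and every remaining ACCEPT restricted to --ctstate NEW. The script emits the ruleset in iptables-restore format and only loads it when asked. The port numbers, the loopback rule and the ICMP rule are assumptions chosen for illustration, not part of the original poster's configuration.

```shell
#!/bin/sh
# Added example (not code from the thread): a minimal INPUT ruleset in
# iptables-restore format ordered the way Gordon describes.  Port numbers
# are assumptions chosen for illustration.  Run without arguments it only
# prints the rules; "--apply" loads them and needs root and iptables.

SSH_PORT="22"    # assumption: services to expose
HTTP_PORT="80"

emit_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Fast path first.  Most packets belong to an existing connection and
#    are accepted here after one conntrack lookup.  This rule cannot match
#    a packet conntrack has classified INVALID, so the DROP below still
#    sees every one of them.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# 2. Drop what conntrack could not classify.  Placed after the fast path,
#    only packets that are not part of a known connection pay for it.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 3. Admit only connection openers.  --ctstate NEW restricts each ACCEPT to
#    packets conntrack treats as the start of a flow; without it, any TCP
#    segment to the port that slipped past the drops would be accepted.
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport ${HTTP_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# 1-based line number of the first non-comment rule containing a fixed
# string, so the ordering can be checked without touching the kernel.
rule_index() {
    emit_ruleset | grep -v '^#' | grep -nF -- "$1" | head -n 1 | cut -d: -f1
}

# Count ACCEPT rules (other than the fast path and loopback) that omit
# --ctstate NEW; the ordering above is only safe when this is zero.
accepts_without_new() {
    emit_ruleset | awk '/-j ACCEPT/ && !/ESTABLISHED,RELATED/ && !/-i lo/ &&
                        !/--ctstate NEW/ { n++ } END { print n + 0 }'
}

apply_ruleset() {
    # --test parses and builds the ruleset without committing it, so a
    # typo cannot leave the host half-configured.
    emit_ruleset | iptables-restore --test && emit_ruleset | iptables-restore
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    *)       emit_ruleset ;;
esac
```

The conntrack lookup itself happens once per packet in the conntrack hook whether or not any rule references it, so `-m conntrack` is a cheap read of state already computed; what the ordering saves is evaluating every rule listed before the ESTABLISHED,RELATED line on the bulk of traffic. After loading, `iptables -L INPUT -v -n` shows per-rule packet counters, which is the quickest way to confirm that the fast path is absorbing most hits and the INVALID drop is only seeing the leftovers. `iptables-restore --test` requires a version of iptables that supports that option.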