On Fri, Jul 1, 2016 at 2:16 AM, Ned Slider ned@unixmail.co.uk wrote:
> Try running:
>
> iptables -nv -L
Yes! Much sunlight awakening crusty synapses here. :-)
> The first thing I would do is move your ESTABLISHED,RELATED rule to the top of the chain. Once you've accepted the first packet you may as well accept the rest of the stream as quickly and efficiently as possible as you've established the connection is not malicious.
Yes - this is by far the rule with the most packets and bytes. The rule goes to the top.
> What is the default policy for the FORWARD table?
Probably a little paranoid, but all my filter policies are "DROP".
> For example, if you trust all traffic coming from inside your network that is destined for the outside and want to pass that traffic without testing for all those tcp flags (and any other rules), you could do something like:
>
> -A FORWARD -p all -i LAN-NIC -o INET-NIC -j ACCEPT
I'm definitely going to test a few different configurations. Your input is really appreciated; great nudge!
Best regards,
Mike
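As an added example (not from either poster), the points raised in this exchange put together as one ruleset in iptables-save format, plus two small checks you can run against real `iptables-save` output: DROP policies on all three filter chains, the ESTABLISHED,RELATED rule first in each chain, the trusted LAN-to-Internet forward accepted next, and the TCP flag sanity checks only for what is left. The interface names LAN-NIC and INET-NIC are the thread's own placeholders; nothing below touches the live firewall unless you feed the output to iptables-restore yourself.

```shell
#!/bin/sh
# Added example: a ruleset applying the thread's advice, plus checks for rule
# order and chain policy. Interface names are placeholders (override via env).
LAN_IF="${LAN_IF:-LAN-NIC}"
INET_IF="${INET_IF:-INET-NIC}"

# Emit the ruleset in iptables-save format (load with: ruleset | iptables-restore).
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# 1. Fast path first: once a flow has been accepted, accept the rest of it
#    before any other rule is evaluated (this rule carries most of the traffic).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# 2. Trusted direction: LAN to Internet, skipping the per-packet flag checks.
-A FORWARD -i $LAN_IF -o $INET_IF -j ACCEPT
# 3. Sanity checks only for what remains: new flows arriving from the Internet.
-A FORWARD -i $INET_IF -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A FORWARD -i $INET_IF -p tcp --tcp-flags ALL NONE -j DROP
-A FORWARD -i $INET_IF -p tcp --tcp-flags ALL ALL -j DROP
# Anything not matched above falls through to the DROP policy.
COMMIT
EOF
}

# rule_index CHAIN PATTERN: reads iptables-save text on stdin and prints the
# 1-based position of the first rule in CHAIN matching PATTERN (empty if none).
# Usage on a live box: iptables-save | rule_index FORWARD ESTABLISHED,RELATED
rule_index() {
    chain="$1"
    pattern="$2"
    grep -- "^-A $chain " | grep -n -- "$pattern" | head -n 1 | cut -d: -f1
}

# chain_policy CHAIN: prints the default policy of CHAIN from iptables-save text.
chain_policy() {
    grep -- "^:$1 " | head -n 1 | awk '{print $2}'
}

# first_rule_is_conntrack CHAIN: succeeds only if the ESTABLISHED,RELATED
# accept is the very first rule of CHAIN, i.e. the fast path is really first.
first_rule_is_conntrack() {
    [ "$(rule_index "$1" 'ESTABLISHED,RELATED')" = "1" ]
}

# Stand-alone run: print the ruleset and report on its own ordering.
if [ "${1:-}" = "show" ]; then
    ruleset
    for c in INPUT FORWARD OUTPUT; do
        if ruleset | first_rule_is_conntrack "$c"; then
            echo "$c: conntrack fast path is first, policy $(ruleset | chain_policy "$c")"
        else
            echo "$c: WARNING, ESTABLISHED,RELATED rule is not first"
        fi
    done
fi
```

Run it as `sh rules.sh show` to print the ruleset and the ordering report; pipe a real `iptables-save` into `rule_index` or `first_rule_is_conntrack` to check an existing firewall the same way. Keeping the conntrack rule first is what makes the later flag checks cheap: they only ever see the first packet of a flow.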