[CentOS] IPTABLES - How Secure & Best Practice
Mike
1100100 at gmail.com
Fri Jul 1 13:55:03 UTC 2016
On Fri, Jul 1, 2016 at 2:16 AM, Ned Slider <ned at unixmail.co.uk> wrote:
>
> Try running:
>
> iptables -nv -L
Yes!
Much sunlight awakening crusty synapses here. :-)
>
> The first thing I would do is move your ESTABLISHED,RELATED rule to the top
> of the chain. Once you've accepted the first packet you may as well accept
> the rest of the stream as quickly and efficiently as possible as you've
> established the connection is not malicious.
Yes - this is by far the rule with the most packets and bytes.
The rule goes to the top.
>
> What is the default policy for the FORWARD table?
Probably a little paranoid, but all my filter policies are "DROP".
> For example, if you trust all traffic coming from inside your
> network that is destined for the outside and want to pass that traffic
> without testing for all those tcp flags (and any other rules), you could do
> something like:
>
> -A FORWARD -p all -i LAN-NIC -o INET-NIC -j ACCEPT
I'm definitely going to test a few different configurations.
Your input is really appreciated; great nudge!
Best regards,
Mike
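A filter table that puts the three points from this exchange together (DROP default policies, the ESTABLISHED,RELATED accept as the first rule in every chain, and a blanket accept for trusted LAN-to-Internet forwarding), written as an added example rather than either poster's actual configuration; the interface names eth1/eth0 and the use of the conntrack match are assumptions.

```shell
#!/bin/sh
# Emit an iptables-restore style filter table. Nothing here touches the live
# firewall; the output is meant to be reviewed and then loaded explicitly.
# Arguments (hypothetical names): $1 = LAN interface, $2 = Internet interface.
gen_ruleset() {
    lan_if="$1"
    inet_if="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Accept the rest of an already-accepted stream as early as possible;
# this rule sees by far the most packets, so it goes first in each chain.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Loopback, and drop packets conntrack cannot classify
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Trusted inside -> outside: no per-flag checks. Chain names are
# case-sensitive, so it must be FORWARD, not Forward.
-A FORWARD -i $lan_if -o $inet_if -j ACCEPT
# Anything not matched above falls through to the DROP policy
COMMIT
EOF
}

# Check that the first rule appended to a chain is the ESTABLISHED,RELATED
# accept. Returns 0 if the ordering is right, 1 otherwise.
first_rule_is_established() {
    chain="$1"
    first=$(gen_ruleset eth1 eth0 | grep "^-A $chain " | head -n 1)
    case "$first" in
        *ESTABLISHED,RELATED*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Write the output to a file, read it through, then load it with `iptables-restore < file`; `iptables -nv -L` afterwards shows the per-rule packet and byte counters that motivated the reordering.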