[CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

Fri Jul 1 06:16:05 UTC 2016
Ned Slider <ned at unixmail.co.uk>

On 30/06/16 23:19, Mike wrote:
> Ned,
> Thank you very much for the response.
> Great example following through on the premise.
> It sounds like I need to have a better understanding of the traffic
> patterns on my network to know the optimal order for iptables
> filtering rules.

Try running:

iptables -nv -L

which will show you in the left hand column a counter for the number of 
packets that have matched each rule. That will give you an exact 
breakdown of how often your rules are being hit.

> My brief example -
> Premise:  I want to limit outsiders from interfering with LAN client machines.
> So, I have the following rules regarding forwarding traffic:
> -A FORWARD -m state --state INVALID -j DROP
> -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
> -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
> -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP
> -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
> -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
> -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
> -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
> -A FORWARD -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
> -A FORWARD -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
> -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
> -A FORWARD -i LAN-NIC -s -o INET-NIC -m state --state
> -A FORWARD -i INET-NIC -o LAN-NIC -d -m state --state

The first thing I would do is move your ESTABLISHED,RELATED rule to the 
top of the chain. Once you've accepted the first packet you may as well 
accept the rest of the stream as quickly and efficiently as possible as 
you've established the connection is not malicious.

What is the default policy for the FORWARD table? Assuming it is accept 
then the last two accept rules can be removed.

> But I don't know if this is interfering with, or delaying DNS requests
> between LAN clients and the DHCP server.

The FORWARD chain only processes packets being routed through the 
machine, so in your case that would be packets from the lan destined for 
the wan, or packets from the wan destined to the lan. All internal lan 
traffic such as dns requests from clients to the dhcp server are 
internal and not subject to the FORWARD chain. Of course the dhcp server 
probably forwards those dns requests to a dns server outside of the lan 
so those requests will pass through the FORWARD chain at that point.

Assuming your hardware is not crippled or the cpu constantly overloaded, 
it's not going to have any problems routing traffic through your rule 
set. But if you want to ensure particular traffic is processed quickly 
and bypasses all other rules, place a rule matching it near the top to 
accept that traffic. For example, if you trust all traffic coming from 
inside your network that is destined for the outside and want to pass 
that traffic without testing for all those tcp flags (and any other 
rules), you could do something like:

-A FORWARD -p all -i LAN-NIC -o INET-NIC -j ACCEPT
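As an added example that is not part of the thread: the FORWARD chain reordered the way the reply suggests, in iptables-restore format, plus a helper that ranks rules by the packet counters from `iptables -nvx -L` so the most-hit rules can be moved up. It assumes the LAN-NIC/INET-NIC interface names from Mike's rules and a DROP default policy; the counter listing at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not code from the list thread. Assumes the interface names
# LAN-NIC / INET-NIC from the quoted message and a DROP default policy.

# Emit the FORWARD chain in iptables-restore format, ordered as the reply
# suggests: the ESTABLISHED,RELATED accept first, so every packet after the
# first of a connection takes the fast path and never reaches the flag tests.
forward_rules() {
    cat <<'EOF'
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
# Trusted direction: LAN to Internet skips the remaining tests entirely
-A FORWARD -i LAN-NIC -o INET-NIC -j ACCEPT
# Only new packets arriving from outside are still tested here
-A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
-A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
COMMIT
EOF
}

# Read `iptables -nvx -L FORWARD` output on stdin (-x keeps the counters
# exact instead of abbreviated) and print "rule# pkts ..." with the most-hit
# rule first, to see which rules deserve to move up the chain.
rank_rules() {
    awk 'NR > 2 { print NR - 2, $0 }' | sort -k2,2nr
}

# Rule number of the single most-hit rule in the counter listing given as $1.
hottest_rule() {
    printf '%s\n' "$1" | rank_rules | head -n 1 | cut -d' ' -f1
}

# Constructed counter listing in the layout iptables -nvx -L prints.
SAMPLE_COUNTERS='Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12        720 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
       3        180 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
   48211   61234567 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
     917      55020 ACCEPT     all  --  LAN-NIC INET-NIC  0.0.0.0/0            0.0.0.0/0'

if [ "${1:-}" = "rank" ]; then
    printf '%s\n' "$SAMPLE_COUNTERS" | rank_rules
elif [ "${1:-}" = "rules" ]; then
    forward_rules
fi
```

Run it with `rank` to see the constructed counters sorted, or with `rules` to print the reordered chain for `iptables-restore`.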