[CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

Fri Jul 1 13:55:03 UTC 2016
Mike <1100100 at gmail.com>

On Fri, Jul 1, 2016 at 2:16 AM, Ned Slider <ned at unixmail.co.uk> wrote:
>
> Try running:
>
> iptables -nv -L

Yes!
Much sunlight awakening crusty synapses here. :-)

>
> The first thing I would do is move your ESTABLISHED,RELATED rule to the top
> of the chain. Once you've accepted the first packet you may as well accept
> the rest of the stream as quickly and efficiently as possible as you've
> established the connection is not malicious.

Yes - this is by far the rule with the most packets and bytes.
The rule goes to the top.

>
> What is the default policy for the FORWARD table?

Probably a little paranoid, but all my filter policies are "DROP"


> For example, if you trust all traffic coming from inside your
> network that is destined for the outside and want to pass that traffic
> without testing for all those tcp flags (and any other rules), you could do
> something like:
>
> -A FORWARD -p all -i LAN-NIC -o INET-NIC -j ACCEPT

I'm definitely going to test a few different configurations.
Your input is really appreciated; great nudge!

Best regards,

Mike
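The advice in this exchange (default DROP policies, the ESTABLISHED,RELATED rule at the top of each chain, and a single rule passing trusted LAN-to-Internet traffic through FORWARD) put together as an added example; this is not code from either poster. It prints a ruleset in iptables-restore format rather than applying anything, and the interface names (eth1 for the LAN, eth0 for the Internet side) and the SSH allowance are assumptions for illustration. The second function is a small lint check that confirms the conntrack rule really is the first rule of a chain before the ruleset is loaded.

```shell
#!/bin/sh
# Added example: emits an iptables-restore ruleset that follows the thread's advice.
# Interface names passed in are assumptions; nothing here touches the running kernel.

# build_ruleset LAN_IF WAN_IF  -> prints an iptables-restore ruleset on stdout
build_ruleset() {
    lan="$1"
    wan="$2"
    cat <<EOF
*filter
# Default DROP on every filter chain: anything not explicitly accepted is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# First rule in each chain: accept packets belonging to flows already accepted,
# so the bulk of traffic matches here and never reaches the rules below.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that are neither a new flow nor part of a tracked one are dropped early.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Loopback traffic on the firewall host itself.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Trusted LAN to Internet, the forward rule from the thread (chain name is FORWARD).
-A FORWARD -p all -i $lan -o $wan -j ACCEPT
# SSH to the firewall from the LAN side only (an assumption for this example).
-A INPUT -i $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Let the firewall host open new outbound connections of its own.
-A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# first_rule_is_established CHAIN   (ruleset on stdin)
# Returns 0 if the first "-A CHAIN" rule accepts ESTABLISHED,RELATED, which is the
# ordering the thread recommends, and 1 otherwise. Useful as a lint step before
# handing the ruleset to iptables-restore.
first_rule_is_established() {
    chain="$1"
    first=$(grep "^-A $chain " | head -n 1)
    case "$first" in
        *"--ctstate ESTABLISHED,RELATED -j ACCEPT"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Typical use (not executed here):
#   build_ruleset eth1 eth0 | iptables-restore --test   # syntax check only
#   build_ruleset eth1 eth0 | iptables-restore          # load the ruleset
```

After loading, `iptables -nv -L` shows the conntrack rule as the first line of each chain, and its packet and byte counters should quickly dwarf every other rule's, which is the sign the reordering is doing its job.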