[CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

Thu Jun 30 17:49:21 UTC 2016
Mike <1100100 at gmail.com>

On Wed, Jun 29, 2016 at 1:49 PM, Gordon Messmer
<gordon.messmer at gmail.com> wrote:
>
> By putting these rules first, before the "ESTABLISHED,RELATED" rule, you're
> applying additional processing (CPU time) to the vast majority of your
> packets for no reason.  The "E,R" rule should be first.  It won't match the
> invalid packets you're trying to drop.
>
> You're not specifying the "new" state in any of your input ACCEPT rules,
> which means that you're also ACCEPTing invalid packets that don't match the
> handful of invalid states you DROPped earlier.
>
>>     1. The drop commands at the beginning of each chain are for increasing
>>     performance.
>
>
> I understand what you're trying to do, but in the real world, this will
> decrease performance.
>

Gordon,

I appreciate your observations.
I've been using iptables for a long time and still don't really know
how to configure the order of rules to optimize performance while
providing thorough filtering as a component of security.
Can you share links and/or other sources and guides on this subject?

Thank you.
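As an added example, not part of the original thread: an INPUT ruleset laid out in the order Gordon describes (the ESTABLISHED,RELATED rule first, INVALID dropped after it, and every service ACCEPT qualified with the NEW state), emitted as iptables-restore text by a shell function so the ordering can be checked before it is loaded. The ports, the loopback rule and the use of the conntrack match are assumptions for the example.

```shell
#!/bin/sh
# Constructed example: prints a filter table in iptables-restore format.
# Ports 22/80 and the loopback rule are assumptions, not from the thread.
gen_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Fast path first: most packets belong to connections already tracked,
#    so they are accepted by the first rule and never touch the rest.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 2. Loopback is trusted.
-A INPUT -i lo -j ACCEPT
# 3. Drop INVALID only now: the E,R rule never matches these packets,
#    so they still reach this rule, and it costs nothing for normal traffic.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 4. New connections to services, qualified with --ctstate NEW so that a
#    stray packet in some other state is not accepted by a service rule.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# 1-based position, among the INPUT rules, of the first rule matching a pattern.
rule_pos() {
  gen_rules | grep '^-A INPUT' | grep -n -- "$1" | head -n1 | cut -d: -f1
}

# Sanity check before loading: E,R must be the first INPUT rule, and no
# service ACCEPT (port or ICMP) may be missing the NEW state.
check_order() {
  [ "$(rule_pos 'ESTABLISHED,RELATED')" = "1" ] || return 1
  gen_rules | grep '^-A INPUT' | grep -e '--dport' -e 'icmp' \
    | grep -v 'NEW' | grep -q . && return 1
  return 0
}

# To load on CentOS (root required):  gen_rules | iptables-restore
```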