On Wed, Jun 29, 2016 at 1:49 PM, Gordon Messmer <gordon.messmer at gmail.com> wrote:
>
> By putting these rules first, before the "ESTABLISHED,RELATED" rule, you're
> applying additional processing (CPU time) to the vast majority of your
> packets for no reason. The "E,R" rule should be first. It won't match the
> invalid packets you're trying to drop.
>
> You're not specifying the "new" state in any of your input ACCEPT rules,
> which means that you're also ACCEPTing invalid packets that don't match the
> handful of invalid states you DROPped earlier.
>
>> 1. The drop commands at the beginning of each chain are for increasing
>> performance.
>
> I understand what you're trying to do, but in the real world, this will
> decrease performance.

Gordon, I appreciate your observations. I've been using iptables for a long time and still don't really know how to configure the order of rules to optimize performance while providing thorough filtering as a component of security. Can you share links and/or other sources and guides on this subject? Thank you.
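The INPUT chain ordering Gordon describes (the "E,R" rule first, the INVALID drop after it, and every service ACCEPT restricted to NEW), written out as an added example that is not part of this thread. The ports are assumed; IPT defaults to printing the commands so the ordering can be reviewed without root, and setting IPT=iptables applies them for real.

```shell
#!/bin/sh
# Added example, not from the thread. IPT="echo iptables" only prints the
# rules (assumed default for review); IPT=iptables applies them.
IPT="${IPT:-echo iptables}"

# Build an INPUT chain whose first match handles the common case.
# Arguments: TCP ports to open for new connections (assumed, e.g. 22 443).
build_input_chain() {
  $IPT -P INPUT DROP
  $IPT -F INPUT
  # Loopback traffic is trusted and cheap to accept up front.
  $IPT -A INPUT -i lo -j ACCEPT
  # 1. The ESTABLISHED,RELATED rule comes first: most packets belong to a
  #    flow conntrack already knows, so they leave the chain here after a
  #    single match instead of being tested against every later rule.
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # 2. Only the remaining packets (a small minority) reach the INVALID drop,
  #    which the E,R rule cannot match anyway.
  $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
  # 3. Service rules are restricted to NEW, so a packet that is neither part
  #    of a known flow nor a genuine connection attempt cannot be ACCEPTed
  #    here; it falls through to the chain policy (DROP).
  for port in "$@"; do
    $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
  done
}
```

Run as `build_input_chain 22 443` to print the rules; with a real iptables binary, load the ruleset from a console session rather than over the network connection it is about to filter.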