[CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

Mike 1100100 at gmail.com
Thu Jun 30 22:19:55 UTC 2016


Thank you very much for the response.
Great example following through on the premise.
It sounds like I need to have a better understanding of the traffic
patterns on my network to know the optimal order for iptables
filtering rules.

My brief example -

Premise:  I want to limit outsiders from interfering with LAN client machines.
So, I have the following rules regarding forwarding traffic:

-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
-A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP
-A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
-A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
-A FORWARD -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
-A FORWARD -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
-A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-A FORWARD -i LAN-NIC -s -o INET-NIC -m state --state
-A FORWARD -i INET-NIC -o LAN-NIC -d -m state --state

But I don't know if this is interfering with, or delaying DNS requests
between LAN clients and the DHCP server.
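Two points from the ruleset above are worth making concrete. Every sanity check in it is `-p tcp`, so a UDP DNS query can never match one of them, and DNS traffic between LAN clients and a DNS/DHCP server on the same LAN segment never passes through the gateway's FORWARD chain in the first place; only traffic crossing between interfaces does. What rule order does affect is how many rules each packet is compared against. The script below is an added example, not from the original post or the CentOS project: it emits a FORWARD chain in `iptables-restore` format with an ESTABLISHED,RELATED accept placed first so that the bulk of packets (replies to flows already allowed) stop at rule one, followed by the INVALID drop, the same flag checks, and the LAN-to-Internet policy. The interface names `LAN-NIC` and `INET-NIC` follow the post; the subnet and server address are constructed.

```shell
#!/bin/sh
# Ordered FORWARD chain for a LAN/Internet gateway, in iptables-restore format.
# Constructed example: interface names follow the post, addresses are made up.
LAN_IF="LAN-NIC"
INET_IF="INET-NIC"
LAN_NET="10.0.0.0/24"     # constructed LAN subnet
DNS_SERVER="10.0.0.53"    # constructed address of the DHCP/DNS box on the LAN

# Print the complete filter table fragment, most-matched rules first.
# Lines beginning with '#' are ignored by iptables-restore.
forward_rules() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
# 1. Short-circuit the bulk of traffic: packets belonging to flows already allowed.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 2. Drop what conntrack cannot classify at all.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# 3. Bogus TCP flag combinations. Only packets of new TCP flows get this far;
#    UDP (DNS, DHCP) never matches any of these because of '-p tcp'.
-A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
-A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
-A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
-A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP
-A FORWARD -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
-A FORWARD -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
-A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# 4. A new TCP flow must start with a plain SYN.
-A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# 5. Policy: LAN clients may open flows towards the Internet; nothing unsolicited
#    comes in. DNS to $DNS_SERVER on the LAN segment never reaches this chain,
#    so no rule is needed for it here.
-A FORWARD -i $LAN_IF -s $LAN_NET -o $INET_IF -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $INET_IF -o $LAN_IF -j DROP
COMMIT
EOF
}

# 1-based position of the first FORWARD rule whose text contains the pattern.
rule_position() {
    forward_rules | grep '^-A FORWARD' | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Number of rules in the chain (a rough measure of worst-case work per packet).
rule_count() {
    forward_rules | grep -c '^-A FORWARD'
}

# Load the chain without flushing other tables. Needs root and iptables.
apply_rules() {
    forward_rules | iptables-restore -n
}
```

Run `forward_rules` to review the generated chain, and `apply_rules` as root to load it; `rule_position ESTABLISHED` should print 1, which is the whole point of the ordering: a DNS reply or a download's data packets are accepted at the first rule instead of being compared against every flag check.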