Re: [CENTOS ]IPTABLES - How Secure & Best Practice

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Ned,

Thank you very much for the response.
Great example following through on the premise.
It sounds like I need to have a better understanding of the traffic
patterns on my network to know the optimal order for iptables
filtering rules.

My brief example -

Premise:  I want to limit outsiders from interfering with LAN client machines.
So, I have the following rules regarding forwarding traffic:

-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
-A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP
-A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
-A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
-A FORWARD -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
-A FORWARD -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
-A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i LAN-NIC -s 10.100.100.0/24 -o INET-NIC -m state --state
NEW -j ACCEPT
-A FORWARD -i INET-NIC -o LAN-NIC -d 10.100.100.0/24 -m state --state
NEW -j ACCEPT

But I don't know if this is interfering with, or delaying DNS requests
between LAN clients and the DHCP server.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos



[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux