On 30/06/16 23:19, Mike wrote:
> Ned,
> Thank you very much for the response.
> Great example following through on the premise.
> It sounds like I need to have a better understanding of the traffic
> patterns on my network to know the optimal order for iptables
> filtering rules.
Try running:
iptables -nv -L
which will show you in the left-hand column a counter for the number of
packets that have matched each rule. That will give you an exact
breakdown of how often your rules are being hit.
> My brief example -
> Premise: I want to limit outsiders from interfering with LAN client machines.
> So, I have the following rules regarding forwarding traffic:
> -A FORWARD -m state --state INVALID -j DROP
> -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP
> -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP
> -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP
> -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
> -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
> -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
> -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
> -A FORWARD -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
> -A FORWARD -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
> -A FORWARD -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A FORWARD -i LAN-NIC -s 10.100.100.0/24 -o INET-NIC -m state --state NEW -j ACCEPT
> -A FORWARD -i INET-NIC -o LAN-NIC -d 10.100.100.0/24 -m state --state NEW -j ACCEPT
The first thing I would do is move your ESTABLISHED,RELATED rule to the
top of the chain. Once you've accepted the first packet you may as well
accept the rest of the stream as quickly and efficiently as possible as
you've established the connection is not malicious.
What is the default policy for the FORWARD table? Assuming it is accept
then the last two accept rules can be removed.
> But I don't know if this is interfering with, or delaying DNS requests
> between LAN clients and the DHCP server.
The FORWARD chain only processes packets being routed through the
machine, so in your case that would be packets from the lan destined for
the wan, or packets from the wan destined to the lan. All internal lan
traffic such as dns requests from clients to the dhcp server are
internal and not subject to the FORWARD chain. Of course the dhcp server
probably forwards those dns requests to a dns server outside of the lan
so those requests will pass through the FORWARD chain at that point.
Assuming your hardware is not crippled or the cpu constantly overloaded,
it's not going to have any problems routing traffic through your rule
set. But if you want to ensure particular traffic is processed quickly
and bypasses all other rules, place a rule matching it near the top to
accept that traffic. For example, if you trust all traffic coming from
inside your network that is destined for the outside and want to pass
that traffic without testing for all those tcp flags (and any other
rules), you could do something like:
-A FORWARD -p all -i LAN-NIC -o INET-NIC -j ACCEPT
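To turn the counter advice and the reordering advice above into something repeatable, here is an added helper (not from the thread) that reads `iptables -nvx -L FORWARD` output (`-x` prints exact counters instead of K/M abbreviations) and ranks the rules by hits, then lists the rules that are hit more often than some rule above them and so are candidates for moving up. The counter values in the embedded sample are constructed for the demo; the interface names are the ones from the thread.

```shell
#!/bin/sh
# Constructed sample of `iptables -nvx -L FORWARD` output (counters are made up).
# Counters accumulate since the rules were loaded or last zeroed with `iptables -Z`.
SAMPLE_COUNTERS='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     312      18720 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
       0          0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x11/0x01
       2        120 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
  845221  912345678 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    4410     264600 ACCEPT     all  --  LAN-NIC INET-NIC  10.100.100.0/24      0.0.0.0/0            state NEW
      37       2220 ACCEPT     all  --  INET-NIC LAN-NIC  0.0.0.0/0            10.100.100.0/24      state NEW'

# rank_rules: reads the chain listing on stdin and prints
# "<rule-number> <pkts> <target> <match text>" sorted by packet count, highest first.
# Rule numbers are the chain positions (as in `iptables -L --line-numbers`).
# The first two lines are the chain header and the column header; columns 1-9 are fixed,
# everything from column 10 on is the match description.
rank_rules() {
  awk 'NR > 2 {
         rest = ""
         for (i = 10; i <= NF; i++) rest = rest " " $i
         printf "%d %s %s%s\n", NR - 2, $1, $3, rest
       }' | sort -k2,2nr
}

# pullup_candidates: prints "<rule-number> <pkts>" for every rule whose counter exceeds
# the counter of at least one rule placed above it. Those rules are the ones worth
# moving earlier in the chain, as the reply suggests for the ESTABLISHED,RELATED rule.
pullup_candidates() {
  awk 'NR > 2 {
         n = NR - 2; pk = $1 + 0
         for (j = 1; j < n; j++) if (pkts[j] < pk) { printf "%d %d\n", n, pk; break }
         pkts[n] = pk
       }'
}

# Stand-alone demo on the constructed sample.
# Live use on the firewall itself: iptables -nvx -L FORWARD | rank_rules
printf '%s\n' "$SAMPLE_COUNTERS" | rank_rules
printf '%s\n' "$SAMPLE_COUNTERS" | pullup_candidates
```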
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos