Performance advantage of separate tcp,udp,icmp chains?

I'm writing up a bash script with iptables. Thus far my strategy has
been to separate different services into sections that can be switched
"on" or "off" at the top of the script.

My question is whether it is a performance advantage to separate tcp, udp
and icmp traffic near the top of the script to chains handling
tcp-input, tcp-output, udp-input... and so on.
If so, what do I do with rules that have "all" as protocol (or none
given)? Do I need to have a RETURN rule at the end of each chain?
In addition, should I separate the different interfaces also? That would
give chains like this: tcp-input-eth0, tcp-input-eth1... etc.

Regards,

Eirik Thorsnes
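
The layout the question describes, as an added example that is not part of the original post: service switches at the top, protocol-independent rules kept in INPUT, then one jump per protocol into tcp-input, udp-input and icmp-input. The switch names, ports and DROP policy are assumptions, and the script only prints iptables-restore input rather than loading it.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset; nothing is loaded here.
# Chain names, ports and switches are constructed for illustration.

# Service switches, like the "on"/"off" sections described in the post.
ENABLE_SSH=${ENABLE_SSH:-on}
ENABLE_DNS=${ENABLE_DNS:-on}
ENABLE_PING=${ENABLE_PING:-off}

gen_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # User-defined chains carry no policy, hence "-".
    echo ':tcp-input - [0:0]'
    echo ':udp-input - [0:0]'
    echo ':icmp-input - [0:0]'

    # Rules with no protocol ("all") stay in INPUT, ahead of the dispatch.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

    # One jump per protocol; each packet then walks only its own chain.
    echo '-A INPUT -p tcp -j tcp-input'
    echo '-A INPUT -p udp -j udp-input'
    echo '-A INPUT -p icmp -j icmp-input'

    # -p is repeated inside the chains because --dport and --icmp-type
    # are options of the protocol match.
    if [ "$ENABLE_SSH" = on ]; then
        echo '-A tcp-input -p tcp --dport 22 -j ACCEPT'
    fi
    if [ "$ENABLE_DNS" = on ]; then
        echo '-A udp-input -p udp --dport 53 -j ACCEPT'
    fi
    if [ "$ENABLE_PING" = on ]; then
        echo '-A icmp-input -p icmp --icmp-type echo-request -j ACCEPT'
    fi

    # No trailing RETURN rules: a packet that reaches the end of a
    # user-defined chain resumes in INPUT after the jump, and unmatched
    # packets fall through to the INPUT policy (DROP).
    echo 'COMMIT'
}

gen_ruleset
```

Piping the output to `iptables-restore --test` parses the ruleset without committing it.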



