>> Is it possible to DROP all those IP's in one rule? ( I don't
>> need to log them since they are invalid anyway )
>
> Ideally this is done for you with /proc/sys/net/ipv4/conf/*/rp_filter == 1
> or 2. Basically it says that if a packet enters the interface with an ip
> address that is not on the subnet associated with it, then just drop the
> packet. That said, I don't see how these rules would seriously detriment
> performance that much.

Well I've made a script to enable this on a specific run level and I've added this:

echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter

It was on the packet filter how-to :)

>> 3. This is defining priority ports? Like shaping the traffic?
>
> yes
>
>> 3. Since all my traffic from intranet to gateway loc2fw chain
>> it's from trusted ip's ( it's from me or any member of my family ),
>> that's one of the things I can remove, anyone has any other advice or
>> improvement to the list of rules I've below?
>
> If you are memory bound, these will not help you much. If your memory is
> really the contention, then try lowering the timeouts for things like
> established or unreplied connections, etc. These things are what takes up
> the memory.

I've seen a comment on some forum that iptables "eats" lots of memory, so on old computers the scripts should be optimized. Anyway scripts should be optimized on any computer I guess.

Thanks for your advice, I'll dig on that.

António Godinho
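The rp_filter discussion above is easy to get half right: the kernel uses the larger of conf/all/rp_filter and conf/<iface>/rp_filter for each interface, so writing 2 to conf/all (as in the message) does enable loose reverse-path filtering everywhere, but auditing only conf/all would miss an interface that has been set back to 0 while all is 0. The script below is an added example, not code from the thread or from any distribution; it parses sysctl-style "key = value" lines (a constructed sample is embedded so it runs offline, and real output of `sysctl net.ipv4.conf` can be piped in instead), lists interfaces with reverse-path filtering disabled, and prints the corrective sysctl commands without applying them. The values 1 (strict: the source must be reachable via the incoming interface) and 2 (loose: reachable via any interface) are the kernel's own meanings.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread): audit rp_filter
# from sysctl-style lines on stdin and emit the fix. Nothing here touches /proc.

# Print the name of every interface entry whose rp_filter is 0, one per line.
# Accepts lines like "net.ipv4.conf.eth0.rp_filter = 1"; other lines are ignored.
audit_rp_filter() {
    while IFS= read -r line; do
        case "$line" in
            net.ipv4.conf.*.rp_filter*)
                key=${line%%=*}
                key=${key% }                 # drop the space before '='
                val=${line#*=}
                val=${val# }                 # drop the space after '='
                iface=${key#net.ipv4.conf.}
                iface=${iface%.rp_filter}
                # 0 = no reverse-path check; 1 = strict; 2 = loose.
                if [ "$val" = "0" ]; then
                    printf '%s\n' "$iface"
                fi
                ;;
        esac
    done
}

# Emit (do not run) the sysctl command that enables loose filtering on each
# interface in $1 (space-separated). Loose (2) is the safe choice on a gateway
# with asymmetric routes; strict (1) is stronger where routing is symmetric.
fix_commands() {
    for iface in $1; do
        printf 'sysctl -w net.ipv4.conf.%s.rp_filter=2\n' "$iface"
    done
}

# Constructed sample: what `sysctl net.ipv4.conf` might show on a two-NIC
# gateway where "all" was never set and eth1 was switched off by hand.
SAMPLE='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0'

disabled=$(printf '%s\n' "$SAMPLE" | audit_rp_filter | tr '\n' ' ')
if [ -n "$disabled" ]; then
    echo "rp_filter disabled on: $disabled"
    echo "suggested fix:"
    fix_commands "$disabled"
else
    echo "rp_filter enabled on every interface"
fi
```

To audit a live box, replace the sample with `sysctl net.ipv4.conf | audit_rp_filter`; because the kernel takes the maximum of the all and per-interface values, a reported interface only matters when conf/all is also 0, which the sample above deliberately shows.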