iptables

Kenneth Burgener kenneth at mail1.ttak.org
Thu Oct 21 08:31:42 MDT 2010


----------------
Date: 10/21/2010 6:35 AM
From: Stuart Jansen <sjansen at buscaluz.org>
 > Here's what I would do based on your current rules:
 >
 > *filter
 > :INPUT DROP [1783:108550]
 > :FORWARD DROP [0:0]
 > :OUTPUT ACCEPT [133532:10424922]
 > -A INPUT -i lo -j ACCEPT
 > -A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT
 > -A INPUT -p icmp -j ACCEPT
 > -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 > ...



I am always confused why the RELATED,ESTABLISHED rule is not the first 
entry on the list (Red Hat's defaults don't make sense to me).  It would 
seem to me that established traffic (99.9999999% of traffic) should be 
accepted as quickly as possible.  Why make EVERY packet you receive be 
matched against the loop back and icmp?  This is the one modification I 
would make:


  *filter
  :INPUT DROP [1783:108550]
  :FORWARD DROP [0:0]
  :OUTPUT ACCEPT [133532:10424922]
  -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -i lo -j ACCEPT
  -A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT
  -A INPUT -p icmp -j ACCEPT
  ...


Is there a logical reason why not to have it this way?


Kenneth
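The cost argument in the post, as an added example that is not part of the original thread: a small Python simulation that walks the two orderings of the same four ACCEPT rules with first-match semantics over a constructed packet sample, counting how many rules each packet is tested against. Conntrack state, interface and protocol are stand-in fields, and the `--limit 5/sec` match on echo-request is assumed to always pass so that only ordering is compared.

```python
"""Simulate first-match evaluation of the two INPUT chain orderings in the
thread. Added example, not from the original post: packets, conntrack states
and matchers are constructed stand-ins, and the 5/sec limit on echo-request
is assumed to always pass so that only rule ordering is compared."""
from collections import namedtuple

# iface: input interface; proto: tcp/udp/icmp; state: conntrack state
Packet = namedtuple("Packet", "iface proto state icmp_type", defaults=[""])

# Each rule is (predicate, target); the chain is walked top to bottom and
# the first matching rule decides, exactly as iptables does.
ESTABLISHED = (lambda p: p.state in ("RELATED", "ESTABLISHED"), "ACCEPT")
LOOPBACK    = (lambda p: p.iface == "lo", "ACCEPT")
PING_LIMIT  = (lambda p: p.proto == "icmp" and p.icmp_type == "echo-request",
               "ACCEPT")  # --limit 5/sec assumed to pass (see docstring)
ANY_ICMP    = (lambda p: p.proto == "icmp", "ACCEPT")

REDHAT_ORDER  = [LOOPBACK, PING_LIMIT, ANY_ICMP, ESTABLISHED]
KENNETH_ORDER = [ESTABLISHED, LOOPBACK, PING_LIMIT, ANY_ICMP]

def run_chain(rules, packet, policy="DROP"):
    """Return (verdict, number of rules evaluated) for one packet."""
    for n, (matches, target) in enumerate(rules, start=1):
        if matches(packet):
            return target, n
    return policy, len(rules)  # no rule matched: chain policy applies

def compare(rules_a, rules_b, packets):
    """Return (total evaluations under A, under B, whether verdicts agree)."""
    cost_a = cost_b = 0
    agree = True
    for p in packets:
        verdict_a, n_a = run_chain(rules_a, p)
        verdict_b, n_b = run_chain(rules_b, p)
        cost_a += n_a
        cost_b += n_b
        agree = agree and verdict_a == verdict_b
    return cost_a, cost_b, agree

# Constructed traffic sample: overwhelmingly established TCP, plus a few new
# SYNs, inbound pings and loopback connections.
SAMPLE = ([Packet("eth0", "tcp", "ESTABLISHED")] * 1000
          + [Packet("eth0", "tcp", "NEW")] * 5
          + [Packet("eth0", "icmp", "NEW", "echo-request")] * 3
          + [Packet("lo", "tcp", "NEW")] * 2)

if __name__ == "__main__":
    rh, kb, agree = compare(REDHAT_ORDER, KENNETH_ORDER, SAMPLE)
    print(f"Red Hat order: {rh} rule evaluations; ESTABLISHED first: {kb}; "
          f"identical verdicts: {agree}")
```

Because all four rules have the same ACCEPT target, swapping their order changes only the number of rules a packet is tested against, never the verdict, which is what the `agree` check confirms. That equivalence does not hold once DROP or REJECT rules are interleaved with the ACCEPTs, so a reordering of a real chain should be checked rule by rule against the traffic it is meant to stop.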


