Hello, I wonder which one is safer and/or more efficient?
Currently, when I need to allow something through the firewall, I use:

    iptables --append FORWARD --in-interface eth1 --out-interface eth0 --protocol tcp --destination $WEBSERVER --dport 80 -m state --state NEW,ESTABLISHED,RELATED --jump ACCEPT

and for the opposite direction:

    iptables --append FORWARD --in-interface eth0 --out-interface eth1 --protocol tcp --source $WEBSERVER --sport 80 -m state --state ESTABLISHED,RELATED --jump ACCEPT

I think that instead of using RELATED,ESTABLISHED for every particular rule, I could put one at the beginning:

    ### for invalid packets
    iptables --append FORWARD --in-interface eth0 --out-interface eth1 --protocol tcp -m state --state INVALID --jump LOG --log-prefix "FW invalid"
    iptables --append FORWARD --in-interface eth0 --out-interface eth1 --protocol tcp -m state --state INVALID --jump DROP
    ## for established and related connections
    iptables --append FORWARD --in-interface eth0 --out-interface eth1 --protocol tcp -m state --state RELATED,ESTABLISHED --jump ACCEPT

and then only NEW,RELATED,ESTABLISHED. This way I would have fewer ESTABLISHED,RELATED rules in the chain, and only one at the beginning.

Does it have any drawbacks? What about UDP, ICMP, etc.? Can I use the same connection tracking for those protocol types? Maybe you can point out some docs for efficient firewalling with iptables.

Best regards,
Erdal MUTLU

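The restructured FORWARD chain the question describes, written out as an added example (not part of the original post): INVALID handling first, a single ESTABLISHED,RELATED accept for every protocol, then per-service rules that only match NEW. It uses `-m conntrack --ctstate`, the current spelling of `-m state --state`; the interface roles, the sample addresses and the `IPT=echo` dry-run convention are assumptions.

```shell
#!/bin/sh
# Assumptions: eth1 is the inside interface, eth0 the outside one (as in the
# post). Addresses are constructed samples from the RFC 5737 documentation range.
# IPT defaults to iptables; set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
WEBSERVER="${WEBSERVER:-192.0.2.80}"   # constructed sample, reached via eth0
DNSSERVER="${DNSSERVER:-192.0.2.53}"   # constructed sample, reached via eth0

# Log and drop packets conntrack cannot classify, for one direction.
drop_invalid() {
    "$IPT" --append FORWARD --in-interface "$1" --out-interface "$2" \
        -m conntrack --ctstate INVALID --jump LOG --log-prefix "FW invalid: "
    "$IPT" --append FORWARD --in-interface "$1" --out-interface "$2" \
        -m conntrack --ctstate INVALID --jump DROP
}

fw_forward_rules() {
    "$IPT" --policy FORWARD DROP
    "$IPT" --flush FORWARD

    # 1. INVALID is checked in both directions before anything else sees the packet.
    drop_invalid eth0 eth1
    drop_invalid eth1 eth0

    # 2. One rule accepts reply and related traffic for every tracked flow, whatever
    #    the protocol, so the per-service reverse (--sport 80) rules are no longer needed.
    "$IPT" --append FORWARD -m conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT

    # 3. Per-service rules only have to match the first packet of a flow (NEW).
    "$IPT" --append FORWARD --in-interface eth1 --out-interface eth0 --protocol tcp \
        --destination "$WEBSERVER" --dport 80 -m conntrack --ctstate NEW --jump ACCEPT
    # UDP is tracked the same way: the first datagram is NEW, the answer ESTABLISHED
    # (the entry expires on a timeout instead of a FIN/RST).
    "$IPT" --append FORWARD --in-interface eth1 --out-interface eth0 --protocol udp \
        --destination "$DNSSERVER" --dport 53 -m conntrack --ctstate NEW --jump ACCEPT
    # ICMP echo: the request is NEW and the reply ESTABLISHED; ICMP errors that belong
    # to a tracked flow are RELATED and are already accepted by rule 2.
    "$IPT" --append FORWARD --in-interface eth1 --out-interface eth0 --protocol icmp \
        --icmp-type echo-request -m conntrack --ctstate NEW --jump ACCEPT
}

# Load the rules only when explicitly asked (FW_APPLY=1 ./script.sh as root).
if [ "${FW_APPLY:-0}" = 1 ]; then fw_forward_rules; fi
```

Run with `IPT=echo` first to review the generated rule list before loading it with `FW_APPLY=1`.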