Thursday, September 10, 2009

Re: [BLUG] IPtables (don't forget IPv6!)

If you're using iptables by hand, you need to either (1) block all IPv6
traffic, or (2) perform similar blocks on the IPv6 side.

I'm a big fan of using other products to make it more painless to manage
firewalls. (There's a potential replacement to iptables *and* iptables6,
and if/when things change I don't want to deal with it.)

I've been just disabling IPv6, but that was purely a short-term solution
until the firewall product I use supported IPv6.

My product of choice is currently Shorewall. It has the advantage of
also running on my Linksys wireless router. Current versions support
both IPv4 and IPv6.

Cheers,
Steven Black


On Thu, Sep 10, 2009 at 02:56:08PM +0000, Mark Krenz wrote:
>
> I've never done any tests to see what is most efficient, but if you
> have a large number of drops for a specific port, it might be useful to
> send a single port to its own chain, then deal with the drops for more
> specific hosts and networks in that chain. So if you had a separate
> chain for port 80, packets destined for port 25 or whatever would skip
> over checking all the port 80 rules.
>
> So something like this:
>
>
> /sbin/iptables -N port80
> /sbin/iptables -A port80 -s 64.1.2.3/32 -d 0/0 -j DROP
> /sbin/iptables -A port80 -s 24.5.6.0/24 -d 0/0 -j DROP
> /sbin/iptables -A port80 -s 10.0.0.0/8 -d 0/0 -j DROP
> /sbin/iptables -A port80 -s 0/0 -d 0/0 -j ACCEPT
>
> /sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 80 -j port80
> /sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 25 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 -j DROP
>
>
>
> So I think now that port 25 packets will only have to check 2 rules
> instead of 5 because they won't have to go through the chain of port 80
> rules. Now I'm curious to see how much of a difference it makes. I'll
> have to test it.
>
>
> On Thu, Sep 10, 2009 at 02:23:10PM GMT, Scott Blaydes [sblaydes@gmail.com] said the following:
> > Okay, I am starting to get into some really long DROP lists in my
> > IPtables config and was wondering what others on the list thought
> > about best placement of the DROPs vs ACCEPTs. Do you have your drops
> > early in the file so that the blocked IPs get denied as quickly as
> > possible or do you have your allows earlier in the file?
> >
> > Is one way really more efficient than the other?
> >
> > Thank you,
> > Scott Blaydes

_______________________________________________
BLUG mailing list
BLUG@linuxfan.com
http://mailman.cs.indiana.edu/mailman/listinfo/blug

Re: [BLUG] IPtables

I've never done any tests to see what is most efficient, but if you
have a large number of drops for a specific port, it might be useful to
send a single port to its own chain, then deal with the drops for more
specific hosts and networks in that chain. So if you had a separate
chain for port 80, packets destined for port 25 or whatever would skip
over checking all the port 80 rules.

So something like this:


/sbin/iptables -N port80
/sbin/iptables -A port80 -s 64.1.2.3/32 -d 0/0 -j DROP
/sbin/iptables -A port80 -s 24.5.6.0/24 -d 0/0 -j DROP
/sbin/iptables -A port80 -s 10.0.0.0/8 -d 0/0 -j DROP
/sbin/iptables -A port80 -s 0/0 -d 0/0 -j ACCEPT

/sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 80 -j port80
/sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 0/0 -d 0/0 -j DROP

So I think now that port 25 packets will only have to check 2 rules
instead of 5 because they won't have to go through the chain of port 80
rules. Now I'm curious to see how much of a difference it makes. I'll
have to test it.


On Thu, Sep 10, 2009 at 02:23:10PM GMT, Scott Blaydes [sblaydes@gmail.com] said the following:
> Okay, I am starting to get into some really long DROP lists in my
> IPtables config and was wondering what others on the list thought
> about best placement of the DROPs vs ACCEPTs. Do you have your drops
> early in the file so that the blocked IPs get denied as quickly as
> possible or do you have your allows earlier in the file?
>
> Is one way really more efficient than the other?
>
> Thank you,
> Scott Blaydes

--
Mark Krenz
Bloomington Linux Users Group
http://www.bloomingtonlinux.org/
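As an added example (not code from the thread): a dry-run script that builds Mark's per-port chain layout and, as Steven advises, applies the same layout to ip6tables so the IPv6 side is not left open. The DRY_RUN switch, the function names and the 2001:db8 prefixes are my own constructions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a per-port chain (Mark's layout)
# for both iptables and ip6tables (Steven's point). With DRY_RUN=1 (default)
# the commands are printed for review instead of executed, so it runs unprivileged.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_port80 <iptables|ip6tables> <source prefix to DROP>...
# Port 80 traffic jumps into its own chain; other ports never see those rules.
build_port80() {
    ipt=$1; shift
    run "$ipt" -N port80
    for src in "$@"; do
        run "$ipt" -A port80 -s "$src" -j DROP
    done
    run "$ipt" -A port80 -j ACCEPT
    run "$ipt" -A INPUT -p tcp --dport 80 -j port80
    run "$ipt" -A INPUT -p tcp --dport 25 -j ACCEPT
    run "$ipt" -A INPUT -p tcp -j DROP
}

# Constructed sample drop lists; the IPv6 ones use the documentation prefix.
V4_DROPS="64.1.2.3/32 24.5.6.0/24 10.0.0.0/8"
V6_DROPS="2001:db8:1::/48 2001:db8:2::/64"

build_all() {
    build_port80 iptables $V4_DROPS
    build_port80 ip6tables $V6_DROPS
}

build_all
```

Run with DRY_RUN=0 as root to apply; as written it only prints, so you can diff the v4 and v6 output to confirm both families get the same structure.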

[BLUG] IPtables

Okay, I am starting to get into some really long DROP lists in my
IPtables config and was wondering what others on the list thought
about best placement of the DROPs vs ACCEPTs. Do you have your drops
early in the file so that the blocked IPs get denied as quickly as
possible or do you have your allows earlier in the file?

Is one way really more efficient than the other?

Thank you,
Scott Blaydes