iptables - suggested improvements?
Hi, I was hoping I could get some feedback on improving my iptables for CentOS. I've struggled to get it this far, and I'm having one particular problem (dropping all forwards with one exception). In any case, I thought I would post it here in the hopes of getting some feedback, both in terms of the final product but also the journey of learning it.
The below is in a file, firewall.sh. Thanks a ton for any improvements, suggestions, or comments! Code:
|
You could move frequently matched rules to the top of the file. In particulsr I'd move the loopback rule and the state match to the top of the INPUT chain. It will have a positive effect on routing performance and/or CPU load.
The "-m state" match and the related "--state" parameter is deprecated and should be changed to "-m conntrack" and "--ctstate" respectively (provided your iptables executable is reasonably recent). You should definitely change the FORWARD policy to DROP and add any necessary rules to allow VPN traffic instead. |
Ok, thanks a ton for the feedback, I've taken some of your suggestions. The conntrack and cstate didn't work with my version of IPTables however, unfortunately. I've since done the following:
Code:
#!/bin/bash |
I can cannot fine to my VPN server now, that's fantastic. But I cannot connect through it to the internet - what am I not seeing with the lastest iptables configuration? It must be something with forwarding, but what am I doing wrong?
Thanks! |
I should close out this post as "solved" with the help I received. I also wanted to point out the (admittedly embarassing) error that I made that prevented me from connecting to the internet through my VPN, especially because it's been a while since I determined the mistake. I wanted to post in case someone else runs into the same error.
I was routing to eth0, when in fact it should have been to eth4.... Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth4 -j MASQUERADE |
All times are GMT -5. The time now is 10:36 AM. |