# Iptables efficiency question

## nephros

Hi.

I am revamping my firewall scripts right now and have a question about how to efficiently write iptables rules.

What I'm doing is this:

Everything from $EXTERNAL_NIC goes into a custom chain called INPUT_EXT.

In this input chain I let the packages travel through other chains doing syn-flood protection. Something like this:

```
iptables -N INPUT_EXT
iptables -A INPUT -i $EXTERNAL_NIC -m state --state NEW -j INPUT_EXT

iptables -N SYNFLOOD
iptables -A SYNFLOOD [do something]
iptables -A SYNFLOOD -j RETURN
```

I also have some ports I want to accept connections to (ssh et. al. obviously):

```
# assignment has no leading "$"; the loop needs "; do", not "do;"
SERVICES="22 80 8080"
for p in $SERVICES; do
  iptables -A INPUT_EXT -p tcp --dport $p -j ACCEPT
done
```

Here comes the question:

Is it more efficient to:

a) Do -j SYNFLOOD for ALL packages, and later decide to accept specific ports and drop the others:

```
iptables -N INPUT_EXT
iptables -A INPUT -i $EXTERNAL_NIC -m state --state NEW -j INPUT_EXT

iptables -N SYNFLOOD
iptables -A SYNFLOOD [do something]
iptables -A SYNFLOOD -j RETURN

# every NEW packet from the external NIC goes through SYNFLOOD first
iptables -A INPUT_EXT -j SYNFLOOD

SERVICES="22 80 8080"
for p in $SERVICES; do
  iptables -A INPUT_EXT -p tcp --dport $p -j ACCEPT
done

iptables -A INPUT_EXT -j DROP
```

or b) Do -j SYNFLOOD only for packages which will be accepted later in the $SERVICES loop:

```
iptables -N INPUT_EXT
iptables -A INPUT -i $EXTERNAL_NIC -m state --state NEW -j INPUT_EXT

iptables -N SYNFLOOD
iptables -A SYNFLOOD [do something]
iptables -A SYNFLOOD -j RETURN

SERVICES="22 80 8080"
for p in $SERVICES; do
  # only packets for an accepted port are sent through SYNFLOOD
  iptables -A INPUT_EXT -p tcp --dport $p -j SYNFLOOD
  iptables -A INPUT_EXT -p tcp --dport $p -j ACCEPT
done

iptables -A INPUT_EXT -j DROP
```

Note that my actual setup is more complicated, as I have not only the SYNFLOOD chain but three more, doing some tailored logging, portscan detection etc.; in total this amounts to about 60 lines of rules.

What it boils down to is: Is it better to have fewer rules in total, or more rules which only get checked under specific conditions?

----------

## adaptr

Syn flood protection is handled extremely well with kernel syncookies; no need to apply extra filter rules just for that.

I assume you mean to implement some form of burst control on that chain, like one would do to limit the frequency of ICMP echo requests.

It is a good idea for ICMP and the like, but typically not needed for true TCP connections - the kernel will handle that quite well on its own.

Your question is in general unanswerable, since it all depends on the complexity of the rules.

I can pretty much guarantee that applying one string match regexp rule will eat up much more processing than a dozen simple source address filters.

If you do want a more general rule, it is always advisable to apply filter rules from largest target group to smallest target group.

This means you would do the global flood protection first, and then specify which ports you want to allow.
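A worked version of option (a) arranged the way adaptr describes (global burst control first, then the per-port ACCEPTs, then the catch-all DROP), as an added example that is not from the thread. It assumes eth0 as the external interface, kernel syncookies set via sysctl, and an `-m limit` rule standing in for the original `[do something]`; by default it prints the rules instead of loading them, so the order can be inspected without root.

```shell
# Added example (not from the thread). IPT defaults to "echo iptables" so the
# script prints the rules instead of loading them; run with IPT=iptables as
# root to apply them for real. The limit values below are assumptions.
set -eu
IPT="${IPT:-echo iptables}"

# SYN floods are best left to the kernel: enable syncookies instead of
# adding filter rules for them (SYSCTL is a dry-run knob like IPT).
enable_syncookies() {
    ${SYSCTL:-echo sysctl} -w net.ipv4.tcp_syncookies=1
}

# Emit the INPUT_EXT rule set for one external interface and a port list.
# Order: one cheap burst-control jump first (largest target group), then
# one ACCEPT per service port, then the DROP that catches everything else.
generate_rules() {
    nic="$1"
    services="$2"

    $IPT -N INPUT_EXT
    $IPT -N FLOOD_LIMIT
    # Burst control: up to 25 NEW packets/s (burst 50) return to INPUT_EXT,
    # anything above that rate is dropped inside the chain.
    $IPT -A FLOOD_LIMIT -m limit --limit 25/second --limit-burst 50 -j RETURN
    $IPT -A FLOOD_LIMIT -j DROP

    $IPT -A INPUT -i "$nic" -m state --state NEW -j INPUT_EXT
    $IPT -A INPUT_EXT -j FLOOD_LIMIT
    for p in $services; do
        $IPT -A INPUT_EXT -p tcp --dport "$p" -j ACCEPT
    done
    $IPT -A INPUT_EXT -j DROP
}

# Number of rules appended to INPUT_EXT: a sanity check on chain length.
count_input_ext_rules() {
    generate_rules "$1" "$2" | grep -c -- '-A INPUT_EXT'
}

enable_syncookies
generate_rules eth0 "22 80 8080"
```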

----------

## nephros

*adaptr wrote:*

> ...

Very well. Thank you.

And you were right, what I called Synflood above is actually mostly about ICMP.

----------

