Netfilter/iptables firewall settings (continued)

Source: Internet
Author: User
Tags: reset, iptables, firewall

If there is too much to log

The network my firewall's public interface sits on also carries a DHCP server. With the logging rule described above, every DHCP packet would be logged, and because DHCP chatter keeps that network busy, the log would fill with information I do not need. So before the logging rules I inserted this rule:

iptables -A INPUT -i $IF_PUB -p udp --sport bootps -j DROP

This rule discards every UDP packet arriving on the public interface whose source port is bootps (67, the DHCP server port). Placed ahead of the logging rule, it takes DHCP server traffic out of what gets logged. Note what it does not cover: DHCP client broadcasts from other hosts carry source port bootpc (68), so if those also clutter the log they need a rule of their own. And if the firewall obtains its own address on $IF_PUB by DHCP, check that its client still works with this rule in place: a client that receives replies through an ordinary UDP socket would be cut off, while one that listens on a packet socket is unaffected, because packet sockets see frames before netfilter's INPUT chain does. If other traffic that has nothing to do with what you want to watch is cluttering the log, add similar drop rules ahead of the logging rules.

Before applying policy

The next part of my script reflects the philosophical point I raised earlier. If no further rules were added, the remaining packets would fall through to the chain policy and be dropped. The ports I actually serve have already been opened earlier in the script, so dropping everything else would not break anything. Still, this is part of the reason I allow ping, and for the same reason I also chose to be a good TCP citizen:

iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

Any remaining TCP packet is rejected and the sender receives a TCP reset (RST), which is exactly what a host sends when a connection attempt reaches a port with no listening service. Two things to keep in mind: unlike DROP, REJECT generates a reply packet for every match, so under a SYN flood or from spoofed sources the firewall does more work than it would by dropping silently; and the rule as written has no -i restriction, so it applies on every interface, not just the public one.

After that, every remaining packet falls through to the chain policy and is dropped. I should also add a rule that handles UDP in the equivalent standard way, returning an ICMP port unreachable message, which is what a host with no listener on that port would send.
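As an added example that is not the article's own script, the following sh fragment lays out the part of the INPUT chain discussed in the last two sections in the order it has to be evaluated: the DHCP noise drops, then a rate-limited LOG rule, then the TCP reset and UDP port-unreachable rejections, with the chain policy catching the rest. IF_PUB (eth0 by default), the IPT variable used for dry runs, the log prefix and the rate limit are assumptions of mine, and the second DHCP rule, for client broadcasts from source port 68, goes beyond the single rule in the text.

```shell
#!/bin/sh
# Added example, not the article's own script. The order of rules in the
# INPUT chain decides what ends up in the log: noise filters first, then the
# rate-limited LOG rule, then the "good citizen" rejections, and the chain
# policy (DROP) catches whatever is left.
# IF_PUB is assumed to be the public interface; IPT lets everything be
# dry-run without touching the kernel (assumed names, not from the article).
IF_PUB="${IF_PUB:-eth0}"
IPT="${IPT:-iptables}"

# Stand-in for iptables that just prints the rule it was asked to add.
dry_run_ipt() { printf '%s\n' "$*"; }

# 1. Silence traffic we do not want logged. Match narrowly: these are DROP
#    rules, so anything they catch is gone for good.
drop_log_noise() {
    # DHCP server replies, source port 67 (bootps), broadcast on the public LAN
    "$IPT" -A INPUT -i "$IF_PUB" -p udp --sport bootps -j DROP
    # DHCP client broadcasts from other hosts, source port 68 (bootpc)
    "$IPT" -A INPUT -i "$IF_PUB" -p udp --sport bootpc --dport bootps -j DROP
}

# 2. Log what survives, rate-limited so a flood cannot fill the disk.
log_remaining() {
    "$IPT" -A INPUT -i "$IF_PUB" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "FW-INPUT: " --log-level info
}

# 3. Answer leftover TCP and UDP the way an unfirewalled host would:
#    RST for TCP, ICMP port unreachable for UDP (REJECT's default for UDP).
reject_politely() {
    "$IPT" -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    "$IPT" -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
}

# 4. Everything else (other protocols, malformed packets) hits the policy.
build_input_chain() {
    "$IPT" -P INPUT DROP
    drop_log_noise
    log_remaining
    reject_politely
}

# Print the commands in evaluation order instead of running them.
rule_order() {
    ( IPT=dry_run_ipt; build_input_chain )
}

# "sh fw-input.sh" previews the rules; "sh fw-input.sh apply" runs them via $IPT.
if [ "${1:-}" = "apply" ]; then build_input_chain; else rule_order; fi
```

Run without arguments the script only prints the six commands in order; with `apply` it executes them through $IPT. The accepts for established connections and for the services you actually offer belong earlier in the chain and are deliberately not shown here.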

Blocking a particular problem source

You may find in your firewall log or other records that your host is being probed repeatedly by certain hosts in ways that are not allowed; for example, a host that keeps sending your web server requests for content you do not have. Mail filtering already deals with much of the unsolicited traffic from such sources, and what remains you can block with netfilter. The price is that those sources can no longer use your services properly at all. I think that is a price I can bear, since those sources are trying to attack me.
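As an added example that is not from the article, here is a small shell script that does both the spotting and the blocking: it scans the LOG output from the previous section for sources that keep showing up and emits a DROP rule for each. The log lines are constructed to look like what the kernel LOG target writes; the "FW-INPUT: " prefix, the threshold of three hits, and the use of -I to put each rule at the head of INPUT (so it is matched before the logging rule and stops filling the log too) are my assumptions.

```shell
#!/bin/sh
# Added example, not from the article: find sources that keep hitting ports
# we do not serve, using the kernel LOG output, and emit DROP rules for them.
# THRESHOLD (hits before a source is blocked) and the "FW-INPUT: " log prefix
# are assumptions; the log lines below are constructed, not real.
THRESHOLD="${THRESHOLD:-3}"

# Constructed sample of what the LOG target writes to the kernel log.
SAMPLE_LOG='Jan  4 10:01:02 fw kernel: FW-INPUT: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=44321 DPT=22 SYN
Jan  4 10:01:03 fw kernel: FW-INPUT: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=44322 DPT=23 SYN
Jan  4 10:01:04 fw kernel: FW-INPUT: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=UDP SPT=5353 DPT=5353
Jan  4 10:01:05 fw kernel: FW-INPUT: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=44323 DPT=3389 SYN
Jan  4 10:01:06 fw kernel: FW-INPUT: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=5555 DPT=445 SYN
Jan  4 10:01:07 fw kernel: FW-INPUT: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=5556 DPT=445 SYN
Jan  4 10:01:08 fw kernel: FW-INPUT: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=5557 DPT=445 SYN'

# stdin: log lines; stdout: "<count> <source>" for our prefix only, busiest first.
count_sources() {
    grep 'FW-INPUT: ' \
      | sed -n 's/.*SRC=\([0-9][0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn
}

# stdin: log lines; stdout: sources seen at least THRESHOLD times.
repeat_offenders() {
    count_sources | awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}

# stdin: log lines; stdout: one iptables command per offender. -I places the
# rule at the head of INPUT, ahead of the LOG rule, so the source is silenced
# in the log as well as on the wire.
emit_block_rules() {
    repeat_offenders | while read -r src; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$src"
    done
}

# Demonstration on the constructed sample. On a real box replace the printf
# with "journalctl -k" or "cat /var/log/kern.log", and read the output before
# piping it to sh.
printf '%s\n' "$SAMPLE_LOG" | emit_block_rules
```

On the sample this emits two rules, for 203.0.113.5 and 192.0.2.9; the mDNS talker 198.51.100.77 appears only once and is left alone. Rules added this way accumulate in the INPUT chain, so for anything beyond a handful of addresses an ipset, or a periodic job that ages entries out, is the better home for the list.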
