Skip to content

Instantly share code, notes, and snippets.

@Thermi Thermi/Best Practices.md
Last active Mar 2, 2019

Embed
What would you like to do?
Summary page of the Netfilter related resources

Best Practices:

  1. Don't use iptables to apply your rules one at a time, use iptables-restore to apply a whole ruleset in one action.
  2. Set your INPUT and FORWARD policy to DROP.
  3. Don't set your OUTPUT policy to DROP unless you really know what you're doing.
  4. If you're going to implement a blacklist or whitelist, you should look at using ipsets if that list is going to be more than two or three addresses, and if it might be dynamic.
  5. Allow all traffic on lo.
  6. You should ALLOW traffic in ctstates of RELATED and ESTABLISHED near the beginning of your rules
  7. Don't use iptables -L
  8. DON'T USE IPTABLES -L
  9. Use iptables-save instead of iptables -L.
  10. Don't use ifconfig or any of the net-tools.
  11. Use iproute2 (ip address, ip link, ip route, ip rule, ...)
  12. Always read the man pages that are installed on the system you're trying to use the corresponding software on.
Missing critical features from nftables:
1. XFRM policy lookup
2. ???
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.