Building an Ubuntu Router Part 4 - High Performance Firewall

High Performance Firewall

To put the common traffic on a fast path, these rules go at the top of the FORWARD chain, before any other FORWARD rules. iptables evaluates a chain top to bottom and stops at the first match, and -A appends, so either add them first or insert them with -I:

sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -p icmp -o enp0s8 -j ACCEPT
sudo iptables -A FORWARD -p tcp -m multiport --dports 80,443,110,53 -j ACCEPT # FAST FAST FAST
sudo iptables -A FORWARD -p udp --dport 53 -j ACCEPT

This means:

  • A packet that belongs to an already established (or related) connection matches the first rule and is accepted right away; most traffic on a busy router is exactly that.
  • A ping (ICMP) leaving through enp0s8 is accepted by the second rule.
  • HTTP, HTTPS, POP3 and DNS over TCP match the third rule; a DNS query over UDP passes three rules before the fourth accepts it.
  • Anything else falls through to the rest of the chain.
  • Outbound worm traffic on the Windows file-sharing ports (NetBIOS 135-139 and SMB 445) is what floods a router, and there is no reason to forward that chatter to the Internet, so drop it:
sudo iptables -A FORWARD -p tcp --dport 135:139 -j DROP
sudo iptables -A FORWARD -p tcp --dport 445 -j DROP
sudo iptables -A FORWARD -p udp --dport 135:139 -j DROP
sudo iptables -A FORWARD -p udp --dport 445 -j DROP
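
As an added example (this is not code from the original post), here is the same fast path as a small script that keeps the rules in their own chain, jumped to from position 1 of FORWARD. That way the ordering the bullets above rely on does not depend on when the rules were appended, and re-running the script does not duplicate rules. The interface defaults to the post's enp0s8 via $OUT_IF; the chain name FASTPATH, the INVALID-state drop and the $IPTABLES/$OUT_IF knobs are my assumptions, and -m conntrack --ctstate is the current spelling of the post's -m state --state.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the fast-path rules in a
# dedicated chain and hooks that chain at the top of FORWARD. The chain name
# FASTPATH, the INVALID drop and the $OUT_IF/$IPTABLES knobs are assumptions.
set -eu

IPTABLES="${IPTABLES:-iptables}"
OUT_IF="${OUT_IF:-enp0s8}"      # interface used in the post's ICMP rule

# Print the rules in evaluation order, one per line. Cheapest, most common
# matches first: established flows hit rule 2 and never see the rest.
forward_rules() {
    cat <<EOF
-A FASTPATH -m conntrack --ctstate INVALID -j DROP
-A FASTPATH -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FASTPATH -p icmp -o $OUT_IF -j ACCEPT
-A FASTPATH -p tcp -m multiport --dports 80,443,110,53 -j ACCEPT
-A FASTPATH -p udp --dport 53 -j ACCEPT
-A FASTPATH -p tcp -m multiport --dports 135:139,445 -j DROP
-A FASTPATH -p udp -m multiport --dports 135:139,445 -j DROP
EOF
}

# (Re)build the chain and make sure FORWARD jumps to it first. Safe to re-run:
# the chain is flushed and the jump is only inserted if -C says it is missing.
apply_forward_rules() {
    "$IPTABLES" -N FASTPATH 2>/dev/null || true
    "$IPTABLES" -F FASTPATH
    forward_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # the rule line must be word-split
        "$IPTABLES" $rule
    done
    "$IPTABLES" -C FORWARD -j FASTPATH 2>/dev/null || "$IPTABLES" -I FORWARD 1 -j FASTPATH
}

# Per-rule packet/byte counters: this is how you confirm which rule each kind
# of traffic stops at (established flows should pile up on rule 2).
show_counters() {
    "$IPTABLES" -L FASTPATH -v -n --line-numbers
}

case "${1:-}" in
    rules) forward_rules ;;
    apply) apply_forward_rules ;;
    show)  show_counters ;;
esac
```

Run `sh fastpath.sh rules` to review the rule set without root, `sudo sh fastpath.sh apply` to install it, and `sudo sh fastpath.sh show` after some browsing to see the counters confirm the ordering described above. Because the rules live in FASTPATH and only a jump is inserted into FORWARD, whatever FORWARD rules earlier parts of this series added are left in place below it.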

Save the iptables rules

sudo dpkg-reconfigure iptables-persistent

Answer yes when asked whether to save the current IPv4 and IPv6 rules; they are written to /etc/iptables/rules.v4 and rules.v6 and restored at boot. On releases where the package ships the netfilter-persistent wrapper, `sudo netfilter-persistent save` does the same without the prompts.


Increase the neighbour (ARP) table thresholds

Check the current values first. gc_thresh1 is the number of entries below which the kernel never garbage-collects, gc_thresh2 the soft limit above which it starts collecting, and gc_thresh3 the hard limit above which new neighbours are refused (the kernel logs a neighbour table overflow). The defaults are small for a router with many LAN hosts:

~$ cat /proc/sys/net/ipv4/neigh/default/gc_thresh1
128
~$ cat /proc/sys/net/ipv4/neigh/default/gc_thresh2
512
~$ cat /proc/sys/net/ipv4/neigh/default/gc_thresh3
1024

Next, put the new values in /etc/sysctl.d/99-sysctl.conf (on Ubuntu this file is a symlink to /etc/sysctl.conf):

sudo nano /etc/sysctl.d/99-sysctl.conf

Add these lines:

net.ipv4.neigh.default.gc_thresh1 = 512
net.ipv4.neigh.default.gc_thresh2 = 1024
net.ipv4.neigh.default.gc_thresh3 = 2048

Decrease conntrack timeouts

Add these lines at the end of the same file. An established TCP connection stays in the conntrack table for 5 days (432000 s) by default, so dead flows pile up; 20 minutes is plenty for a home router. The UDP default is already 30 s (long-lived UDP flows use nf_conntrack_udp_timeout_stream instead), so that line only pins the value.

net.netfilter.nf_conntrack_tcp_timeout_established = 1200
net.netfilter.nf_conntrack_udp_timeout = 30

The post originally used the old key names net.ipv4.netfilter.ip_conntrack_tcp_timeout_established and net.ipv4.netfilter.ip_conntrack_udp_timeout; on current Ubuntu kernels those keys do not exist and sysctl reports them as unknown. Both spellings live under nf_conntrack, so they only exist once that module is loaded; if the router boots with no rules that load it, list nf_conntrack in /etc/modules.

Disable ipv6

In the same 99-sysctl.conf, add these lines. Do this only if nothing on your network uses IPv6; otherwise leave it enabled and filter it with ip6tables, because a router that silently drops v6 breaks dual-stack hosts behind it.

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Increase the conntrack table size

Add a line like this to 99-sysctl.conf. Each tracked connection costs a few hundred bytes of kernel memory, so a million entries means a few hundred MB; size it to your RAM. Raise the hash table with it: the kernel defaults nf_conntrack_max to 4 * nf_conntrack_buckets, so with 1048576 entries the hash size should be 262144, set through /sys/module/nf_conntrack/parameters/hashsize (or the hashsize module option). Like the timeouts, this key only exists while nf_conntrack is loaded.

net.netfilter.nf_conntrack_max = 1048576

Reload the configuration with this command:

sudo sysctl -p

sysctl -p reads only /etc/sysctl.conf, which works here because 99-sysctl.conf links to it on Ubuntu; `sudo sysctl --system` loads every file under /etc/sysctl.d the way boot does. Verify with `sysctl net.netfilter.nf_conntrack_max`; an unknown-key error means nf_conntrack is not loaded yet.
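
The sysctl steps above (neighbour thresholds, conntrack timeouts, IPv6 off, conntrack table size) share one failure mode: the net.netfilter.* keys only appear once nf_conntrack is loaded, and sysctl aborts on the first unknown key. As an added example (not code from the original post), the script below applies a sysctl.d-style file key by key straight into /proc/sys, skips and reports keys whose node is missing instead of stopping, and derives the matching conntrack hash size from nf_conntrack_max. The embedded config is the post's settings with the current key names; $PROC_SYS is a hypothetical knob so the logic can be exercised against a fake tree without root.

```shell
#!/bin/sh
# Added example, not code from the original post. Writes the router sysctls from
# a sysctl.d-style file directly into /proc/sys, skipping keys whose node is not
# there yet (the net.netfilter.* keys only appear once nf_conntrack is loaded)
# instead of aborting, and sizes the conntrack hash table to match
# nf_conntrack_max. $PROC_SYS is a hypothetical knob so the logic can be run
# against a fake tree without root.
set -eu

PROC_SYS="${PROC_SYS:-/proc/sys}"

# The post's settings with the current key names (ip_conntrack_* are the old
# spellings). Constructed here so the script is self-contained.
router_sysctl_conf() {
    cat <<'EOF'
# neighbour (ARP) cache thresholds
net.ipv4.neigh.default.gc_thresh1 = 512
net.ipv4.neigh.default.gc_thresh2 = 1024
net.ipv4.neigh.default.gc_thresh3 = 2048
# conntrack timeouts and table size
net.netfilter.nf_conntrack_tcp_timeout_established = 1200
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_max = 1048576
# IPv6 off, as in the post
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOF
}

# net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward
sysctl_path() {
    printf '%s/%s\n' "$PROC_SYS" "$(printf '%s' "$1" | tr . /)"
}

# The kernel defaults nf_conntrack_max to 4 * nf_conntrack_buckets; keep that
# ratio when raising the table so hash chains stay short.
conntrack_buckets_for() {
    echo $(( $1 / 4 ))
}

# Apply "key = value" lines from $1. Comments and blank lines are ignored.
# Prints "applied N skipped M"; each skipped key is reported on stderr.
apply_sysctl_file() {
    applied=0; skipped=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*|';'*) continue ;; esac
        key=$(printf '%s' "$line" | cut -d= -f1 | tr -d '[:space:]')
        val=$(printf '%s' "$line" | cut -d= -f2- | tr -d '[:space:]')
        path=$(sysctl_path "$key")
        if [ -w "$path" ]; then
            printf '%s\n' "$val" > "$path"
            applied=$((applied + 1))
        else
            echo "skip: $key ($path missing; module not loaded?)" >&2
            skipped=$((skipped + 1))
        fi
    done < "$1"
    echo "applied $applied skipped $skipped"
}

# Match the hash table to the new maximum; the parameter file only exists once
# nf_conntrack is loaded, so it is skipped (not an error) otherwise.
set_conntrack_hashsize() {
    hs=/sys/module/nf_conntrack/parameters/hashsize
    [ -w "$hs" ] || { echo "skip: $hs missing" >&2; return 0; }
    conntrack_buckets_for "$1" > "$hs"
}

case "${1:-}" in
    conf)  router_sysctl_conf ;;
    apply) apply_sysctl_file "${2:-/etc/sysctl.d/99-sysctl.conf}"
           set_conntrack_hashsize 1048576 ;;
esac
```

`sh router-sysctl.sh conf > /etc/sysctl.d/99-sysctl.conf` writes the file, and `sudo sh router-sysctl.sh apply` applies it; a line such as `skip: net.netfilter.nf_conntrack_max` in the output is the sign that nf_conntrack is not loaded yet, which is the case to fix before trusting the table-size and timeout settings.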

References

https://wiki.archlinux.org/index.php/High_Performance_Firewall

https://blogs.it.ox.ac.uk/networks/2014/08/21/linux-and-eduroam-building-for-speed-and-scalability/

© 2020 Juvenal Yescas All Rights Reserved.