Question in iptables rule efficiency and appropriateness
by haertig from LinuxQuestions.org on (#6D387)
Question on the appropriateness/efficiency of a complex iptables rule...
Say I have three laptops, connected via VPN, that I want to allow to access three IP cameras, on three different ports. Would a couple of smaller rules be better than one big rule?
e.g., Below is an example of the "big rule" I speak of (multiple source IPs, multiple destination IPs, multiple ports). ESTABLISHED/RELATED packets have already been allowed previously. The VPN'ed laptops have fixed IPs assigned via OpenVPN/CCD and the cameras have fixed IPs via DHCP reservation.
Code:
iptables -A FORWARD -i tun21 -m state --state NEW -s $LAPTOP1,$LAPTOP2,$LAPTOP3 -d $CAM1,$CAM2,$CAM3 --match multiport --dports $HTTP_PORT,$HTTPS_PORT,$RTSP_PORT -j ACCEPT
The above rule covers a bunch of different combinations. Is this considered good or bad practice? Is the above rule going to be faster or slower than a bunch of individual rules?
Also, is there any benefit (speed or security) to "tightening" the rule any further with things like "-p tcp" and/or "-o br1"? The cameras are on a different network "br1", but their specific IP addresses that were already mentioned in the rule pretty much covered that. Similarly, I don't see any great need to specify TCP protocol only, because the rule is already locked to the specific camera IPs, and the cameras aren't going to respond to UDP anyway. So I don't see how over-specifying stuff gains you any functional difference ... but what about efficiency? Maybe specifying the seemingly redundant TCP could allow the rule to jump out of processing sooner and therefore make it more efficient.
Thanks in advance for any advice on this.
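Added example, not code from haertig's post: a shell script that spells out the three forms of this rule so they can be compared side by side. The addresses, the port numbers and the set names (vpn_laptops, ip_cams) are constructed placeholders standing in for the post's $LAPTOPn, $CAMn and $*_PORT variables; tun21 and br1 are taken from the post. Two facts it relies on: the multiport match does not load at all without a protocol (-p tcp/udp/sctp/dccp), so "-p tcp" is mandatory rather than an optional tightening; and iptables expands a comma-separated -s or -d list into one rule per address (see the -s entry in the iptables man page), so the "one big rule" is really nine rules in the kernel. The apply path needs root and the ipset tool; everything else is side-effect free.

```shell
#!/bin/sh
# Added example (not code from the original post). Addresses, ports and set
# names below are constructed placeholders; interfaces come from the post.
set -u

VPN_IF=tun21
CAM_IF=br1
LAPTOPS="10.8.0.10 10.8.0.11 10.8.0.12"            # constructed VPN client addresses
CAMS="192.168.1.201 192.168.1.202 192.168.1.203"   # constructed camera addresses
CAM_PORTS="80,443,554"                             # HTTP, HTTPS, RTSP

# Joins a space-separated list into the comma-separated form that -s/-d accept.
csv() { echo "$1" | tr ' ' ','; }

# The post's single rule, with the trailing comma removed, "-dports" corrected
# to "--dports", and "-p tcp" added: multiport refuses to load without a
# protocol, so this is the minimum that iptables will actually accept.
big_rule() {
  echo "-A FORWARD -i $VPN_IF -p tcp -m state --state NEW" \
       "-s $(csv "$LAPTOPS") -d $(csv "$CAMS")" \
       "-m multiport --dports $CAM_PORTS -j ACCEPT"
}

# What the kernel ends up with: iptables expands the address lists into one
# rule per (source, destination) pair, so 3 x 3 = 9 rules are walked in order.
# Only the multiport part remains a single match inside each rule.
expanded_rules() {
  for s in $LAPTOPS; do
    for d in $CAMS; do
      echo "-A FORWARD -i $VPN_IF -p tcp -m state --state NEW" \
           "-s $s/32 -d $d/32 -m multiport --dports $CAM_PORTS -j ACCEPT"
    done
  done
}

expanded_count() { expanded_rules | wc -l | tr -d ' '; }

# Alternative that stays one rule however many laptops or cameras there are:
# two hash-set lookups instead of a rule per pair, membership managed with
# ipset, and the output interface pinned so the rule can only match traffic
# that is really leaving towards the camera segment.
ipset_rule() {
  echo "-A FORWARD -i $VPN_IF -o $CAM_IF -p tcp -m conntrack --ctstate NEW" \
       "-m set --match-set vpn_laptops src -m set --match-set ip_cams dst" \
       "-m multiport --dports $CAM_PORTS -j ACCEPT"
}

# Installs the ipset variant. Runs only when invoked as "sh script.sh apply".
apply_ipset_rule() {
  ipset -exist create vpn_laptops hash:ip
  ipset -exist create ip_cams hash:ip
  for s in $LAPTOPS; do ipset -exist add vpn_laptops "$s"; done
  for d in $CAMS;    do ipset -exist add ip_cams "$d"; done
  # Word splitting of the rule string is intended here.
  iptables $(ipset_rule)
}

if [ "${1:-}" = "apply" ]; then
  apply_ipset_rule
else
  echo "# single rule as posted (after fixes):"; big_rule
  echo "# rules actually installed from it:";   expanded_rules
  echo "# ipset form:";                          ipset_rule
fi
```

Run without arguments it only prints the three forms. On the efficiency question: -i, -o and -p are checked in the core rule entry before any match extension runs, so a rule that names them fails fast on non-matching packets, but the cost of nine versus one address rule is small next to the conntrack rule that already accepts ESTABLISHED/RELATED traffic ahead of it; keeping that rule first matters far more than the shape of this one. The ipset form is worth it once the lists grow or change, because adding a laptop becomes an `ipset add` rather than a rule edit.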