All deployments
The following rules are optional and can be used to enhance the security of your Content Gateway deployment.
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
In addition to the above rules, it is a best practice to increase the size of nf_conntrack_max to 100000 to improve performance. Set the size after iptables is started.
- To check the setting, use: /sbin/sysctl -p
- To set the value, use:
/sbin/sysctl net.nf_conntrack_max=100000
- If you get the error "net.nf_conntrack_max" is an unknown key, the connection-tracking module is not loaded. Load the ip_conntrack module with the command:
modprobe ip_conntrack
The nf_conntrack_max value is not preserved after a reboot unless you configure your system to set it at startup. To do so, add the following line to /etc/sysctl.conf:
net.nf_conntrack_max=100000
The next group of rules is important for general system security and should be entered immediately after the above rules:
iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -i internal -j ACCEPT
iptables -i <MGMT_NIC> -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -i <MGMT_NIC> -I INPUT -p ICMP -j ACCEPT
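A defender-side check that the ruleset above is actually in place, added here as an example and not part of the Content Gateway documentation: it audits a saved `iptables -S` dump for the policies and rules listed above and flags any SSH accept rule that is not bound to the management NIC. It assumes MGMT_NIC defaults to the placeholder name eth1 and that rules print in the `iptables -S` format shown in the strings (on nft-backed iptables, `-m state` may print as `-m conntrack --ctstate`).

```shell
#!/bin/sh
# Added audit helper (not product code): checks a saved `iptables -S`
# dump against the hardening rules above. The rule strings assume the
# iptables -S print format (e.g. "-p tcp -m tcp --dport 22"); adjust them
# if your iptables prints "-m conntrack --ctstate" instead of "-m state".
MGMT_NIC="${MGMT_NIC:-eth1}"   # assumed placeholder for <MGMT_NIC>

# audit_ruleset: reads `iptables -S` output on stdin, prints each finding,
# and returns the number of findings (0 means the dump matches the rules).
audit_ruleset() {
    rules=$(cat)
    findings=0
    for want in \
        "-P INPUT DROP" \
        "-P FORWARD DROP" \
        "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT" \
        "-A INPUT -i lo -j ACCEPT" \
        "-A INPUT -i $MGMT_NIC -p tcp -m tcp --dport 22 -j ACCEPT" \
        "-A INPUT -i $MGMT_NIC -p icmp -j ACCEPT"
    do
        # -F: literal match, -x: whole line, so a rule on another
        # interface or with extra matches does not count as present.
        if ! printf '%s\n' "$rules" | grep -Fxq -- "$want"; then
            echo "missing: $want"
            findings=$((findings + 1))
        fi
    done
    # An SSH accept rule that is not tied to the management NIC defeats
    # the purpose of the --dport 22 rule, so flag it even if the right
    # rule is also present.
    if printf '%s\n' "$rules" | grep -- '--dport 22 -j ACCEPT' \
            | grep -vq -- "-i $MGMT_NIC "; then
        echo "ssh accepted on a non-management interface"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample dump for a stand-alone run (not from a real host):
# FORWARD was left at ACCEPT and SSH is accepted on every interface.
SAMPLE_DUMP='-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
printf '%s\n' "$SAMPLE_DUMP" | audit_ruleset
```

On a live host run it as `iptables -S | MGMT_NIC=<your NIC> sh audit.sh`; a non-zero exit status is the number of findings.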