Reduce firewall rules by half - one iptables rule for tcp and udp

Create a new chain which will accept any TCP and UDP packets, and jump to that chain from the individual IP/port permissive rules:

# Helper chain: accepts TCP and UDP only; any other protocol matches nothing
# here and returns to the calling chain
iptables -N ACCEPT_TCP_UDP
iptables -A ACCEPT_TCP_UDP -p tcp -j ACCEPT
iptables -A ACCEPT_TCP_UDP -p udp -j ACCEPT

# One jump per permitted destination instead of a separate tcp rule and udp rule
iptables -A zone_lan_forward -d 1.2.3.0/24 -j ACCEPT_TCP_UDP

This adds the overhead of a few extra lines, but halves the number of TCP / UDP rules.
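As an added example (not code from the answer above), the following POSIX shell function generates that layout for a whole list of destinations and prints the `iptables` commands instead of running them, so the result can be reviewed or piped to `sh` as root. It reuses the chain names from the answer (`zone_lan_forward`, `ACCEPT_TCP_UDP`) and goes one step beyond it: because `--dport` is an option of the tcp/udp match modules and only parses after `-p tcp` or `-p udp`, a port cannot be put on the protocol-less jump rule, so destinations given as `CIDR:PORT` get one helper chain per distinct port. The destinations in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer.
#
# gen_tcp_udp_rules BASE_CHAIN DEST...   where DEST is CIDR or CIDR:PORT
#
# Usage (constructed destinations):
#   sh gen.sh zone_lan_forward 1.2.3.0/24 10.0.0.5:53 | sudo sh
gen_tcp_udp_rules() {
    base="$1"; shift
    [ -n "$base" ] || { echo "usage: gen_tcp_udp_rules BASE_CHAIN DEST..." >&2; return 1; }

    # Helper chain for "any port": both protocols named explicitly, nothing else.
    printf 'iptables -N ACCEPT_TCP_UDP\n'
    printf 'iptables -A ACCEPT_TCP_UDP -p tcp -j ACCEPT\n'
    printf 'iptables -A ACCEPT_TCP_UDP -p udp -j ACCEPT\n'

    # Pass 1: one helper chain per distinct port. --dport needs -p tcp/-p udp
    # in front of it, so the port restriction has to live in the helper chain,
    # and the chain must exist before anything jumps to it.
    seen=" "
    for spec in "$@"; do
        case "$spec" in *:*) port="${spec##*:}" ;; *) continue ;; esac
        case "$port" in
            ''|*[!0-9]*) echo "gen_tcp_udp_rules: bad port in '$spec'" >&2; return 1 ;;
        esac
        case "$seen" in *" $port "*) continue ;; esac
        seen="$seen$port "
        printf 'iptables -N ACCEPT_TCP_UDP_%s\n' "$port"
        printf 'iptables -A ACCEPT_TCP_UDP_%s -p tcp --dport %s -j ACCEPT\n' "$port" "$port"
        printf 'iptables -A ACCEPT_TCP_UDP_%s -p udp --dport %s -j ACCEPT\n' "$port" "$port"
    done

    # Pass 2: one jump per destination. A packet that is neither TCP nor UDP
    # matches nothing in the helper chain and returns to the next rule of
    # BASE_CHAIN, so this rule never accepts it.
    for spec in "$@"; do
        case "$spec" in
            *:*) printf 'iptables -A %s -d %s -j ACCEPT_TCP_UDP_%s\n' \
                     "$base" "${spec%:*}" "${spec##*:}" ;;
            *)   printf 'iptables -A %s -d %s -j ACCEPT_TCP_UDP\n' "$base" "$spec" ;;
        esac
    done
}

if [ "$#" -gt 0 ]; then
    gen_tcp_udp_rules "$@"
fi
```

For N destinations sharing one port the output is 3 + 3 + N lines, against 2N for the flat tcp-rule-plus-udp-rule layout, and every line that reaches the built-in `ACCEPT` target still carries an explicit `-p`.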

I would not omit the -p argument, because you're not only opening up the firewall for ICMP, but also for any other protocol. From the iptables man page on -p:

The specified protocol can be one of tcp, udp, icmp, or all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed.

You may not be listening on any protocols except for TCP, UDP, and ICMP right now, but who knows what the future may hold. It would be bad practice to leave the firewall open unnecessarily.

Disclaimer: The iptables commands are off the top of my head; I don't have access to a box on which to test them ATM.


If you don't really care about ICMP traffic (which you can block globally with a rule anyway), you can just omit the -p flag and it'll cover all the protocols.
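A rule with no -p matches every IP protocol, not just ICMP, which is the point of the objection above. As an added check (not part of either reply), here is a small shell lint that reads `iptables` commands or `iptables-save` output on stdin and lists every rule that reaches the built-in ACCEPT target with no protocol restriction: no `-p`/`--protocol` at all, `-p all`, `-p 0`, or a negated protocol match. Jumps to a user-defined chain such as `ACCEPT_TCP_UDP` are deliberately not flagged, since that chain carries the restriction. The sample ruleset is constructed for illustration and reuses the chain names from the answer above.

```shell
#!/bin/sh
# Added example, not from the original page.
#
# accept_without_proto: print each input rule that jumps to the built-in
# ACCEPT target without restricting the protocol. Works on both
# "iptables -A CHAIN ..." command lines and "-A CHAIN ..." iptables-save lines.
#
# Usage on a live box:  iptables-save | accept_without_proto
accept_without_proto() {
    awk '
    / (-j|--jump) +ACCEPT( |$)/ {
        restricted = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-p" || $i == "--protocol") {
                v = tolower($(i + 1))
                # "! -p tcp" (current syntax) or "-p ! tcp" (old syntax) negate
                # the match and therefore admit every other protocol
                if (v == "!" || (i > 1 && $(i - 1) == "!")) v = ""
                if (v != "" && v != "all" && v != "0") restricted = 1
            }
        }
        if (!restricted) print
    }'
}

# Constructed sample: the first, fifth, sixth and seventh lines are open to all
# protocols; the jump to ACCEPT_TCP_UDP and the two rules inside it are fine.
sample_rules() {
    cat <<'EOF'
iptables -A zone_lan_forward -d 1.2.3.0/24 -j ACCEPT
iptables -A zone_lan_forward -d 1.2.3.0/24 -j ACCEPT_TCP_UDP
iptables -A ACCEPT_TCP_UDP -p tcp -j ACCEPT
iptables -A ACCEPT_TCP_UDP -p udp -j ACCEPT
iptables -A zone_lan_forward -p all -d 10.0.0.0/8 -j ACCEPT
iptables -A zone_lan_forward ! -p icmp -d 10.0.0.0/8 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -j ACCEPT
EOF
}

if [ "$#" -eq 0 ] && [ -t 0 ]; then
    # Run with no input: demonstrate on the constructed sample
    sample_rules | accept_without_proto
fi
```

Run against `iptables-save` output, the lines it prints are the ones that would let a protocol you are not expecting (GRE, SCTP, anything with an IP protocol number) through to the destination, which is exactly what keeping `-p` on the ACCEPT rules prevents.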