Need Good Ideas on Forward and Output Chains

I've seen some good policies for INPUT chains. However, what are
typically some good ideas these days to have on Forward and Output
Chains in iptables if you're on cable modem behind a cable modem NAT
router/firewall and you just want extra protection on your workstation?
The type of malicious activity that I imagine would go across the
Forward and Output chains would be something already on the system, put
there maliciously by something like an email or web page exploit.

The only activity I really do across the Internet are dhcp, ping,
typical home user DNS query, Cisco vpn, email, web, ftp, ssh, and irc
on the usual range of ports. All other tcp or udp port activity to the
Internet is not really necessary for me in this case and I want to shut
that down.

Of course, if/when a virus has hit my system through an exploit, I'm
aware that it can go out via the well-known ports like 80, 443, etc.
I'm just trying to block all the other port activity to shut down
viruses written by blooming idiot type virus writers who don't know to
use well-known ports for sending data back out.

Sure, if I detect a virus, I'm fairly hosed, anyway, but those vital
few minutes or hours before I detect it are important -- every minute
lost is another potential identity theft problem.

Re: Need Good Ideas on Forward and Output Chains wrote:

You've pretty much described what you want. Prefix it with iptables -P
OUTPUT DROP, and you're good to go.

Use something like iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT for
the rest; don't forget incoming rules (iptables -A INPUT -p tcp --sport
80 -m state --state ESTABLISHED -j ACCEPT).

Forwarding is more tricky, but you only use it when the system is used
as a firewall for other machines, anyway (i.e., not for local traffic,
normally). Do you do that?


Re: Need Good Ideas on Forward and Output Chains

Joachim Schipper wrote:

Thanks. This was useful to me, as well as your comments on the other
thread regarding Cisco VPN connections. I will make an adjustment.

I also found that lokkit, cat /etc/default/lokkit, and a good book can
be a good primer to learning how to make your average, input-filter
type of firewall script.

Also, you are right. I don't use any forwarding.

Although I'm not a fan of Python, I've been messing with Glade-2 and
Python/PyGTK to make a control panel that does what lokkit does, so
your comments may influence a project I put up on SourceForge for
others to improve. The GNOME tools for firewall management are a bit
out of date. I'm calling the project "lokset". I've also written
"gvpnc", a GNOME front-end to vpnc, which I hope to polish and have up
there soon too. (I like to try my stuff out on me for awhile before I
put it up there.)

Thanks for being kind enough to reply, Joachim.
