I have been setting up stateful firewalls on various machines at home using iptables for over a year now, following the guide on the Arch Wiki: https://wiki.archlinux.org/title/Simple_stateful_firewall

I would now like to learn how to tighten security even more by not setting the OUTPUT chain policy to ACCEPT. I want to allow only that which I need, following the philosophy of least privilege or default to deny, if you will. https://www.youtube.com/watch?v=aP8j9dgpAs0

Question: is it as simple as copy-pasting the rules for the INPUT chain into the OUTPUT chain, reversing the “-s/–source” options to “-d/–destination” and changing ESTABLISHED states to NEW? My guess is… Probably not? Because I would need to add ports 80 and 443 for web browsing, for starters, right? And also any outgoing port for my torrent client? And any port that I have chosen for my ssh server? Do I need to add the loopback interface there too?

Any guidance and referral to further reading would be appreciated! Unsolicited advice to use the newer front end nftables is… Well, not sought for at this moment

  • dgdft@lemmy.worldEnglish
    4·
    1 day ago

    Been a minute since I touched iptables, but IIRC, not quite that simple.

    You’d want to allow outbound connections to destination ports of 80/443/22 and then also allow responses from any established connection (because the server replies won’t likely be going back to your port 80/443/22 as their dest). Unless you’re running dns over https across your whole system, you’ll need to allow that too.

    Nothing against doing things the hard way, but you might like OpenStitch if you’re looking to control traffic in a practical manner.

    • SteveTech@aussie.zone
      4·
      14 hours ago

      also allow responses from any established connection

      You shouldn’t need to as iptables is stateful, you would need to for stateless firewalls though.

      You’d also need to open UDP 123 for NTP, I see that mistake a lot.