I have been setting up stateful firewalls on various machines at home using iptables for over a year now, following the guide on the Arch Wiki: https://wiki.archlinux.org/title/Simple_stateful_firewall
I would now like to learn how to tighten security even more by not setting the OUTPUT chain policy to ACCEPT. I want to allow only that which I need, following the philosophy of least privilege or default to deny, if you will. https://www.youtube.com/watch?v=aP8j9dgpAs0
Question: is it as simple as copy-pasting the rules for the INPUT chain into the OUTPUT chain, reversing the "-s/--source" options to "-d/--destination" and changing ESTABLISHED states to NEW? My guess is… Probably not? Because I would need to add ports 80 and 443 for web browsing, for starters, right? And also any outgoing port for my torrent client? And any port that I have chosen for my ssh server? Do I need to add the loopback interface there too?
Any guidance and referral to further reading would be appreciated! Unsolicited advice to use the newer front end nftables is… Well, not sought for at this moment
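As an added example (not from the thread or the Arch Wiki guide), this is what a default-deny OUTPUT chain looks like when built the same way that guide builds INPUT: loopback first, then conntrack states, then NEW connections only to the ports actually needed. It assumes INPUT is managed separately, uses constructed defaults (DNS, HTTP, HTTPS) for the allowed ports, and deliberately leaves out torrent peers, which use arbitrary remote ports:

```shell
#!/bin/sh
# Added example (not from the thread): build a default-deny OUTPUT chain
# for iptables. Assumptions: INPUT is managed separately (e.g. per the
# Arch Wiki guide) and the only outbound NEW connections wanted are DNS,
# HTTP and HTTPS. Prints the commands by default; "--apply" runs them.

# Emit one iptables command per line. $1: TCP ports, $2: UDP ports that
# may open NEW outbound connections (constructed defaults below).
gen_output_rules() {
    tcp_ports="${1-80 443 53}"
    udp_ports="${2-53}"
    # Flush OUTPUT only; INPUT/FORWARD and their policies stay untouched.
    echo 'iptables -F OUTPUT'
    # Loopback must be allowed explicitly once the policy is DROP, or
    # local resolvers, X and database sockets stop working.
    echo 'iptables -A OUTPUT -o lo -j ACCEPT'
    # Replies belonging to connections INPUT accepted (e.g. to the ssh
    # server) are ESTABLISHED, so no per-port OUTPUT rule is needed.
    echo 'iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP'
    for p in $tcp_ports; do
        echo "iptables -A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $udp_ports; do
        echo "iptables -A OUTPUT -p udp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what the policy will drop (rate-limited), so a forgotten
    # service shows up in the kernel log instead of failing silently.
    echo 'iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "'
    # Set the policy last, after the allow rules are in place, so an
    # interactive session is not cut off halfway through loading.
    echo 'iptables -P OUTPUT DROP'
}

# Number of ACCEPT rules the generated chain contains; a cheap sanity
# check before applying (loopback + conntrack + one per port).
count_accept_rules() {
    gen_output_rules "$@" | grep -c -- '-j ACCEPT'
}

if [ "${1:-}" = "--apply" ]; then
    gen_output_rules | sh -e       # needs root
else
    gen_output_rules
fi
```

Run it without arguments first and read the output; `sh script.sh --apply` as root loads the chain, and `dmesg | grep OUTPUT-DROP` then shows anything the default deny is blocking.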


Does the firewall on Linux work like Windows where you allow/block by process or executable name? Because that will stop malware or apps connecting to places you don’t like.
Not with the front end iptables. Linux can filter packets based on their source and destination IP, port and MAC address. It can also filter packets based on their state, being NEW, ESTABLISHED, RELATED, INVALID and UNTRACKED. You can check what processes are establishing connections with, for instance, ss or lsof -i, and what commands or binaries/executables stand for those processes with, for instance, ps. I know of no userland utility with which one could specify processes, command names or binaries/executables to block. Which might seem like a hassle from a Windows perspective, but the level of control that you achieve with Linux's packet filtering is neat and it has taught me loads about how networking and the Internet work. :)