Discussion:
IPtables bash script
Ralph Sanchez
2016-05-22 23:30:07 UTC
Hello All, I have taken up writing this bash script to change my
iptables rules. It seems the only issue I've found is that it seems to
not want to connect to certain websites at some moments and not
others, or generally but sometimes it lets it through without
changing anything. This completely stops if I add RELATED to my OUTPUT
ACCEPT next to NEW, just not sure how that impacts security exactly.

Also, any advice on making this script better, or stronger per
security, would be appreciated as this is both my first time scripting
in bash from scratch and my first IPTABLES venture.

Oh, and don't mind the echo lines, those are solely for my
entertainment upon running.

#!/bin/sh

IPT=/sbin/iptables
IP6=/sbin/ip6tables

echo "[+] ENTRY PLUG EJECTED, READY FOR PILOT ENTRY"
read OK

echo " $OK ENTRY PLUG INSERTION COMPLETE"

echo "[+] Flooding the cockpit with LCL. Don't try and hold your breath, just breath normal. It's weird at first, but you'll get used to it "

# Flush the filter and nat tables and delete any user-defined chains
$IPT -F
$IPT -F -t nat
$IPT -X

echo "[+] Synch ratio 99%, within permissable parameters..."

# Default policies: DROP everything that no rule below accepts
# (ip6tables gets policies only, so all IPv6 traffic is dropped)
$IP6 -P INPUT DROP
$IP6 -P FORWARD DROP
$IP6 -P OUTPUT DROP

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

## INPUT Rules ###

echo "[+] AT Field is active, moving EVA UNIT 1 to elevator 24..."

# Log INVALID packets, and every NEW packet whether it is accepted below or not
$IPT -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID_DROPS" --log-ip-options --log-tcp-options
$IPT -A INPUT -m conntrack --ctstate NEW -j LOG --log-prefix "NEW_DROPS" --log-ip-options --log-tcp-options

$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A INPUT -p icmp --icmp-type echo-request -j DROP

$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT --in-interface lo -j ACCEPT

$IPT -A INPUT -p tcp --dport 443 -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT

## FORWARD Rules ##

#$IPT -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID_FORWARD" --log-ip-options --log-tcp-options
#$IPT -A FORWARD -i lo -j ACCEPT
#$IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
#$IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

## OUTPUT Rules ##

echo "[+] It's up to you now, Shinji..."

$IPT -A OUTPUT --out-interface lo -j ACCEPT # Allows ALL Loopback traffic
$IPT -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT # Only allow NEW connections outbound.
$IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT # Allows Privoxy via HTTP and HTTPS
$IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT # ACCEPT outbound https
$IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT # ACCEPT outbound http (DO NOT LEAVE ACTIVE!)
$IPT -A OUTPUT -m owner --uid-owner root -j ACCEPT # Allows ALL root requests
Jonathan Plews
2016-05-23 07:00:42 UTC
I'm not saying knowing iptables is bad, but Shorewall is much
better than these kinds of things.

I think you may have some unlogged drops, that'd be the first
thing to check.
d***@respiranto.de
2016-05-23 17:39:14 UTC
Hi,

I personally do not block outbound traffic at all, which in my opinion
does not impose a significant risk.

Furthermore, I do not see a good reason to allow all NEW connections
while blocking most RELATED ones. Usually it is done the other way
round: You decide upon a NEW connection whether it shall be allowed and
then you allow all RELATED traffic to pass as well.

In general I can only recommend the guides I (mainly) used:
https://www.linode.com/docs/security/securing-your-server/
https://wiki.archlinux.org/index.php/Simple_stateful_firewall
http://serverfault.com/questions/84963/why-not-block-icmp

By the way, is this a non-server machine? If so, why do you care about
the ports 80 and 443?
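The stateful layout described above (decide on NEW, then let RELATED,ESTABLISHED through), and the later point in this thread that every flow has to start with a NEW packet before anything can be RELATED or ESTABLISHED, written out as a complete ruleset. This is an added example, not the script from the thread or anything its participants posted: it emits iptables-restore syntax from a shell function so the rules can be read before they are loaded, keeps the thread's DROP policies, loopback rules and the privoxy owner rule, and adds two things the original script lacked: an outbound DNS rule (udp/tcp 53, on the assumption that the laptop resolves names itself) and rate-limited LOG rules placed just before each chain's DROP policy so that nothing is dropped unlogged. Ping is accepted rate-limited rather than dropped, following the serverfault link above. IPv6 is deliberately left alone here; note that the original's ip6tables DROP policies with no ACCEPT rules also block IPv6 loopback and ICMPv6.

```shell
#!/bin/sh
# Added example (not the poster's script): a stateful iptables ruleset in
# iptables-restore format following the thread's advice. Assumes the rules
# are loaded with iptables-restore and that DNS (port 53) must be reachable
# outbound; the original script had no DNS rule, so that part is an assumption.
set -eu

PRIVOXY_USER=privoxy   # account name taken from the thread; adjust to match the system

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# --- INPUT: loopback, replies to our own connections, everything else dropped (and logged)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# echo-request is the one inbound ICMP type conntrack cannot mark RELATED by itself
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# whatever reaches here is about to hit the DROP policy: log it first, rate-limited
-A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "INPUT_DROP: " --log-ip-options --log-tcp-options
# --- OUTPUT: the decision is taken on NEW only; RELATED/ESTABLISHED then follow automatically
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate NEW -p udp --dport 53 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 53 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p tcp -m multiport --dports 80,443 -m owner --uid-owner $PRIVOXY_USER -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 443 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 80 -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "OUTPUT_DROP: " --log-ip-options --log-tcp-options
COMMIT
EOF
}

# With no argument the ruleset is only printed; "apply" loads it atomically (needs root).
if [ "${1:-}" = "apply" ]; then
    gen_rules | iptables-restore
else
    gen_rules
fi
```

Run it with no argument to review the output, or as root with `apply` to load it in one atomic step. The owner match makes iptables-restore fail at load time if the privoxy account does not exist, so set PRIVOXY_USER first. Outbound NEW is the only place a policy decision is made; the relative order of the RELATED,ESTABLISHED accept and the INVALID drop does not change the outcome, because conntrack assigns each packet exactly one state.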
d***@respiranto.de
2016-05-23 20:13:55 UTC
Post by Ralph Sanchez
Yes, this is a personal laptop. If you notice, I have default POLICY
as DROP, which means if I don't accept on ports 80 and 443 I can't
accept HTTPS and HTTP, correct? I'm still learning how all this works,
but that's what it seemed to me and was explained in other guides and
tutorials I needed to do. And if I don't ACCEPT there, I don't get any
web pages whatsoever.
Whenever you perform an HTTP(S) request, the response should be treated
as RELATED, hence allowing all RELATED inbound traffic should suffice.
Post by Ralph Sanchez
Thanks for the advice on NEW, I haven't seen much said about it, so
I'll take that advice and just enable RELATED as well, considering
that solves the biggest problem I had as far as still accessing the
web.
And as far as blocking outbound, I just don't see any reason to allow
any more data in or out at any moment than is absolutely needed, and
it should help mitigate some malicious software calling home even if
it does get through into my system.
It could still connect via 80,443. However, you are right, your setup
will block those malicious pieces of software that do not try to use
those (and that do not gain root rights).
Post by Ralph Sanchez
Thanks for the reading, that's where I'm heading now : )
Ralph Sanchez
2016-05-23 20:32:16 UTC
Post by Ralph Sanchez
Yes, this is a personal laptop. If you notice, I have default POLICY
as DROP, which means if I don't accept on ports 80 and 443 I can't
accept HTTPS and HTTP, correct? I'm still learning how all this works,
but that's what it seemed to me and was explained in other guides and
tutorials I needed to do. And if I don't ACCEPT there, I don't get any
web pages whatsoever.
Post by d***@respiranto.de
Whenever you perform an HTTP(S) request, the response should be treated
as RELATED, hence allowing all RELATED inbound traffic should suffice.
So, would it be better to not base any outgoing connections on
stateful connections and simply just allow it via port, since either
way the port is going to allow both wanted traffic and possible
subversion, if malicious software passed the input? Or maybe put the
443 ACCEPT before the stateful filtering, and only allow established
state?
Post by Ralph Sanchez
Thanks for the advice on NEW, I haven't seen much said about it, so
I'll take that advice and just enable RELATED as well, considering
that solves the biggest problem I had as far as still accessing the
web.
And as far as blocking outbound, I just don't see any reason to allow
any more data in or out at any moment than is absolutely needed, and
it should help mitigate some malicious software calling home even if
it does get through into my system.
Post by d***@respiranto.de
It could still connect via 80,443. However, you are right, your setup
will block those malicious pieces of software that do not try to use
those (and that do not gain root rights).
Yeah, I wasn't sure whether I should leave those options in or just go
off stateful...see previous statement. Also, if something gains root
rights in my system, then I've got more problems than a faulty
firewall.
Ralph Sanchez
2016-05-23 21:28:28 UTC
Thanks for the clarification : ) And you didn't confuse the two
explicitly, but I wasn't sure if you were advising allow NEW,RELATED/
NEW,ESTABLISHED or ESTABLISHED,RELATED on outbound packets, but now I
know.

I have read through quite a few manuals and online forums, although no
RFCs...I'm not really sure I know what they are even, haha. I have
configured myself pretty well, editing PAM and my sysctl.conf file
rigorously, BIOS passwording and denying USB boots without admin
access to the BIOS, as well as other various activities including
attempting to configure SELinux, which is nigh impossible to do and
have it have any effect on Jessie right now, at least as far as me and
someone else could find.

I have noticed that DROP on invalid first actually drops more packets
than simply allowing Established, related...does this imply a packet
can have more than one state??
Post by Ralph Sanchez
So, would it be better to not base any outgoing connections on
stateful connections and simply just allow it via port, since either
way the port is going to allow both wanted traffic and possible
subversion, if malicious software passed the input? Or maybe put the
443 ACCEPT before the stateful filtering, and only allow established
state?
Post by d***@respiranto.de
As I said, I would simply allow all RELATED (and ESTABLISHED btw.) in-
and outbound connections. I might have mixed up RELATED and ESTABLISHED
a little in the former emails, by the way. Apart from that, you may
block as much as you want. And I would suggest blocking any other INPUT
(except for icmp (possibly partly) and lo). But again, if you really
want to secure your box, take the time to thoroughly read a few manuals
and possibly even a few RFCs.
Einhard Leichtfuß
2016-05-23 21:39:25 UTC
Post by Ralph Sanchez
I have noticed that DROP on invalid first actually drops more packets
than simply allowing Established, related...does this imply a packet
can have more than one state??
No (though I don't know about DNAT and SNAT), hence it must be due to
other rules.
Ralph Sanchez
2016-05-23 22:01:17 UTC
Also, it seems if I only allow Related and Established on OUTPUT I
cannot access the internet, 90 percent of packets get dropped when I
try to connect to anything, but allowing new established allows
connection...but also any software would be able to call home.
Ralph Sanchez
2016-05-23 22:04:49 UTC
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    40 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 5
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 2165  308K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain OUTPUT (policy DROP 168 packets, 10072 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 5
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    6   716 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
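Jonathan's suggestion to look for unlogged drops, applied to counters like the ones posted above: the second listing shows 168 packets hitting the OUTPUT policy DROP while the chain contains no LOG rule, which is exactly the silent failure this thread is chasing. The following is an added example, not something from the thread, that reads `iptables -L -v -n` output (the numeric listing format shown above) and reports every chain with a DROP policy, a non-zero policy counter and no LOG target. The sample listing embedded in it is constructed from the posted output, with an extra INPUT chain that does log so the negative case is visible too.

```shell
#!/bin/sh
# Added example, not from the thread: find chains whose DROP policy is
# discarding packets that no LOG rule ever records. Input is the output of
# `iptables -L -v -n`, read from stdin; uses only POSIX awk features.
set -eu

# Prints "<chain>: <n> packets hit policy DROP with no LOG rule" for each chain
# that has policy DROP, a non-zero policy counter and no LOG target anywhere.
audit_unlogged_drops() {
    awk '
        function flush() {
            if (chain != "" && policy == "DROP" && dropped > 0 && haslog == 0)
                printf "%s: %d packets hit policy DROP with no LOG rule\n", chain, dropped
        }
        # Chain header, e.g. "Chain OUTPUT (policy DROP 168 packets, 10072 bytes)".
        # User-defined chains read "(N references)", carry no policy and are skipped.
        /^Chain / {
            flush()
            chain = $2; policy = ""; dropped = 0; haslog = 0
            if ($3 == "(policy") { policy = $4; dropped = $5 + 0 }
            next
        }
        # Rule lines: pkts bytes target prot opt in out source destination [matches]
        $3 == "LOG" { haslog = 1 }
        END { flush() }
    '
}

# Constructed sample based on the listing in the thread: INPUT logs before its
# policy drops, FORWARD drops nothing, OUTPUT drops 168 packets silently.
SAMPLE_LISTING='Chain INPUT (policy DROP 42 packets, 2520 bytes)
 pkts bytes target     prot opt in     out     source               destination
  130  9100 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   42  2520 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "INPUT_DROP: "

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 168 packets, 10072 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    6   716 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED'

# Runs the audit over the constructed sample; on a live box use
#   iptables -L -v -n | audit_unlogged_drops     (as root)
run_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_unlogged_drops
}

run_sample
```

The check deliberately ignores where the LOG rule sits; a LOG rule placed at the top of the chain (as in the original script's NEW_DROPS rule) still counts, even though it logs accepted packets too. The fix for a flagged chain is a rate-limited LOG rule as the last rule before the policy, so the policy counter and the log agree.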
d***@respiranto.de
2016-05-23 22:09:50 UTC
Post by Ralph Sanchez
Also, it seems if I only allow Related and Established on OUTPUT I
cannot access the internet, 90 percent of packets get dropped when I
try to connect to anything, but allowing new established allows
connection...but also any software would be able to call home.
That is correct behaviour, since there always needs to be a NEW
connection before any other may be RELATED or ESTABLISHED. Hence, if you
want to block outgoing traffic, you should allow at least ports 80 and
443 as you did before.

I assume you want your browser to be able to call anywhere, right?
Hence also home. Who tells you that your browser is not a malicious
program? Or run by such a program?