Marco wrote: > Hi all, > > I set up my first firewall on my notebook (not running any services > reachable from outside) using iptables. Since I am new to the topic, > could you please verify if the output of 'iptables -L -v' is > considered to be a safe firewall? Thanks! >
Hi Marco, Your firewall looks good, but I would change a few things. First off, change your FORWARD chain to DROP. Unless you are doing routing on your laptop, there's no reason to have it. I would also get rid of the REJECT targets. It's better to DROP instead. If someone is scanning the network, and you start sending icmp rejections back, they will know you are there and may try other techniques to break through your defenses, but if you DROP and send nothing back, it will be much harder for them to see you at all. I would also re-write your INPUT chain to be a bit less verbose. Something like this: Chain INPUT (policy DROP 0 packets, 0 bytes) target prot opt in out source destination ACCEPT all -- lo any anywhere anywhere ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED LOG all -- any any anywhere anywhere LOG level warning prefix `INPUT ' Everything else looks good from a security standpoint. From a performance standpoint, you might want to add a line to the beginning of your output chain like this: Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes) target prot opt in out source destination ACCEPT all -- any lo anywhere anywhere ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED LOG all -- any any anywhere anywhere LOG level warning prefix `OUTPUT ' This will log only NEW packets. Otherwise you could end up with a lot of log output. After you run this for a while, go back and look through your logs and see if you have enough data there to change your OUTPUT chain to DROP, and only allow packets through to ports you actually use. That's only if you're really paranoid though. Hope that helps. Chris
