this post was submitted on 24 Dec 2025

I have been setting up stateful firewalls on various machines at home using iptables for over a year now, following the guide on the Arch Wiki: https://wiki.archlinux.org/title/Simple_stateful_firewall

I would now like to learn how to tighten security even more by not setting the OUTPUT chain policy to ACCEPT. I want to allow only that which I need, following the philosophy of least privilege or default to deny, if you will. https://www.youtube.com/watch?v=aP8j9dgpAs0

Question: is it as simple as copy-pasting the rules for the INPUT chain into the OUTPUT chain, reversing the "-s/--source" options to "-d/--destination" and changing ESTABLISHED states to NEW? My guess is... Probably not? Because I would need to add ports 80 and 443 for web browsing, for starters, right? And also any outgoing port for my torrent client? And any port that I have chosen for my ssh server? Do I need to add the loopback interface there too?

Any guidance and referral to further reading would be appreciated! Unsolicited advice to use the newer front end nftables is... Well, not sought for at this moment
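A worked default-deny OUTPUT chain, added here as an example (it is not code from the post or from the Arch Wiki guide). It assumes a desktop that needs DNS, web browsing, NTP and outbound ping, plus a torrent client that runs under its own user account given by TORRENT_UID (a placeholder). The script emits the rules in iptables-restore syntax instead of calling iptables directly, so they can be read before anything is loaded.

```shell
#!/bin/sh
# Added example: a default-deny OUTPUT chain in iptables-restore syntax.
# TORRENT_UID is a placeholder for the uid your torrent client runs as.
set -eu

TORRENT_UID="${TORRENT_UID:-1000}"

# Print the OUTPUT section of a filter table. Order matters: loopback and
# already-tracked connections first, then the few NEW connections we allow,
# then a rate-limited log of whatever the DROP policy is about to discard.
gen_output_rules() {
cat <<EOF
*filter
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m owner --uid-owner ${TORRENT_UID} -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "OUTPUT-DROP: " --log-level 4
COMMIT
EOF
}

gen_output_rules
```

Two of the questions above fall out of the rule order. The SSH server needs no OUTPUT rule at all: its reply packets belong to a connection conntrack already saw on INPUT, so they match ESTABLISHED; the same holds for peers connecting in to the torrent client. Only connections this machine initiates need NEW entries, and because a torrent client dials arbitrary remote ports, matching on the client's uid with the owner module is cleaner than opening a port range. Loopback has to be allowed explicitly, just as in the INPUT chain. Syntax-check with `sh output-rules.sh | iptables-restore --test`; note that a plain `iptables-restore` of a `*filter` section replaces the whole filter table, so merge this OUTPUT section into the existing rules file (on Arch, the one iptables.service loads) rather than loading it alone.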

[–] vudu@slrpnk.net 6 points 23 hours ago (2 children)

Hear me out. I highly suggest you check out UFW https://wiki.archlinux.org/title/Uncomplicated_Firewall which wraps iptables (or nftables)

When you use UFW and get it working the way you want you can then go look at iptables directly and see how it's implemented.

[–] FauxLiving@lemmy.world 3 points 21 hours ago (1 children)

firewalld is also a decent choice.

[–] dgdft@lemmy.world 5 points 21 hours ago (1 children)

PSA for those who haven’t read the docker docs in detail: If you run docker with UFW or any other iptables-based firewall, it will often overwrite and break your firewall rules.

Many people running containers on public hosts get burned by this, because they’re expecting their firewall to block outside traffic from hitting the container.

Firewalld is a solid alternative that does not suffer from the same failure model; highly recommend.
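An audit script for the failure mode described in this comment, added here as an example (not code from the thread or from Docker). It works on a constructed `iptables-save` dump, with made-up container address and published port, and reports whether Docker's chains are present, which ports are published through nat DNAT (and therefore never traverse INPUT, which is why UFW's input rules do not apply), and whether the DOCKER-USER chain, the one chain Docker documents as left untouched and evaluated before its own FORWARD rules, actually restricts anything.

```shell
#!/bin/sh
# Added example: audit a saved rule set for Docker-managed chains.
set -eu

# Constructed sample of `iptables-save` output on a Docker host.
# 172.17.0.2 and port 8080 are made-up values for the example.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT'

# True (exit 0) when Docker has installed its chains into this rule set.
docker_manages_rules() {
    printf '%s\n' "$1" | grep -q '^:DOCKER-USER '
}

# Print "proto port" for each port Docker publishes via DNAT in the nat
# table; such traffic is forwarded to the container and never hits INPUT.
published_ports() {
    printf '%s\n' "$1" | awk '/^-A DOCKER / && /-j DNAT/ {
        p = ""; d = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") p = $(i + 1)
            if ($i == "--dport") d = $(i + 1)
        }
        if (d != "") print p, d
    }'
}

# True when DOCKER-USER holds a rule other than Docker's default RETURN,
# i.e. the administrator has actually restricted forwarded traffic there.
docker_user_restricts() {
    n=$(printf '%s\n' "$1" | grep -c '^-A DOCKER-USER ' || true)
    r=$(printf '%s\n' "$1" | grep -c '^-A DOCKER-USER -j RETURN' || true)
    [ "$n" -gt "$r" ]
}

audit() {
    rules="$1"
    if ! docker_manages_rules "$rules"; then
        echo "no Docker chains found; host firewall rules apply as written"
        return 0
    fi
    echo "Docker chains present: published ports bypass INPUT via nat DNAT + FORWARD"
    published_ports "$rules" | sed 's/^/  published: /'
    if docker_user_restricts "$rules"; then
        echo "DOCKER-USER contains restricting rules"
    else
        echo "WARNING: DOCKER-USER only RETURNs; published ports are reachable from any source"
        echo "  fix pattern: iptables -I DOCKER-USER -i eth0 ! -s 192.0.2.0/24 -j DROP  (placeholder values)"
    fi
}

audit "$SAMPLE_RULES"
```

To run this against a live host, replace the constructed dump with `iptables-save` output. The fix pattern printed at the end is the approach Docker's own documentation describes for restricting access to published ports: rules inserted in DOCKER-USER survive Docker restarts, whereas rules in INPUT never see container-bound traffic at all.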

[–] vudu@slrpnk.net 2 points 3 hours ago

Did not know this. Thanks!

Thanks! That looks like a great way to learn what's going on "under the hood".