
#1 2010-08-14 10:40:18

Noble
Member
Registered: 2010-06-01
Posts: 63

Firewalling a roaming laptop

I use my laptop on a lot of different networks, so I think it's about time to write myself an iptables script.

Is it advisable to DROP everything by default and white-list whatever you need? What things MUST I allow in order for outgoing web and pacman to work? I'm tunneling everything through SSH (except pacman, which is on my todo list).

Cheers,
Noble


Those who give up their liberty for security,
neither deserve liberty nor freedom,
and they will lose both.
- Benjamin Franklin


#2 2010-08-14 11:58:13

mcsilva
Member
From: Portugal
Registered: 2009-12-16
Posts: 95

Re: Firewalling a roaming laptop

This could be quite a loooong discussion.
You have to choose what is good for you, but I can tell you about my own experience.
On my laptop, I DROP the INPUT and FORWARD chains and ACCEPT all other chains by default.
Then I allow connection-tracking in the INPUT chain.
It is not a very restrictive firewall, but this is my choice because it is very simple and effective for a laptop computer with only one user.
With this type of firewall you can use your ssh tunnels, and outgoing web and pacman work, while all inbound connections are blocked.

This is an example of this type of firewall:

#!/bin/sh
# Start from a clean slate: flush all rules and delete user-defined chains
# in the filter, nat and mangle tables.
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X
iptables -X -t nat
iptables -X -t mangle

# Default policies: drop anything inbound or forwarded, allow everything out.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT

# Enable loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Enable connection-tracking: accept replies to connections this host opened.
# ("-m state --state" is the older spelling of "-m conntrack --ctstate".)
# This rule is bound to wlan0; drop "-i wlan0" if you also use a wired
# interface, otherwise replies arriving on eth0 hit the DROP policy.
iptables -A INPUT -i wlan0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT


#3 2010-08-14 23:02:37

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: Firewalling a roaming laptop

The example mcsilva has given should be fine for most roaming laptops. You might want to allow rate-limited ICMP as well:

iptables -A INPUT -p icmp -m limit --limit 10/sec -j ACCEPT

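The default-deny ruleset described in the two replies above (DROP on INPUT and FORWARD, loopback and conntrack ESTABLISHED,RELATED accepted, rate-limited ICMP), written out as an added example that is not part of the thread. It goes beyond the posts in two ways: the ruleset is emitted in iptables-restore format so that it loads atomically (a script of sequential "iptables" calls has a window between the flush and the first ACCEPT in which the policy is wrong, and leaves you half-firewalled if it aborts midway), and it carries an IPv6 counterpart, because the IPv4 ICMP rule does not transfer to ip6tables unchanged: without neighbour discovery and router advertisements an IPv6 host cannot even acquire an address. Assumptions: iptables-restore and ip6tables-restore are installed and support --test; the interface is deliberately not named, since a roaming laptop may be on wlan0 one day and eth0 the next; ALLOW_SSH_FROM is an optional, hypothetical environment variable holding a CIDR to admit inbound SSH from (unset means no inbound SSH at all).

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny ruleset for a roaming
# laptop, generated as iptables-restore text so it can be reviewed without
# root and loaded atomically. ALLOW_SSH_FROM (optional CIDR) is an assumption
# of this example, not something the thread defines.

# IPv4 ruleset. Lines starting with '#' are comments to iptables-restore.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is trusted.
-A INPUT -i lo -j ACCEPT
# Drop what conntrack cannot classify before it can match anything below.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies to connections this host opened (web, pacman, ssh tunnels).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Answer pings, rate-limited (burst of 5 is the iptables default).
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/sec -j ACCEPT
EOF
    # Optional inbound SSH, only from the given network and only NEW state;
    # everything else inbound falls through to the DROP policy.
    if [ -n "${ALLOW_SSH_FROM:-}" ]; then
        printf '%s\n' "-A INPUT -p tcp --dport 22 -s $ALLOW_SSH_FROM -m conntrack --ctstate NEW -j ACCEPT"
    fi
    printf 'COMMIT\n'
}

# IPv6 ruleset. RFC 4861 requires hop limit 255 on neighbour discovery
# messages, so anything with another hop limit has been routed and is dropped.
build_ruleset6() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Neighbour discovery and router advertisements: needed to get an address.
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 10/sec -j ACCEPT
EOF
    printf 'COMMIT\n'
}

# Parse each ruleset with --test first (no changes made), then commit it.
# iptables-restore swaps the whole table in one step, so there is no moment
# with an empty INPUT chain under a DROP policy, or with no policy at all.
apply_rulesets() {
    build_ruleset  | iptables-restore  --test && build_ruleset  | iptables-restore
    build_ruleset6 | ip6tables-restore --test && build_ruleset6 | ip6tables-restore
}

# Only touch the kernel when explicitly asked: "sh firewall.sh apply".
# Without an argument the script just defines the functions above.
case "${1:-}" in
    apply) apply_rulesets ;;
esac
```

To review what would be loaded, run the script without arguments and call `build_ruleset` (or pipe it through `iptables-restore --test`); to load it, run it as root with `apply`. The ESTABLISHED,RELATED rule is not tied to an interface, so the same file works on wired, wireless and tethered links.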
