
Double hop OpenVPN, Tap adapters, IPTables, sandboxing

Off-Topic discussions about science, technology, and non-Debian-specific topics.
BadGoy
Posts: 5
Joined: 2014-12-18 03:24

Double hop OpenVPN, Tap adapters, IPTables, sandboxing

#1 Post by BadGoy »

I would like to build a secure system that meets or exceeds the level of security my Win7 Enterprise system provides me. I will be basing it on Parrot OS 1.6 x64 DVD, although I am doing my current testing/studying on Kali. Both are Debian-based and run Gnome.

Current Windows box:
- Sandboxie (for sandboxing browser, PDFs, flash, keygens, etc)
- Strict firewall rules (Comodo) which block non-VPN connections via the TAP adapter's MAC address and block ALL connections without an application-specific rule allowing them.
- Two concurrent instances of OpenVPN (inner no GUI, outer GUI) that do not allow my "OuterVPN" provider to know my real IP address.
- Full disk encryption - already implemented including swap with Twofish - would prefer the bootloader and /boot to be on an external flash drive
- If there is an option for encrypting RAM, I would love that. https://github.com/0xPoly/Centry this will be sufficient though, if not.
- List based IP blocking (PeerGuardian)
- A secure browser with script blocking, etc...
- DNSCrypt

This will be an ongoing process, but I hope to get the basics set up (vpn, firewall, DNSCrypt) within the next few weeks. I need to set up the firewall before I connect to the internet to download any packages.

Starter Questions:

- How can I set up my firewall in this manner (app-specific and block by default)? Is iptables sufficient? Can someone give me an example command that restricts connections by MAC?

- Has anyone set up a dual hop OpenVPN setup before? Are there issues running two instances of OpenVPN? How can I manage TAP adapters for two instances of OpenVPN?

- Any other tips or suggestions for a cypherpunk moving to Linux?

BadGoy
Posts: 5
Joined: 2014-12-18 03:24

Re: Double hop OpenVPN, Tap adapters, IPTables, sandboxing

#2 Post by BadGoy »

FORUM POST 80 000

what do I win?

reserved post.

BadGoy
Posts: 5
Joined: 2014-12-18 03:24

Re: Double hop OpenVPN, Tap adapters, IPTables, sandboxing

#3 Post by BadGoy »

Does debian have native USB drivers? How can I deal with the potential of USB malware (as obscure as that is)?

Also, a simple one to get us started:

What iptables rules would I need to block all inbound/outbound, allow for joining a wifi network, and allow apt-get to make requests on port 443? (If it needs to use 80, then how can I protect from MITM attacks?)
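The two firewall questions in this thread (post #1: block by default, restrict by MAC; post #3: block everything, allow joining wifi and apt over 443) can be answered with one default-deny ruleset. The script below is an added example, not code posted in the thread: it writes a ruleset in iptables-restore format for the bootstrap phase before any VPN is up. The interface name, the resolver address (203.0.113.53, a documentation-range placeholder) and the DHCP server's MAC are assumptions passed as arguments. Note the point about MAC matching: iptables can match a source MAC only on INPUT (and FORWARD), because locally generated packets have no source MAC yet when OUTPUT rules run, so the "VPN only" restriction on outbound traffic is done per interface with `-o tun0` rather than by MAC. On the port 80 question: apt verifies the GPG signature on the repository's Release file, so a mirror tampered with on the wire is detected rather than installed, even over plain HTTP.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates a default-deny iptables
# ruleset (iptables-restore format) for the bootstrap phase: obtain a DHCP
# lease on the wifi link, reach one chosen resolver, and let apt fetch over
# TCP 443; everything else is dropped and logged. Interface name, resolver
# address and DHCP server MAC are placeholders passed as arguments.
#
# usage: gen_bootstrap_rules PHYS_IF RESOLVER_IP DHCP_SERVER_MAC
gen_bootstrap_rules() {
    phys="$1"
    resolver="$2"
    dhcp_mac="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback: local daemons such as dnscrypt-proxy listen on 127.0.0.1.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections this host opened; nothing unsolicited gets in.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP: wifi association happens below IP, but the lease needs UDP 67/68.
# The MAC match is only valid on INPUT; locally generated packets have no
# source MAC yet, so outbound restriction is done per interface with -o.
-A OUTPUT -o $phys -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $phys -p udp --sport 67 --dport 68 -m mac --mac-source $dhcp_mac -j ACCEPT
# DNS only to the one resolver this host is configured to trust.
-A OUTPUT -o $phys -p udp -d $resolver --dport 53 -j ACCEPT
-A OUTPUT -o $phys -p tcp -d $resolver --dport 53 -j ACCEPT
# apt over HTTPS during bootstrap; once the tunnel is up this rule moves to -o tun0.
-A OUTPUT -o $phys -p tcp --dport 443 -j ACCEPT
# Log (rate-limited) what the DROP policy is about to discard.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-out-drop: "
COMMIT
EOF
}

# Number of ACCEPT rules in the generated set; a quick sanity check before
# loading it with: gen_bootstrap_rules wlan0 203.0.113.53 00:11:22:33:44:55 | iptables-restore
count_accept_rules() {
    gen_bootstrap_rules "$@" | grep -c -- '-j ACCEPT'
}

# Returns 0 when no ACCEPT rule names the given destination port (e.g. 80
# must stay closed in the bootstrap set), 1 when some ACCEPT rule opens it.
port_is_closed() {
    port="$1"
    shift
    if gen_bootstrap_rules "$@" | grep -- '-j ACCEPT' | grep -q -- "--dport $port "; then
        return 1
    fi
    return 0
}
```

Load the output with `iptables-restore` as root (after reviewing it), and persist it with the `iptables-persistent` package so the policy is in place before the network comes up on the next boot. Dropped packets appear in the kernel log with the `fw-in-drop:` / `fw-out-drop:` prefixes, which is how to find out which extra rule a given program needs instead of opening ports speculatively.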

BadGoy
Posts: 5
Joined: 2014-12-18 03:24

Re: Double hop OpenVPN, Tap adapters, IPTables, sandboxing

#4 Post by BadGoy »

Even with DNSCRYPT, regular HTTP requests can be MITM attacked by the NSA.

Are you people telling me, by your silence, that with a balls out top of the line secure system setup, that Debian is going to be less safe than Windows?

If that's the case.... you people should re-evaluate your lives.

BadGoy
Posts: 5
Joined: 2014-12-18 03:24

Re: Double hop OpenVPN, Tap adapters, IPTables, sandboxing

#5 Post by BadGoy »

Is there a better forum I should take this to?

I used to be a regular lurker on Wilders, but that place went downhill.

n_hologram
Posts: 459
Joined: 2013-06-16 00:10

Re: Double hop OpenVPN, Tap adapters, IPTables, sandboxing

#6 Post by n_hologram »

BadGoy wrote:Even with DNSCRYPT, regular HTTP requests can be MITM attacked by the NSA.

Are you people telling me, by your silence, that with a balls out top of the line secure system setup, that Debian is going to be less safe than Windows?

If that's the case.... you people should re-evaluate your lives.

I've always felt that the appeal of Linux was running a less-secure system than Windows.

bester69 wrote:There is nothing to install in linux, from time to time i go to google searching for something fresh to install in linux, but, there is nothing
the crunkbong project: scripts, operating system, the list goes on...
