IPtables peer review

Linux Kernel, Network, and Services configuration.
Hallvor
Global Moderator
Posts: 2042
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 149 times
Been thanked: 212 times

IPtables peer review

#1 Post by Hallvor »

I am trying to make some basic rules for a desktop computer firewall that will be easy to set up and offer basic security. If there is something I should change, please don't hesitate to let me know.

Code:

#Allow localhost connections to the loopback interface
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A INPUT -i lo -j ACCEPT

#Allow established sessions to receive traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Allow all outbound connections
iptables -A OUTPUT -j ACCEPT

#Log iptables denied calls (this rule must come before the final DROP, otherwise it is never reached)
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#Drop all other incoming network traffic
iptables -A INPUT -j DROP
[HowTo] Install and configure Debian bookworm
Debian 12 | KDE Plasma | ThinkPad T440s | 4 × Intel® Core™ i7-4600U CPU @ 2.10GHz | 12 GiB RAM | Mesa Intel® HD Graphics 4400 | 1 TB SSD

koanhead
Posts: 109
Joined: 2013-06-20 16:54

Re: IPtables peer review

#2 Post by koanhead »

Your iptables setup looks more or less like mine, which is mostly cribbed from here:

https://wiki.debian.org/iptables

except that I am allowing certain services from the local subnet. It looks like those rules are for a non-NATed computer with only one network connection, the one connected to your ISP's network. For that use case, it looks OK to me.

Hallvor
Global Moderator
Posts: 2042
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 149 times
Been thanked: 212 times

Re: IPtables peer review

#3 Post by Hallvor »

koanhead wrote:
except that I am allowing certain services from the local subnet. It looks like those rules are for a non-NATed computer with only one network connection, the one connected to your ISP's network. For that use case, it looks OK to me.

Could you please elaborate? Is there a problem using this configuration on e.g. a public wifi?

koanhead
Posts: 109
Joined: 2013-06-20 16:54

Re: IPtables peer review

#4 Post by koanhead »

No, you should be fine on a public wifi, as long as you don't want to provide any services. If you don't know whether or not you want to do that, then you don't want to.
This computer is on a static, wired network, and providing some services to that LAN.
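The two variants discussed in this thread, the locked-down public-wifi ruleset from post #1 and the "services only from the local subnet" variant koanhead describes, as one added example (not code from either poster). It emits an iptables-restore file so the whole set is loaded atomically, keeps the LOG rule ahead of the final DROP so denied packets actually get logged, and adds a check for that ordering; the LAN network and port list are constructed placeholders.

```shell
#!/bin/sh
# Builds an iptables-restore ruleset for a single-interface desktop.
# Assumed (constructed) inputs: a LAN network such as 192.168.1.0/24 and a
# space-separated TCP port list. Pass empty strings on public wifi so that
# no service is exposed at all.

gen_rules() {
    lan_net=$1
    lan_ports=$2
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback: accept on lo, reject packets addressed to 127/8 that arrive elsewhere
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT'
    # Replies to connections this host opened
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Services offered to the trusted LAN only; skipped entirely when lan_net is empty
    if [ -n "$lan_net" ]; then
        for p in $lan_ports; do
            printf '%s\n' "-A INPUT -s $lan_net -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        done
    fi
    # LOG has to precede the final DROP; placed after it, the rule is never reached
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7'
    printf '%s\n' '-A INPUT -j DROP'
    printf '%s\n' 'COMMIT'
}

# Reads a ruleset on stdin; exits 0 only if a LOG rule comes before the INPUT DROP
log_before_drop() {
    awk '/-j LOG/ { l = NR } /-A INPUT -j DROP/ { d = NR }
         END { exit !(l && d && l < d) }'
}
```

Review the output first with `gen_rules 192.168.1.0/24 "22 445" | iptables-restore --test`, then load it with `iptables-restore` as root.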

Hallvor
Global Moderator
Posts: 2042
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 149 times
Been thanked: 212 times

Re: IPtables peer review

#5 Post by Hallvor »

Thank you. That makes sense.