Taming the Wild Netfilter
Using Netfilter's stateful rules, you can actually increase the security of your home system with less effort by making judicious use of its connection tracking. Many more options are also available to you. This article scratches only the surface. I recommend you make use of Rusty's Unreliable Guides available on the Netfilter site (mentioned earlier).
For home users with simple needs, keep your firewall simple. I do not recommend most firewall tools and scripts because they layer unnecessary complexity into your firewall. If you don't understand a rule, don't implement it. The first three stateful rules (using the -m state rule) will keep you in good stead. If an attacker has already been in and compromised a system, the rules won't help. They also won't protect you against e-mail-based trojans, but they will protect against direct attacks. I suggest, if you don't use IRC, you log and drop outgoing IRC connections:
$IPT -j filter -I tcprules -p tcp --destination-port 6667 -j LOG --log-prefix "IRC attempt " $IPT -j filter -I tcprules 2 -p tcp --destination-port 6667 -j DROP
Also, if you don't need anyone entering your network, don't open any ports (as we did in our second example). This article did not discuss how to segregate your network properly to isolate internet-accessible systems from trusted internal systems. If you require this level of complexity, and your risk assessment asks for it, it might be time to call for knowledgeable help.
|Nightfall on Linux||Oct 26, 2016|
|Daily Giveaway - Fun Prizes from Red Hat!||Oct 25, 2016|
|Installing and Running a Headless Virtualization Server||Oct 25, 2016|
|Ubuntu MATE, Not Just a Whim||Oct 21, 2016|
|Non-Linux FOSS: Screenshotting for Fun and Profit!||Oct 20, 2016|
|Nasdaq Selects Drupal 8||Oct 19, 2016|
- Nightfall on Linux
- Installing and Running a Headless Virtualization Server
- Secure Desktops with Qubes: Compartmentalization
- Ubuntu MATE, Not Just a Whim
- Daily Giveaway - Fun Prizes from Red Hat!
- Nasdaq Selects Drupal 8
- Non-Linux FOSS: Screenshotting for Fun and Profit!
- Canonical Ltd.'s Ubuntu Core
- Build Your Own Raspberry Pi Camera
- Polishing the wegrep Wrapper Script