Hi, I personally do not block outbound traffic at all, which in my opinion does not impose a significant risk.
Furthermore, I do not see a good reason to allow all NEW connections while blocking most RELATED ones. Usually it is done the other way round: you decide upon a NEW connection whether it shall be allowed and then you allow all RELATED traffic to pass as well.

In general I can only recommend the guides I (mainly) used:

https://www.linode.com/docs/security/securing-your-server/
https://wiki.archlinux.org/index.php/Simple_stateful_firewall
http://serverfault.com/questions/84963/why-not-block-icmp

By the way, is this a non-server machine? If so, why do you care about the ports 80 and 443?

On 2016-05-23 01:30, Ralph Sanchez wrote:
> Hello All, I have taken up to writing this bash script to change my
> iptables rules. It seems the only issue I've found is that it seems to
> not want to connect to certain websites at some moments and not
> others, or generally but sometimes it lets it through without
> changing anything. This completely stops if I add RELATED to my OUTPUT
> ACCEPT next to NEW, just not sure how that impacts security exactly.
>
> Also, any advice on making this script better, or stronger per
> security, would be appreciated as this is both my first time scripting
> in bash from scratch and my first IPTABLES venture.
>
> Oh, and don't mind the echo lines, those are solely for my
> entertainment upon running.
>
> #!/bin/sh
>
> IPT=/sbin/iptables
> IP6=/sbin/ip6tables
> echo "[+] ENTRY PLUG EJECTED, READY FOR PILOT ENTRY"
> read OK
>
> echo " $OK ENTRY PLUG INSERTION COMPLETE"
>
> echo "[+] Flooding the cockpit with LCL. Don't try and hold your breath, just breath normal. It's weird at first, but you'll get used to it "
>
> $IPT -F
>
> $IPT -F -t nat
>
> $IPT -X
>
> echo "[+] Synch ratio 99%, within permissable parameters..."
>
> $IP6 -P INPUT DROP
>
> $IP6 -P FORWARD DROP
>
> $IP6 -P OUTPUT DROP
>
> $IPT -P INPUT DROP
>
> $IPT -P FORWARD DROP
>
> $IPT -P OUTPUT DROP
> ## INPUT Rules ###
>
> echo "[+] AT Field is active, moving EVA UNIT 1 to elevator 24..."
>
> $IPT -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID_DROPS" --log-ip-options --log-tcp-options
>
> $IPT -A INPUT -m conntrack --ctstate NEW -j LOG --log-prefix "NEW_DROPS" --log-ip-options --log-tcp-options
>
> $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
>
> $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
>
> $IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>
> $IPT -A INPUT --in-interface lo -j ACCEPT
>
> $IPT -A INPUT -p tcp --dport 443 -j ACCEPT
>
> $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
>
> ## FORWARD Rules ##
>
> #$IPT -A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID_FORWARD" --log-ip-options --log-tcp-options
>
> #$IPT -A FORWARD -i lo -j ACCEPT
>
> #$IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
>
> #$IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> ## OUTPUT Rules ##
>
> echo "[+] It's up to you now, Shinji..."
>
> $IPT -A OUTPUT --out-interface lo -j ACCEPT # Allows ALL Loopback traffic
>
> $IPT -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT # Only allow NEW connection outbound.
>
> $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT # Allows Privoxy via HTTP and HTTPS
>
> $IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT # ACCEPT outbound https
>
> $IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT # ACCEPT outbound http (DO NOT LEAVE ACTIVE!)
>
> $IPT -A OUTPUT -m owner --uid-owner root -j ACCEPT # Allows ALL root requests
>
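The ordering the reply describes (decide once on each NEW connection, then let RELATED,ESTABLISHED packets of accepted connections through), written out for the OUTPUT chain as an added example that is not part of either message. It reuses the `privoxy` owner rule and the 80/443 ports from the quoted script; the UDP 53 rule for DNS is an assumption added here. It only prints the commands unless `APPLY=1` is set and it runs as root.

```shell
#!/bin/sh
# Added example: stateful OUTPUT chain in the order the reply recommends.
# By default the iptables commands are printed; APPLY=1 (as root) runs them.
IPT=${IPT:-/sbin/iptables}

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$IPT" "$@"
    else
        printf '%s\n' "$IPT $*"
    fi
}

output_rules() {
    run -P OUTPUT DROP
    run -A OUTPUT -o lo -j ACCEPT
    # Packets that continue an already-accepted connection, and RELATED ones
    # such as ICMP errors for it, pass here without any per-port decision.
    run -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run -A OUTPUT -m conntrack --ctstate INVALID -j DROP
    # Only NEW connections reach the rules below, so this is the one place
    # where the allow/deny decision is made.
    run -A OUTPUT -m conntrack --ctstate NEW -p udp --dport 53 -j ACCEPT   # assumed: DNS
    run -A OUTPUT -m conntrack --ctstate NEW -p tcp --dport 443 -j ACCEPT
    run -A OUTPUT -m conntrack --ctstate NEW -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
    # Anything else that is NEW is logged and then hits the DROP policy.
    run -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix NEW_OUT_DROPS
}

# Returns 0 when the RELATED,ESTABLISHED accept precedes the first NEW rule,
# i.e. when the chain is in the stateful order described above.
check_order() {
    output_rules | awk '/RELATED,ESTABLISHED/ {est=NR}
                        /ctstate NEW/ && !new {new=NR}
                        END {exit !(est && new && est < new)}'
}

output_rules
```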

