I have set up a basic firewall on my laptop with iptables following a tutorial. Here is my output from iptables -vL:


I am just wondering if this seems like a decent firewall. Any input would be appreciated.

it actually depends on you what are your needs and what you are expecting your firewall to allow, redirect or reject.

I don't really have a major need for much security wise, I don't deal with any sensitive data or do any banking or anything on this laptop. I am just teaching myself this stuff out of boredom mostly. As far as what I'd like to accomplish with a firewall is block everything but basic internet access. I have no need for any remote access. One thing I've been wondering is if I could use the output chain to help protect against things like a man in the middle attack.

Simple firewall could look like this:

What is the point of adding anything to the output chain while leaving the default behavior as accept?

Tracking as the rule implies.

1 members found this post helpful.

Ok I see. When I run conntrack -L with my current set up after connecting to a web page I do see mostly connections of udp and tcp protocol and, forgive me for my ignorance, I wonder how this simple firewall handles those as well as any other new input connections. As I said previously I don't have a major need for this, it's more just for the fun of learning to me, So I am more concerned about understanding the concepts than just being shown a basic setup. Thanks again for any input.

There are 2 types of firewall states, Connection tracking and Connectionless.

With the ESTABLISHED,RELATED rule the kernel will look in the connection table for a previous connection. If it is there then it allows the traffic to continue without consulting the rest of the rules for a matching one.

The non-tracking firewall doesn't consult the connection tables for a previous connection and thus must read and apply the rules for every packet.

With the above lets take a look at an FTP connection. We will call the connection tracking firewall FirewallA and the connectionless firewall FirewallB. All the commands below are abbreviated.

On FirewallA you setup the following:
INPUT ESTABLISHED,RELATED ACCEPT
INPUT -p 21 NEW ACCEPT
And loaded "ip_conntrack_ftp"

On FirewallB you setup the following
INPUT -p 21 ACCEPT

Now you have a client that wants to connect to FTP on port 21.

On FirewallA the first packet will be applied to all the rules until one is found that matched. Once a matching rule is found it will be handled according to the rule. In this case it is allowed so it places the connection into the conntrack DB. Every subsequent packet will now match the EASTBLISHED rule and bee allowed automatically.

On FirewallB the first packet will be applied to every rule until one is found that it matches. Once a matching rule is found it will be handled according to the rule. Every subsequent packet will need to go through the same process each and every time.

Now the client decides to transfer data over his FTP connection.

On FirewallA because we loaded the "ip_conntrack_ftp" and we have the RELATED rule, port 20 (for the Data transfer) is automatically allowed.

On FirewallB we don't have port 20 allowed so the client will not be able to transfer data over FTP. To allow the data transfer you now need to add a rule for port 20 to allow it. Because we are not doing connection tracking anyone can not connect to port 20 without having to go through port 21 first.

I hope I was able to give you some useful information and I hope this shows you some benefits to using connection tracking over connetionless.

1 members found this post helpful.

Thank you lazydog for that useful information. I can see that connection tracking does make things simpler. However I am still left with the question about how the example you showed earlier handles any new connection. I will prob try testing some different setups including your example now that I understand things a bit better, but that prob won't happen until tomorrow. Thanks again for taking the time to explain things to me.