I finally took the time to put together a (hopefully) neat iptables script which I intend to execute via init.d just after networking.
I have two problems with my current solution:
1) Ideally I'd start the firewall script prior to networking and not after it. However it tries to detect my outgoing interface - which is ppp0 - but fails because networking has not yet been started. Is there any way to work around this apart from removing this check from the script?
2) A far worse problem... My external IP address on ppp0 is assigned dynamically. However, prior to the connection the IP on this interface is temporarily set to 192.168.1.99. As my script tries to detect ppp0's IP address and sets rules accordingly, all those rules have the wrong address in them, because the IP is changed as soon as I actually do connect. This causes my firewall to render my connection unusable. I use dial-on-demand, so the connection is not started at boot time but rather when I first issue some request (ping, browsing, etc.).
At the moment I have no other solution but to set everything to DROP at boot time and to start the firewall script manually as soon as I have got an IP address assigned. This is rather inconvenient, as you might imagine.
Is there any way to improve the situation?
Any suggestions are greatly appreciated!
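As an added example (not the poster's script), one way to make the rules independent of whatever address pppd assigns, so that the boot-time load and the dial-up reload produce the same rule set; it assumes ppp0 is the external interface, eth0 is a hypothetical LAN interface, and that the file is installed where pppd runs its ip-up hooks (on Debian, /etc/ppp/ip-up.d/). Because nothing in it depends on the link being up, the same script can also run at boot before networking, which removes the need to detect ppp0 beforehand.

```shell
#!/bin/sh
# Added example, not the poster's script: an iptables rule set that never
# embeds the ppp0 address, plus the pppd hook that (re)applies it when the
# link actually comes up. Assumed names: WAN ppp0, LAN eth0 (hypothetical);
# install as /etc/ppp/ip-up.d/10-firewall on a Debian-style layout.
IPT=${IPT:-iptables}

# Emit the rules as text, one per line, so they can be checked before loading.
# Every rule matches on the interface (-i/-o) and NAT uses MASQUERADE, which
# reads the current ppp0 address per packet, so the temporary 192.168.1.99
# seen before dial-up never gets baked into a rule.
build_rules() {
    wan=$1; lan=$2
    cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-t nat -A POSTROUTING -o $wan -j MASQUERADE
EOF
}

# Return 0 only if no rule contains a dotted-quad literal, i.e. the rule set
# is independent of whatever address pppd hands out.
rules_are_address_free() {
    ! build_rules "$1" "$2" | grep -q '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*'
}

# Flush and load. Safe to run at boot (link not up yet) and again from ip-up.
apply_rules() {
    rules_are_address_free "$1" "$2" || { echo "refusing: literal address in rules" >&2; return 1; }
    $IPT -F; $IPT -t nat -F; $IPT -X
    build_rules "$1" "$2" | while read -r rule; do
        $IPT $rule   # unquoted on purpose: each line is one argument list
    done
}

# pppd runs ip-up hooks as: <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>.
# React only to the dial-up link; $4 carries the new address should a rule need it.
case "${1:-}" in
    ppp0) apply_rules ppp0 eth0 ;;
esac
```

For the boot-time load, call apply_rules ppp0 eth0 from the init script instead of relying on the pppd arguments.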