Now to block all in/out traffic? (except for Palemoon)

4ML220 · 08-25-2021, 07:04 AM

Cloud you help me please with the settings 4Mlinux 37 x64 - how can I block all in/out traffic for LAN, WLAN, Bluetooth, except for Palemoon?
Thank you.

ferrari · 08-26-2021, 03:02 PM

A couple of suggestions from me (not complete solutions)...

1) It is possible to construct an iptables rule to drop all traffic apart from a given group (gid) such that palemoon could still access the internet. For example, create the group "internet-group" and iptables similar to the following...

Code:

iptables -P INPUT DROP 
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner internet-group -j ALLOW

You would need to execute palemoon with the sg command (or make a desktop shortcut)...

Code:

sg internet-group palemoon

2) Not application-specific, but just block all traffic except for web-traffic. For example...

Code:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

3) Have look at using OpenSnitch (application-level firewall) in addition to your kernel-based firewall....

https://linuxsecurity.expert/tools/opensnitch/
https://itsfoss.com/opensnitch-firewall-linux/
https://www.linuxuprising.com/2018/0...plication.html