
Re: Request for comments: iptables script for use on laptops.

  iptables -A INPUT  -j ACCEPT -s 127.0.0.1      # local host
  iptables -A OUTPUT -j ACCEPT -d 127.0.0.1

Correct me if I'm wrong, but I think this would also allow incoming
traffic from 127.0.0.1 to the eth0 interface. So somebody spoofing
his IP address to appear to be 127.0.0.1 could send _any_ traffic
to you and you would ACCEPT it, basically rendering the firewall
useless. Did I miss anything?

The following should be better, as it only allows traffic to/from the
loopback interface (but not eth0 or what have you)...

iptables -A INPUT -i lo -j ACCEPT   # match by interface, not by address
iptables -A OUTPUT -o lo -j ACCEPT


  iptables -A INPUT  -j ACCEPT -s 192.168.0.0/28 # allow 192.168.0.0-15 (a /28 is 16 addresses; .1-.7 would be a /29)
  iptables -A OUTPUT -j ACCEPT -d 192.168.0.0/28

IP-based blocking of traffic is almost always not a good idea. Same
reason as above - IPs are easily faked, so any intruder could
pretend to be 192.168.0.2 and would bypass the firewall.


Glad to get some replies, would also like more on Uwe's script.

As to the above: first, my computers are hidden behind a router, which should give me lots of (I hope) protection.

As to localhost: when I do it your way and execute "iptables -L" I get
"ACCEPT all -- anywhere anywhere", while with mine I get "ACCEPT all -- anywhere localhost.localdomain". The former disturbed me some time ago; it looked like anyone can do anything, so I changed it.

As to some of the items which I opened up, it looked like I needed them to perform some functions. I like your method of allowing stuff to flow only if the session is established, but I lack info on that, and hopefully I can learn from the scripts of others.
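An added example (editor's code, not the script under discussion and not Uwe's): a minimal laptop rule set in the shape the earlier reply describes, with loopback matched by interface rather than address, loopback addresses dropped when they arrive on any other interface, and inbound traffic limited to replies to connections the laptop itself opened. The `ipt` wrapper and the `DRY_RUN`/`APPLY` variables are this example's own; `-m conntrack --ctstate` is the current name of the match that older scripts write as `-m state --state`.

```shell
#!/bin/sh
# Laptop firewall skeleton (added example, not the original poster's script).
# DRY_RUN=1 prints the rules instead of applying them, so the rule set can be
# reviewed without root and without a kernel that has netfilter.
set -eu

# Wrapper: print the command in dry-run mode, otherwise run the real iptables.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

laptop_rules() {
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # Match loopback by interface, not by address: a packet claiming 127.0.0.1
    # as its source can arrive on eth0, but it cannot arrive on lo.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # The spoofing case from the thread: loopback addresses on any other
    # interface are bogus, so drop them explicitly.
    ipt -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

    # Drop packets the connection tracker cannot classify at all.
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Stateful part: only replies to connections this host opened come in.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The laptop may open new outbound connections; their replies match above.
    ipt -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

    # Everything else: log a little, then fall through to the DROP policy.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ipt-drop: "
}

# Default is to print the rule set; APPLY=1 (as root) installs it for real.
case "${APPLY:-dry}" in
    1)   laptop_rules ;;
    *)   DRY_RUN=1 laptop_rules ;;
esac
```

Run `sh laptop-fw.sh` to see the rules it would install and `APPLY=1 sh laptop-fw.sh` as root to install them. When checking the result, use `iptables -L -v -n`: plain `iptables -L` omits the interface column, which is why the `-i lo` rule shows up as "ACCEPT all -- anywhere anywhere" even though it only matches packets on lo.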
