
Re: New to iptables



While your computer should be protected by a firewall (I use shorewall for that), maybe you should look at privoxy. Privoxy is a Privacy Enhancing Proxy that the browser can be set to go through to access web sites.

The privoxy setup for your sand-boxed install would be set to allow access only to the banking sites by URL and block all others. That way you don't have to worry about the IP addresses a bank might have at the time you access it (they may have multiple addresses for load sharing, for example). Again, the sand-boxed install should have a firewall that only lets outgoing requests get through and blocks all incoming probes. Shorewall can easily do this for you so you won't have to mess with the workings of iptables.

Your open install should also use privoxy with a more open setup that will help you stay away from malware and ad sites. Shorewall firewall can be set to allow incoming access to any servers you might have, like ssh, and let outgoing requests get through.

If your computer has a processor that will support virtual machines and at least 4GB RAM and a spare 20G or so of file space, you could easily install Debian in a VM and add all the firewall and privoxy rules to get to your banking sites. KVM/QEMU and virtual machine manager make this process easy. To get to your banking sites you would just spin up the sand-boxed VM. It would show up in a separate window and allow you to have all the other stuff you were doing on your host un-sand-boxed machine still visible. It might even make more sense to make the VM be your "dirty" so that if it did get infected you would just install Debian again. Or keep a spare copy of the just-installed image file that the VM runs off of and simply copy the spare over the messed-up image file and be back in business in a few minutes.

These are just a few examples of what you can do. I use VMs all the time, mostly for testing updates before I commit them to my host desktop machine. One VM even runs my weather station software 24/7.

 
...Bob
On 01/04/2017 11:54 AM, Richard Owlett wrote:
I'm searching for an introduction to iptables that leads me to answers to the questions *I* have. I've got a flock of links I'm working thru.


In the meantime I have a few questions.

One of the links led to _Securing Debian Manual_ and in particular
"Appendix F - Security update protected by a firewall"
{https://www.debian.org/doc/manuals/securing-debian-howto/ap-fw-security-update.en.html}

I follow the description as far as it goes - i.e. access is limited to a specific URL.
QUESTION 1
What happens if the URL is not "security.debian.org" but my bank?
I assume that there is no problem with links within the same domain.
I DO know, however, that the site gets information from other sites to handle my requests. From what I can follow they are javascript applets (right word) to display information. What would happen?

Because of my uncertainties I intend to have a "sandboxed" install. The associated partition will have only Debian and the browser.

Question 2
There will be a separate install of Debian that I will use for "everything else". Can the iptables of that install be set to allow access to any domain *EXCEPT* my bank's? The goal being minimization of "operator error".

Question 3
Is there a simple-minded tool that I could enter the show in the example in "Appendix F"?

TIA
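
An added illustration, not part of either message above: the "allow only the banking sites, block all others" Privoxy setup described in the reply, written as a `user.action` fragment for the sand-boxed install. The domains `bank.example` and `static.bank-cdn.example` are placeholders, not real bank hosts.

```conf
# user.action fragment for the sand-boxed install (added example).
# Privoxy applies every section whose pattern matches a request, in
# file order, so a later section overrides an earlier one.

# 1. Default deny: the pattern "/" matches every URL.
{ +block{Sandbox profile: only banking sites are allowed.} }
/

# 2. Allow the bank's own domain. The leading dot matches the domain
#    itself and all of its subdomains (www., online., and so on).
#    bank.example is a placeholder.
{ -block }
.bank.example

# 3. Third-party hosts the bank's pages pull scripts or data from
#    (Question 1 in the quoted message). Until such a host is listed
#    here its requests are blocked and parts of the page may not load.
#    static.bank-cdn.example is a placeholder.
{ -block }
.static.bank-cdn.example

# Note: for https:// sites Privoxy normally sees only the host name in
# the browser's CONNECT request, so rules for banking sites should match
# on the domain as above; a pattern with a path would not be evaluated
# for those requests unless HTTPS inspection is enabled.
```

Setting `debug 1024` in Privoxy's main configuration file logs each request it refused and the reason, which is one way to find the third-party hosts that section 3 needs to list.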




