
Thursday, 3 June 2010

Setting up a personal SOHO firewall

I want to create a firewall for my laptop. As you may recall from the previous post, I have a Dell Inspiron 11z running Fedora 12 (64-bit). I will use iptables for this purpose.
A firewall must be configured according to the needs of the home or company. In my case, my network habits involve the following:

  • Torrent downloading
  • Chat (MSN and GTalk)
  • Hosting an SSH server
  • Hosting an SMB server
  • Accessing SSH on other machines
As a network security guy, I worry about the health and exposure of my equipment, so I include some items to help guarantee that it is safe:

  • Must not send echo-replies, but must be able to ping other hosts
  • Must not send port-unreachable and host-unreachable messages, so that services stay hidden
You must remember that functionality is important, so the rules should not be so tight that it becomes difficult to use the equipment and its services.

The configuration script goes as follows:

#!/bin/bash

# purpose: SOHO firewall
# pending June 3: do not send messages to dmesg
# pending June 4: execute at boot

IPTABLES="/sbin/iptables"

# Flush all rules
$IPTABLES -F

# Set default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Incoming external traffic
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT ## ICMP replies to our own pings
$IPTABLES -A INPUT -p udp --sport domain -j ACCEPT ## DNS answers
$IPTABLES -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT ## Accept all ESTABLISHED/RELATED incoming TCP traffic
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT ## Accept SSH
$IPTABLES -A INPUT -p tcp --dport 5901 -j ACCEPT ## Accept VNC
$IPTABLES -A INPUT -p tcp --destination-port 6881 -j ACCEPT ## Accept BitTorrent
$IPTABLES -A INPUT -j LOG --log-prefix="BAD INPUT: " --log-level 4 ## Log all incoming traffic that reaches this point (the DROP policy then discards it)

# Outgoing external traffic
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT ## Accept ICMP echo requests (our pings)
$IPTABLES -A OUTPUT -p icmp --icmp-type host-unreachable -j DROP ## Block ICMP host-unreachable
$IPTABLES -A OUTPUT -p udp --dport domain -j ACCEPT ## Accept outgoing DNS queries
$IPTABLES -A OUTPUT -p icmp --icmp-type port-unreachable -j DROP ## Block ICMP port-unreachable
$IPTABLES -A OUTPUT -p tcp --source-port 6881:6999 -j ACCEPT ## Allow BitTorrent traffic to the internet
$IPTABLES -A OUTPUT -p tcp -j ACCEPT ## Accept all other outgoing TCP traffic
$IPTABLES -A OUTPUT -j LOG --log-prefix="BAD_OUTPUT: " --log-level 4 ## Log all outgoing traffic that reaches this point (the DROP policy then discards it)

# Internal traffic rules
## Accept all internal input traffic
#$IPTABLES -A INPUT -j ACCEPT
## Accept all internal output traffic
#$IPTABLES -A OUTPUT -j ACCEPT

# Forwarding packets rules
## Note: this overrides the FORWARD DROP policy set above; a proper policy for the VMs is still pending
$IPTABLES -P FORWARD ACCEPT


As you may notice, this script is under development. Among the pending tasks, I must find a way to execute the script at boot time and to stop the syslog messages from going to dmesg as well as to iptables.log, a file I created with the following line in rsyslog.conf:

kern.warning /var/log/iptables.log

Also, I must define an internal forwarding policy that lets the virtual machines reach services, and tighter outgoing traffic policies.

Testing the firewall is the next step. I used Backtrack to do so. First of all, I execute the script on my machine:



Then I go to the VM with Backtrack 4 installed so I can test.


You may notice that the exposed services are only the necessary ones.
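As an added example that is not part of the original post, here is a small POSIX shell/awk helper for the other side of the test: it reads the lines the two LOG rules write to /var/log/iptables.log, summarises them by log prefix, protocol and destination port, and flags any source that probed several closed ports, which is how the scan from the Backtrack VM shows up in the log. The host name, addresses and ports in the embedded sample lines are constructed and abridged.

```shell
#!/bin/sh
# Added example, not from the original post. The sample LOG lines are
# constructed and abridged; host name, addresses and ports are made up.
SAMPLE_LOG='Jun  3 21:14:02 inspiron kernel: BAD INPUT: IN=wlan0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=44321 DPT=445 SYN
Jun  3 21:14:02 inspiron kernel: BAD INPUT: IN=wlan0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=44322 DPT=445 SYN
Jun  3 21:14:03 inspiron kernel: BAD INPUT: IN=wlan0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=44323 DPT=139 SYN
Jun  3 21:14:03 inspiron kernel: BAD INPUT: IN=wlan0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=44324 DPT=23 SYN
Jun  3 21:14:05 inspiron kernel: BAD INPUT: IN=wlan0 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Jun  3 21:14:20 inspiron kernel: BAD INPUT: IN=wlan0 OUT= SRC=192.168.1.77 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=50001 DPT=445 SYN
Jun  3 21:15:00 inspiron kernel: BAD_OUTPUT: IN= OUT=wlan0 SRC=192.168.1.10 DST=192.168.1.1 LEN=76 TTL=64 PROTO=UDP SPT=123 DPT=123'

# Count dropped packets per log prefix, protocol and destination port
# (ICMP has no port, so its type is shown instead). Reads LOG lines on stdin.
summarize_drops() {
    awk '
    {
        prefix = "?"; proto = "?"; port = "-"
        # the prefix sits between "kernel: " and ": IN="
        if (match($0, /kernel: .*: IN=/))
            prefix = substr($0, RSTART + 8, RLENGTH - 13)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") port = kv[2]
            else if (kv[1] == "TYPE") port = "type" kv[2]
        }
        count[prefix " " proto "/" port]++
    }
    END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# Flag sources seen probing at least $1 distinct ports (default 3): one host
# touching many closed ports in the BAD INPUT log is what a port scan looks like.
scan_suspects() {
    awk -v min="${1:-3}" '
    /BAD INPUT: / {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
    }
    END { for (s in ports) if (ports[s] >= min) print s, ports[s] }' | LC_ALL=C sort
}

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | scan_suspects 3
```

On the real box, replace the sample with `summarize_drops < /var/log/iptables.log`; the UDP line in the sample shows that, with the OUTPUT rules as written, anything outbound that is not TCP or DNS (NTP here) is logged and dropped.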

Impressions? Suggestions? What do you think about it? Your feedback is appreciated.