Hardening Your Linux Laptops for Coffee Shop Combat: Firewall Rules and Network Profiles for the Paranoid Traveler

Introduction to Linux Laptop Hardening

As a Linux user, you’re probably already thinking about how to harden your system for security. But when it comes to laptops, this process is even more crucial. I mean, think about it - laptops are portable, and they’re often connecting to various networks, some of which might not be entirely trustworthy. The rise in public Wi-Fi exploits in recent years only adds to the importance of securing your laptop. In this article, we’ll focus on firewall rules and network profiles to help you navigate these scenarios securely.

Understanding Firewall Basics

Before diving into complex configurations, it’s essential to understand the basics of firewalls on Linux. You’ve likely heard of iptables, but many distributions now use nftables (the kernel’s successor to iptables) or rely on higher-level front ends such as ufw on Ubuntu-based systems or firewalld, the default on Fedora and RHEL-derived distributions. I prefer nftables due to its flexibility and performance. The real trick is to choose the right tool for your needs and to understand how to use it effectively.

To get started with nftables, you first need to ensure it’s installed and enabled on your system. On Debian-based systems, you can install it using:

sudo apt update
sudo apt install nftables

On Arch Linux or similar, the command would be:

sudo pacman -S nftables

After installation, enable and start the nftables service:

sudo systemctl enable nftables
sudo systemctl start nftables

Don’t bother with manually configuring nftables if you’re not comfortable with it - but if you’re looking for more control, it’s definitely worth learning.

Configuring Firewall Rules

Configuring firewall rules involves defining what traffic is allowed to enter or leave your system. A basic rule set might include allowing incoming SSH connections, incoming HTTP/HTTPS (only needed if the laptop itself serves web content; ordinary browsing is outbound and is covered by the established/related rule below), and blocking all other incoming traffic. Here’s a simple example of how to add rules using nftables:

First, create a table and an input chain hooked into incoming traffic (rules cannot be added until the chain exists). Start the chain with policy accept so you don’t cut yourself off while the rules below are still being added:

sudo nft add table inet filter
sudo nft add chain inet filter input '{ type filter hook input priority 0; policy accept; }'

Then, add a rule to allow SSH connections:

sudo nft add rule inet filter input tcp dport 22 accept

And another for HTTP/HTTPS:

sudo nft add rule inet filter input tcp dport {80, 443} accept

Finally, allow return traffic for connections the laptop itself opened, loopback, and ICMP (both IPv4 and IPv6; dropping ICMPv6 breaks IPv6 neighbour discovery), then drop everything else, first with an explicit counting rule and then by switching the chain’s default policy to drop so nothing slips through if that rule is ever removed:

sudo nft add rule inet filter input ct state established,related accept
sudo nft add rule inet filter input iif lo accept
sudo nft add rule inet filter input meta l4proto '{ icmp, ipv6-icmp }' accept
sudo nft add rule inet filter input counter drop
sudo nft add chain inet filter input '{ policy drop; }'

This setup allows SSH, HTTP/HTTPS, ICMP and loopback, while dropping all other incoming traffic that does not belong to a connection the laptop itself initiated. Rules added with nft on the command line live only in kernel memory: check them with sudo nft list ruleset and persist them in /etc/nftables.conf (the file the nftables service loads at boot), otherwise they vanish on reboot. In practice, you’ll want to adjust these rules based on your specific needs.

Network Profiles

Network profiles can significantly simplify managing different network scenarios, such as home, work, or public Wi-Fi. Tools like NetworkManager allow you to create and manage these profiles easily. For a more paranoid approach, you might consider using a VPN for all public Wi-Fi connections, which can be set up to automatically connect when joining untrusted networks.

To create a new network profile with NetworkManager, you can use the command line or the graphical interface. For example, to create a Wi-Fi profile that automatically brings up a VPN whenever it connects, define the Wi-Fi connection, import the VPN configuration, and then list the VPN as a secondary of the Wi-Fi connection (NetworkManager activates secondaries automatically when the base connection comes up):

nmcli connection add type wifi con-name "Public WiFi" ssid "PublicWiFiSSID"
nmcli connection modify "Public WiFi" wifi-sec.key-mgmt wpa-psk
nmcli connection modify "Public WiFi" wifi-sec.psk "your_password"
# Import the OpenVPN profile (needs the NetworkManager-openvpn plugin); the new connection is named after the file
nmcli connection import type openvpn file your_vpn_config.ovpn
nmcli connection modify your_vpn_config connection.id "PublicVPN"
# Secondaries are referenced by UUID, so look it up instead of typing it by hand
nmcli connection modify "Public WiFi" connection.secondaries "$(nmcli -g connection.uuid connection show PublicVPN)"

Replace "PublicWiFiSSID", "your_password", and "your_vpn_config.ovpn" with your actual Wi-Fi SSID, password, and VPN configuration file. This is where people usually get burned - forgetting to update their network profiles or not using a VPN when connecting to public Wi-Fi.
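To tie the two halves of this article together, here is an added example (not from the original article) of a NetworkManager dispatcher script that regenerates the nftables ruleset whenever a connection comes up or goes down, exposing SSH only on explicitly trusted profiles. The install path, the trusted profile names "Home LAN" and "Office", and the choice to treat every unknown network or disconnected state as hostile are assumptions.

```shell
#!/bin/sh
# NetworkManager dispatcher hook (assumed install path: /etc/NetworkManager/dispatcher.d/50-laptop-firewall).
# NetworkManager runs it as "<script> <interface> <action>" with CONNECTION_ID set in the environment.
set -eu

# Classify a connection by name: only the explicitly listed profiles (assumed names) are trusted,
# so an unknown network such as a coffee-shop hotspot gets the hostile ruleset by default.
profile_for() {
    case "$1" in
        "Home LAN"|"Office") echo trusted ;;
        *) echo untrusted ;;
    esac
}

# Print a complete nftables ruleset for a profile: both accept loopback, return traffic and
# rate-limited ICMP/ICMPv6 and drop everything else; only the trusted profile exposes SSH.
ruleset_for() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state invalid drop
        ct state established,related accept
        meta l4proto { icmp, ipv6-icmp } limit rate 10/second accept
EOF
    if [ "$1" = trusted ]; then
        printf '        tcp dport 22 accept\n'
    fi
    printf '    }\n}\n'
}

# Number of listening-service rules a ruleset opens (for logging and for checking the generator).
open_ports_in() {
    printf '%s\n' "$1" | grep -c 'tcp dport' || true
}

# Dispatcher entry point: coming up on an unknown network or going down from any network means hostile.
if [ "$#" -ge 2 ]; then
    case "$2" in
        up) profile=$(profile_for "${CONNECTION_ID:-}") ;;
        down) profile=untrusted ;;
        *) exit 0 ;;
    esac
    ruleset_for "$profile" | nft -f -
    logger -t laptop-firewall "applied $profile ruleset after $2 of '${CONNECTION_ID:-}'"
fi
```

NetworkManager only runs dispatcher scripts that are owned by root, not writable by anyone else, and executable.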

Additional Security Considerations

  • Keep your system and software up to date: Regular updates often include security patches. I usually start with a simple sudo apt update and sudo apt full-upgrade to ensure my system is current.
  • Use strong, unique passwords: Consider using a password manager. Don’t bother with weak passwords - they’re not worth the risk.
  • Enable full disk encryption: Protect your data at rest with tools like LUKS.
  • Be cautious with public Wi-Fi: Avoid accessing sensitive information without a VPN. This is just common sense, but it’s often overlooked.

For more information on nftables and its capabilities, you can visit the official documentation. For NetworkManager and its usage, refer to the freedesktop.org documentation.
