I think it would be better to block all unsolicited inbound connections, period; and allow everything outbound. That would probably be a bit more secure, and more importantly would not annoy users who needed to make outbound requests on weird ports.
e.g. a set of iptables rules (usable for both IPv4 and IPv6) that did that might look, at a bare minimum, like this:

Code:

*filter
# By default, drop everything except our own output
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
# Loopback - don't need to specify output rules because all output is accepted
-A INPUT -i lo -j ACCEPT
# Allow inbound for solicited connections only
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT

Mind, that doesn't log anything, so it's not so great either; but the point is it doesn't leave any ports open to unsolicited connections, while not getting in the user's way with outbound stuff.
(But NB: I'm not an expert on iptables, so I could be way off. And all of the above being said, a firewall doesn't help much if a user runs something hostile.)
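As an added example that is not part of the post above, here is the same default-deny-inbound ruleset with a rate-limited LOG rule placed just before the INPUT DROP policy (and a drop for conntrack-INVALID packets so they do not flood the log), loaded into both address families with iptables-restore and ip6tables-restore. The function names gen_rules, count_chain_rules and apply_rules are my own choices, and applying the rules needs root.

```shell
#!/bin/sh
# Added example: default-deny inbound, allow-all outbound, with logging of
# dropped unsolicited inbound traffic (visible via dmesg / journalctl -k).
# Function names are this example's own, not from any tool.

# Print the ruleset in iptables-restore syntax. The same text is valid for
# ip6tables-restore because it uses no address-family-specific matches.
gen_rules() {
    cat <<'EOF'
*filter
# Default policy: drop unsolicited inbound and all forwarding, allow all outbound
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is always fine
-A INPUT -i lo -j ACCEPT
# Replies to connections this host initiated
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop packets conntrack cannot classify without logging each one
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Log what is about to hit the DROP policy, at most 5/min with a burst of 10
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-INPUT-DROP: " --log-level 4
COMMIT
EOF
}

# Count the rules appended to a given chain (used as a sanity check).
count_chain_rules() {
    gen_rules | grep -c "^-A $1 "
}

# Load the ruleset into both address families. iptables-restore replaces the
# whole table in one step, so there is no window with a half-applied policy.
apply_rules() {
    gen_rules | iptables-restore  || return 1
    gen_rules | ip6tables-restore || return 1
}

# Apply only when run as root with --apply; otherwise print what would be loaded.
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    gen_rules
fi
```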