August 19th, 2004, 07:04 PM
Netfilter Owner Module - Useful but Underused
I've been asked to look over a couple of firewall scripts recently, for both desktops and servers, and it strikes me that people aren't going to the additional lengths they could to lock down their rulesets. The most underutilized module I've seen is the owner module. This module allows you to restrict connections based on the uid, gid, pid, or sid of the connection. It even works for root.
Now, some of you might be thinking of ways you can use this, and some of you might not know how you can use it, so I will explain. Often the most commonly viewed difference between Linux firewalls and Windows personal firewalls is the lack of per-application control. While this is somewhat true, it is not as wide-ranging as many might have you believe. To understand how the owner module applies to this situation, we must look at the way in which common Linux systems are set up. Commonly, you will find many services are given their own user (named for DNS, apache for Apache, etc.). This is both a hindrance and helpful in various situations; here it helps a great deal. Because each service has its own uid, you can basically control the network access of any service you like.
Consider the following example: an attacker attempts to break into a hardened box, and manages to exploit a hole in Apache to get access to the box. After a bit of trial-and-error enumeration, the attacker sees that there are no tools of use to him on the box, so the next step is to download a rootkit or some tools from another site onto the target box. With a firewall set up to deny Apache outbound access, such attempts would fail. There may be other ways to get a file onto the target, or other havoc they can wreak, but this limits an attacker's options.
Here's an example, where we deny all new outbound connections for uid 101 (apache).
Code:
$ iptables -A OUTPUT -o eth0 -m state --state NEW -m owner --uid-owner 101 -j REJECT
$ su apache -c "telnet www.hotmail.com 80"
Trying 207.68.171.233...
telnet: connect to address 207.68.171.233: Connection refused
$ iptables -F
$ su apache -c "telnet www.hotmail.com 80"
$ su vhost -c "telnet www.hotmail.com 80"
Trying 207.68.173.245...
Connected to www.hotmail.com.
Escape character is '^]'.
You could further limit all of these services by making them all members of a specific group called something like "noaccess", and then just denying the group. Alternately, you can drop in rules related to the process id, though keep in mind many process ids will be different between reboots.
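As an added example that is not part of the original post, here is a small POSIX-shell ruleset builder for the per-uid and per-group approaches described above; it assumes the outbound interface is eth0, that "apache", "named" and the group "noaccess" are placeholder names that exist on the box, and it only previews the rules unless run with IPT=iptables.

```shell
#!/bin/sh
# Added example (not the original poster's code): generate owner-module rules
# that deny NEW outbound connections for service accounts, per uid or via one
# shared group, and log each denied attempt so it shows up in syslog.
# Assumptions: outbound interface eth0; "apache", "named" and the group
# "noaccess" are placeholder names that must exist on the box.

IFACE="${IFACE:-eth0}"
IPT="${IPT:-echo}"        # preview by default; run with IPT=iptables to apply

# Shared match: first packet of a new outbound connection leaving IFACE.
base_match() {
    printf -- '-A OUTPUT -o %s -m state --state NEW -m owner' "$IFACE"
}

# Two rules per owner: a rate-limited LOG line, then the REJECT. The log prefix
# contains no spaces so each rule stays a single whitespace-split command line.
deny_owner() {   # $1 = uid|gid, $2 = owner name or number
    m="$(base_match) --$1-owner $2"
    printf '%s -m limit --limit 5/min -j LOG --log-prefix owner-deny-%s-%s: --log-level 4\n' "$m" "$1" "$2"
    printf '%s -j REJECT\n' "$m"
}

# Per-uid denial, as in the post's example (a name or a numeric uid both work).
owner_deny_uid() { deny_owner uid "$1"; }

# Group denial: put every service account in the group, then deny it once.
# --pid-owner/--sid-owner existed in the 2.4-era module but were removed from
# later kernels; uid and gid matching are what remain portable.
owner_deny_gid() { deny_owner gid "$1"; }

# Feed the generated rules to $IPT, one rule per line.
apply_rules() {
    while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting is intended here
        $IPT $rule
    done
}

main() {
    { owner_deny_uid apache; owner_deny_uid named; owner_deny_gid noaccess; } | apply_rules
}

main
```

Run the script once as root with IPT=iptables after confirming the preview looks right; a blocked download attempt by a compromised service then appears in syslog under the owner-deny prefix.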
Anyhow, just keep the various modules in mind when writing firewall rulesets. Many of them can give you a greater level of control over your firewall.
Chris Shepherd