edit to attempt to ask a better question, given put on hold

 

Stand-alone interactive home "firewall" to prevent unauthorised outbound traffic?

I'm looking to set up separate hardware as a decent isolated firewall, primarily to act as a (wired, not wireless) intermediary between a Windows box and an ADSL router. I'd like an interactive setup on its own little display where I can allow or deny connections interactively with a simple keystroke / button press / screen mash.

I'm only concerned with outgoing TCP/IP connections and UDP, since the router firewall blocks all incoming traffic, with occasional manual exceptions as required.


I'd like the "firewall" (for want of a better word) to display the destination IP, reverse DNS lookup and ports, and give the option of allowing or denying, defaulting to deny after n seconds. I'd also like to be able to clear timeout auto-denies (reverting to "ask") without affecting manual denies. And dig in by hand as necessary. Command line or desktop UI is fine, any platform is fine though Windows now seems untrustworthy for the task.

Is there a good solution out there? Software / hardware / both is fine. Linux and iptables seem very capable from past experience, but I want an interactive setup. Perhaps there's some log-tail-eating script one could conjure? But that's a little beyond me. Not sure the best way to go.

I imagine I'd also need to set up the intermediary box to act as a gateway, and possibly give it DHCP control and deny other boxes access to the router via router-side rules, to avoid software working around the setup I'm trying to achieve?

Rationale: As an increasingly reluctant Windows user (for Visual Studio, and Steam) I'm considering a Windows 10 upgrade. Given that it, and other software, increasingly enjoy the ability to "phone home" disclosing potentially private data (however anonymized or filtered), it seems like a good time to go for a radical solution outside the vendor's hands.

Context: I'm a long time developer with a non-zero stackoverflow rep, I've set up Gentoo by hand from source in the past for fun and am generally not intimidated by doing things the hard way. I don't mind a tricky solution to set up if uber-usable in practice, and wouldn't want to claim expertise in an area in which I'm frankly an idiot child compared to real networking types.

How to set up a Linux box as a stand-alone firewall/gateway?

How do I set up a separate Linux firewall/gateway box to isolate now-chatty-with-Microsoft Windows machines from the internet, permitting only approved user-initiated connections from Windows boxes? This is given that Windows 10 et al. don't obey most same-machine approaches when phoning home. I'd like an interactive setup to allow or deny connections as they occur from other machines.

I'm only concerned with outgoing TCP/IP connections and UDP, since the router firewall blocks incoming traffic well enough.


I conjecture I could fudge something half-baked with log tails and iptables, but that won't give me a simple user experience, and would be after the fact (so I could watch deny logs, then go back in and alter the rules case by case). I'd like the connection to hang (timeout notwithstanding) until I allow/deny.

Is what I'm looking for even possible without hacking something like iptables itself? What are the pitfalls I should look out for?

As a corollary, is it effective and possible to set up these boxes as gateway and DHCP servers for Windows boxes? Seems like I should be blocking the Windows boxes themselves from talking to the router and hence forcing them to go through the gateway/firewall box.

(Edit: rephrased.)
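The allow/deny/ask state the question describes (hold a new outbound flow until the operator answers, auto-deny after n seconds, and clear auto-denies back to "ask" without touching manual denies) is small enough to show as a policy engine. The block below is an added example, not code from the question or from any answer; it assumes the gateway logs new forwarded connections with an iptables rule such as `iptables -A FORWARD -m conntrack --ctstate NEW -j LOG --log-prefix "FWD-NEW: "`, and the log lines in it are constructed samples, not captures from a real system. The `FWD-NEW:` prefix, the `Flow`/`Policy` names and the 30-second default are all assumptions of this example.

```python
"""Policy engine for an interactive outbound "ask" firewall on a Linux gateway.

Added example, not from the original question. It keys each new outbound flow
(as written by an assumed iptables LOG rule on the FORWARD chain) to a verdict:
ASK until the operator answers, AUTO_DENY once the timeout passes, and manual
ALLOW/DENY that survive a "clear auto-denies" sweep.
"""
import re
import time
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

# Assumed LOG rule: iptables -A FORWARD -m conntrack --ctstate NEW -j LOG --log-prefix "FWD-NEW: "
# SPT/DPT are optional so ICMP lines (PROTO=ICMP TYPE=8 ...) still parse.
LOG_RE = re.compile(
    r"FWD-NEW: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


class Verdict(Enum):
    ASK = "ask"            # no decision yet; the packet should be held
    ALLOW = "allow"        # operator said yes
    DENY = "deny"          # operator said no (manual, persistent)
    AUTO_DENY = "auto"     # nobody answered within the timeout


@dataclass(frozen=True)
class Flow:
    """Key for one outbound connection attempt from a LAN host."""
    src: str
    dst: str
    proto: str
    dport: Optional[int]


def parse_log_line(line: str) -> Optional[Flow]:
    """Turn one iptables LOG line into a Flow key, or None if it is not ours."""
    m = LOG_RE.search(line)
    if not m:
        return None
    dpt = m.group("dpt")
    return Flow(m.group("src"), m.group("dst"), m.group("proto"),
                int(dpt) if dpt else None)


@dataclass
class Policy:
    timeout: float = 30.0                                   # assumed default
    decisions: Dict[Flow, Verdict] = field(default_factory=dict)
    pending_since: Dict[Flow, float] = field(default_factory=dict)

    def verdict(self, flow: Flow, now: Optional[float] = None) -> Verdict:
        """Current verdict. Unknown flows enter ASK; stale ASKs become AUTO_DENY."""
        now = time.monotonic() if now is None else now
        v = self.decisions.get(flow)
        if v is not None:
            return v
        first_seen = self.pending_since.setdefault(flow, now)
        if now - first_seen >= self.timeout:
            self.decisions[flow] = Verdict.AUTO_DENY
            self.pending_since.pop(flow, None)
            return Verdict.AUTO_DENY
        return Verdict.ASK

    def answer(self, flow: Flow, allow: bool) -> Verdict:
        """Operator keystroke: a manual decision overrides whatever state exists."""
        self.decisions[flow] = Verdict.ALLOW if allow else Verdict.DENY
        self.pending_since.pop(flow, None)
        return self.decisions[flow]

    def clear_auto_denies(self) -> int:
        """Revert timeout denies to ASK, leaving manual ALLOW/DENY untouched."""
        auto = [f for f, v in self.decisions.items() if v is Verdict.AUTO_DENY]
        for f in auto:
            del self.decisions[f]
        return len(auto)

    def pending(self) -> List[Flow]:
        return list(self.pending_since)


def process(policy: Policy, lines: List[str], now: float) -> Dict[Flow, Verdict]:
    """Feed log lines through the policy; returns the verdict per parsed flow."""
    results: Dict[Flow, Verdict] = {}
    for line in lines:
        flow = parse_log_line(line)
        if flow is not None:
            results[flow] = policy.verdict(flow, now)
    return results


# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    "kernel: FWD-NEW: IN=eth1 OUT=eth0 MAC=... SRC=192.168.2.10 DST=203.0.113.5 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
    "kernel: FWD-NEW: IN=eth1 OUT=eth0 MAC=... SRC=192.168.2.10 DST=198.51.100.9 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2 PROTO=UDP SPT=50000 DPT=53 LEN=40",
    "kernel: some unrelated message",
]

if __name__ == "__main__":
    pol = Policy(timeout=30.0)
    for flow, v in process(pol, SAMPLE_LOG, now=0.0).items():
        print(f"{flow.proto} {flow.src} -> {flow.dst}:{flow.dport}  {v.value}")
```

Reading logs only ever tells you after the fact, which is the problem the question raises. To make the connection actually hang until a decision, swap the LOG rule for `-j NFQUEUE --queue-num 1` and call `verdict()` from a userspace queue handler: ALLOW accepts the packet, DENY/AUTO_DENY drops it, and ASK drops the held SYN too, relying on the client's TCP retransmits to re-present the flow until the operator answers or the timeout passes (holding packets in the queue indefinitely fills it and stalls every other new flow). For the gateway role itself the usual pieces are `net.ipv4.ip_forward=1`, a `FORWARD` chain with policy DROP plus an `ESTABLISHED,RELATED` accept, and `MASQUERADE` in the `nat` table's POSTROUTING on the WAN interface; the Windows hosts must have no other route to the router or the whole thing is bypassed.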

 
Post Closed as "Not suitable for this site" by CharlieRB, DavidPostill, Ƭᴇcʜιᴇ007, Scott - Слава Україні, karel
Clarified my not being a complete idiot, at least some of the time.