Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I want to have this script run at start up and add these rules to iptables. But, do I have to flush all chains first? Or will this work ok, how it is?
My virtual machine software places a bunch of rules in there and I didn't want it to conflict with that. I'm not sure what all the processes are that the VM uses, so it's kind of difficult to whitelist that.
Any ideas/suggestions? Should I try to whitelist the VM?
Code:
#!/bin/bash
# -WOPP- Whitelist Outbound Processes/Programs
# v1.0 by xoros
# Purpose: You don't need to allow -ALL- outbound traffic -ALL- the time!
# First we define normal services to be allowed
# Comment-out any to turn off what you don't want
# accept localhost traffic (both directions, otherwise the final OUTPUT DROP
# below also kills loopback traffic)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# accept dns tcp
iptables -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
# accept dns udp
iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
# accept dhcp
iptables -A INPUT -p udp -m udp --sport 67:68 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 67:68 -j ACCEPT
# accept http and https
iptables -A INPUT -p tcp -m multiport --sports 80,88,443 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,88,443 -j ACCEPT
# mail tls outbound
# iptables -A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
# mail ssl outbound
# iptables -A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT
# Now we can use our whitelist
# Manually use "ps aux" to find names
# Substitute "wprocessname1..etc" with names you want
WHTPROC="wprocessname1
wprocessname2
wprocessname3
wprocessname4"
for whtproc in $WHTPROC
do
    # oldest PID whose command name is exactly $whtproc. Unlike
    # "ps aux | grep NAME | cut -b 10-14", pgrep cannot match its own
    # grep process and does not depend on the column widths of ps.
    pid=$(pgrep -o -x "$whtproc")
    if [ -z "$pid" ]; then
        echo "WOPP: $whtproc is not running, skipping" >&2
        continue
    fi
    # note: the owner match lost --pid-owner in kernel 2.6.14
    iptables -A OUTPUT -p tcp -m owner --pid-owner "$pid" -j ACCEPT
    iptables -A OUTPUT -p udp -m owner --pid-owner "$pid" -j ACCEPT
done
# Drop everything else
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
Well, it doesn't look like it would conflict, except for the default DROPs at the bottom, but you've not said anything about what distro / firewall system you're currently using. It's normally a much better option to take these rules and add them to your normal iptables configuration, e.g. /etc/sysconfig/iptables on a Red Hat / Fedora system.
Quote:
It's normally a much better option to take these rules and add them to your normal iptables configuration, e.g. /etc/sysconfig/iptables on a Red Hat / Fedora system.
I thought iptables for Linux is basically the same no matter which distro you are using.
I guess I'm having a hard time figuring out how to integrate them with the rules already in place from what the VM software put there.
If I just whitelist whatever process the VM software is (and needs), will it work the same as if it was using its own previous rules?
iptables is the same, but there are a million ways to control configuration files and services around iptables, which is just a command-line tool that needs something to use it.
Again, it depends how these rules are being implemented, so again it can depend on what distro and firewall mechanism you are using. Is it a secret??
In your specific example, you have a NAT operation and a filter operation, so they wouldn't directly conflict, as POSTROUTING is always done after OUTPUT. Of course, a catch-all DROP in OUTPUT would mean that anything not explicitly passed already would never hit POSTROUTING and the rest of the world.
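As an added example (not the original poster's script, nor anything from LQ), here is one way to load the same whitelist at boot without flushing the chains the VM software manages: the rules live in their own chain, hooked at the top of filter OUTPUT, so re-running the script only rebuilds that chain and leaves the VM's own filter and nat/POSTROUTING rules alone. The chain name WOPP_OUT, the IPT dry-run variable and the process names are assumptions.

```bash
#!/bin/bash
# Added example, not the original poster's script: keep the whitelist in its own
# chain so it can be (re)loaded at boot without flushing the chains the VM
# software manages. IPT=echo prints the commands instead of running them.
IPT="${IPT:-iptables}"
CHAIN="WOPP_OUT"                    # assumed chain name

# pid_of NAME: oldest PID whose command name is exactly NAME, or nothing.
# Unlike "ps aux | grep NAME | cut -b 10-14" it cannot match the grep itself
# and does not depend on ps column widths.
pid_of() { pgrep -o -x "$1" 2>/dev/null || true; }

# wopp_rules NAME...: print the rule set, one rule per line, without touching
# the kernel, so it can be reviewed (and tested) before it is applied.
wopp_rules() {
    local name pid
    echo "-A $CHAIN -o lo -j ACCEPT"
    echo "-A $CHAIN -p udp --dport 53 -j ACCEPT"
    echo "-A $CHAIN -p tcp --dport 53 -j ACCEPT"
    echo "-A $CHAIN -p udp --dport 67:68 -j ACCEPT"
    echo "-A $CHAIN -p tcp -m multiport --dports 80,443 -j ACCEPT"
    for name in "$@"; do
        pid=$(pid_of "$name") || pid=""
        [ -n "$pid" ] || continue   # not running: nothing to whitelist yet
        # --pid-owner was removed from the owner match in kernel 2.6.14; on
        # newer kernels run the program as its own user and use --uid-owner.
        echo "-A $CHAIN -p tcp -m owner --pid-owner $pid -j ACCEPT"
        echo "-A $CHAIN -p udp -m owner --pid-owner $pid -j ACCEPT"
    done
    echo "-A $CHAIN -j DROP"
}

# wopp_apply NAME...: create the chain if missing, flush only *our* chain,
# load the rules, then hook the chain at the top of OUTPUT exactly once.
# Rules the VM software added to OUTPUT or to nat/POSTROUTING stay untouched.
wopp_apply() {
    "$IPT" -n -L "$CHAIN" >/dev/null 2>&1 || "$IPT" -N "$CHAIN"
    "$IPT" -F "$CHAIN"
    wopp_rules "$@" | while read -r rule; do
        "$IPT" $rule                # word-splitting of $rule is intended
    done
    "$IPT" -C OUTPUT -j "$CHAIN" >/dev/null 2>&1 || "$IPT" -I OUTPUT 1 -j "$CHAIN"
}

# Usage (as root): WOPP_APPLY=1 ./wopp.sh firefox thunderbird
# The guard lets the file be sourced for review without touching the firewall.
if [ "${WOPP_APPLY:-0}" = 1 ]; then wopp_apply "$@"; fi
```

Review the output of `IPT=echo WOPP_APPLY=1 ./wopp.sh firefox` first; `iptables -C` only exists in iptables 1.4.11 and later, so on an older box replace that line with an `iptables -S OUTPUT | grep` check.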