Forum: Linux - Networking (LinuxQuestions.org)
Iptables Control Outbound Connections - need help

04-28-2009, 04:07 PM, #1
xoros (Member; Registered: Jun 2003; Posts: 45)
I want to have this script run at startup and add these rules to iptables. But do I have to flush all chains first? Or will it work OK as it is?
My virtual machine software places a bunch of rules in there and I didn't want this to conflict with that. I'm not sure what all the processes are that the VM uses, so it's kind of difficult to whitelist that.
Any ideas/suggestions? Should I try to whitelist the VM?
Code:
#!/bin/bash
# -WOPP- Whitelist Outbound Processes/Programs
# v1.0 by xoros
# Purpose: You don't need to allow -ALL- outbound traffic -ALL- the time!
# First we define normal services to be allowed
# Comment-out any to turn off what you don't want
# accept localhost traffic (both directions, otherwise the final OUTPUT DROP
# also kills local connections to 127.0.0.1)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# accept dns tcp
# (accepting INPUT purely by source port means any remote host that sends
#  from port 53 can reach every local port; a stateful
#  "-m state --state ESTABLISHED,RELATED" INPUT rule is the usual replacement)
iptables -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
# accept dns udp
iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
# accept dhcp
iptables -A INPUT -p udp -m udp --sport 67:68 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 67:68 -j ACCEPT
# accept http and https (88 is Kerberos, not web traffic; remove it if unused)
iptables -A INPUT -p tcp -m multiport --sports 80,88,443 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,88,443 -j ACCEPT
# mail TLS (submission) outbound
# iptables -A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
# mail SSL (POP3S) outbound
# iptables -A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT
# Now we can use our whitelist
# Manually use "ps aux" to find names
# Substitute "wprocessname1..etc" with names you want
WHTPROC="wprocessname1
wprocessname2
wprocessname3
wprocessname4"
for whtproc in $WHTPROC
do
    # pgrep matches the exact process name and never matches itself; the
    # original "ps aux | grep | cut -b 10-14" also saw the grep command line
    # and relied on fixed column offsets for the PID
    pid=$(pgrep -o -x "$whtproc")
    if [ -z "$pid" ]; then
        echo "WOPP: $whtproc is not running, no rule added" >&2
        continue
    fi
    # NOTE: --pid-owner matches a single PID, which changes every time the
    # program is restarted, and it was removed from the kernel's owner match
    # in 2.6.14; on current kernels run the program as a dedicated user and
    # match it with --uid-owner instead
    iptables -A OUTPUT -p tcp -m owner --pid-owner "$pid" -j ACCEPT
    iptables -A OUTPUT -p udp -m owner --pid-owner "$pid" -j ACCEPT
done
# Drop everything else
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
Last edited by xoros; 04-28-2009 at 04:39 PM.
04-28-2009, 04:14 PM, #2
acid_kewpie (Moderator; Registered: Jun 2001; Location: UK; Distribution: Gentoo, RHEL, Fedora, Centos; Posts: 42,711)
Well, it doesn't look like it would conflict, except the default drops at the bottom, but you've not said anything about what distro / firewall system you're currently using. It's normally a much better option to take these rules and add them to your normal iptables configuration, e.g. /etc/sysconfig/iptables on a Red Hat / Fedora system.
04-28-2009, 04:33 PM, #3
xoros (Member; Original Poster; Registered: Jun 2003; Posts: 45)
Quote, originally posted by acid_kewpie:
    it's normally a much better option to take these rules and add them to your normal iptables configuration, e.g. /etc/sysconfig/iptables on a redhat / fedora system.
I thought iptables for Linux is basically the same no matter which distro you are using.
I guess I'm having a hard time figuring out how to integrate them with the rules already in place from what the VM software put there.
If I just whitelist whatever process the VM software is (and needs), will it work the same as if it was using its own previous rules?
04-28-2009, 04:40 PM, #4
acid_kewpie (Moderator; Registered: Jun 2001; Location: UK; Distribution: Gentoo, RHEL, Fedora, Centos; Posts: 42,711)
iptables is the same, but there are a million ways to control configuration files and services around iptables, which is just a command line tool that needs something to use it.
04-28-2009, 04:51 PM, #5
xoros (Member; Original Poster; Registered: Jun 2003; Posts: 45)
I know how to get the script to run at startup. That is not my problem.
My main question/problem is:
Quote:
    Will my "whitelisting method", applied to a program that already made its own rules, allow it to work as if it was using its PREVIOUS rules?
In other words, does allowing the process work the same as just allowing certain IP ranges, port ranges, etc.?
For example, I have something similar to this already in iptables:
Code:
-A POSTROUTING -s 192.168.xxx.0/24 -d ! 192.168.xxx.0/24 -j MASQUERADE
Will allowing by process name, or my "OUTPUT -j DROP", mess that up?
Last edited by xoros; 04-28-2009 at 05:19 PM.
04-29-2009, 05:30 AM, #6
acid_kewpie (Moderator; Registered: Jun 2001; Location: UK; Distribution: Gentoo, RHEL, Fedora, Centos; Posts: 42,711)
Again, it depends on how these rules are being implemented, so again it can depend on what distro and firewall mechanism you are using. Is it a secret??
In your specific example, you have a NAT operation and a filter operation, so they wouldn't directly conflict, as POSTROUTING is always done after OUTPUT. Of course, a catch-all DROP in OUTPUT would mean anything not explicitly passed already would never hit POSTROUTING and the rest of the world.
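The two points the thread turns on, the owner-keyed whitelist from post #1 and the filter-OUTPUT-before-nat-POSTROUTING ordering from post #6, as one added example that is not xoros's script or acid_kewpie's configuration. It prints the whole policy as a single iptables-save file, so it can be loaded atomically with iptables-restore or installed as /etc/sysconfig/iptables on a Red Hat / Fedora system, with the VM's MASQUERADE rule in the nat table and the whitelist in the filter table. Assumptions: the subnet 192.168.1.0/24 is a placeholder for the VM subnet, each whitelisted program is run as a dedicated user (passed on the command line) so the owner match can key on a uid rather than a PID, and the VM software relies on the host's FORWARD chain as its MASQUERADE rule implies.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints a complete iptables-save
# style ruleset; load it with "iptables-restore < file" or install it as
# /etc/sysconfig/iptables on RHEL/Fedora. Whitelisted programs are given
# as the users they run under (assumption: one dedicated user per program),
# because the owner match keys on uid, not on a PID that changes every run.
LAN="${LAN:-192.168.1.0/24}"   # placeholder subnet, substitute the VM subnet

gen_ruleset() {
    # nat table: the masquerade rule the VM software installs lives here.
    # POSTROUTING runs after the filter OUTPUT chain, so an OUTPUT DROP
    # never conflicts with it; it only decides which packets get that far.
    printf '%s\n' '*nat' \
        ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        "-A POSTROUTING -s $LAN ! -d $LAN -j MASQUERADE" \
        'COMMIT'
    # filter table: chain policies carry the default DROP, so rules that
    # other tools append later are never stranded below a catch-all DROP rule
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # stateful core: replies to our own connections come back in, nothing
    # else does (no "--sport 53 -j ACCEPT" style holes on INPUT)
    cat <<'EOF'
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
EOF
    # forwarding for the masqueraded VM subnet (assumption: the VM software
    # relies on the host to forward, as its MASQUERADE rule implies)
    printf '%s\n' "-A FORWARD -s $LAN -j ACCEPT" \
        "-A FORWARD -d $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # one rule per whitelisted user: only NEW connections need it, the
    # replies are already covered by the ESTABLISHED rule above
    for user in "$@"; do
        printf '%s\n' "-A OUTPUT -m owner --uid-owner $user -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Usage: ./wopp-ruleset.sh vmuser otheruser > /tmp/rules
#        iptables-restore --test < /tmp/rules   # parse only, applies nothing
gen_ruleset "$@"
```

Because the default DROP sits in the chain policy rather than in a trailing rule, a later "iptables -A" from the VM software (or anything else) still lands above the drop, which is the conflict xoros was worried about with the two "-j DROP" lines at the end of the original script.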