LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 04-28-2009, 04:07 PM   #1
xoros
Member
 
Registered: Jun 2003
Posts: 45

Iptables Control Outbound Connections - need help


I want to have this script run at start up and add these rules to iptables. But, do I have to flush all chains first? Or will this work ok, how it is?

My virtual machine software places a bunch of rules in there and I didn't want it to conflict with that. I'm not sure what all the processes are that the vm uses, so it's kind of difficult to whitelist that.

Any ideas/suggestions? Should I try to whitelist the vm?

Code:
#!/bin/bash
# -WOPP- Whitelist Outbound Processes/Programs
# v1.0 by xoros
# Purpose: You don't need to allow -ALL- outbound traffic -ALL- the time!
#
# Caveats: "-m owner --pid-owner" (together with --sid-owner and --cmd-owner)
# was removed from the kernel in 2.6.14, so on newer kernels these rules fail
# to load and only --uid-owner/--gid-owner remain; a PID also changes every
# time the program restarts, so the rules go stale. Letting packets in by
# source port (INPUT --sport 53/80/443) admits anything that chooses that
# source port; "-m conntrack --ctstate ESTABLISHED,RELATED" is the safer check.

# First we define normal services to be allowed
# Comment-out any to turn off what you don't want
# accept localhost traffic (both directions, otherwise the final OUTPUT DROP
# kills local connections too)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# accept dns tcp
iptables -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
# accept dns udp
iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
# accept dhcp
iptables -A INPUT -p udp -m udp --sport 67:68 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 67:68 -j ACCEPT
# accept http and https (88 is Kerberos, not HTTP; drop it if unused)
iptables -A INPUT -p tcp -m multiport --sports 80,88,443 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,88,443 -j ACCEPT
# mail submission (STARTTLS, port 587) outbound
# iptables -A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
# pop3 over ssl (port 995) outbound
# iptables -A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT

# Now we can use our whitelist
# Manually use "ps aux" to find names
# Substitute "wprocessname1..etc" with names you want
WHTPROC="wprocessname1
wprocessname2
wprocessname3
wprocessname4"
for whtproc in $WHTPROC
do
    # every process with exactly this name. ("ps aux | grep NAME | head -n 1"
    # also matched the grep itself, so it returned the grep's own PID whenever
    # NAME was not running, and "cut -b 10-14" assumed a fixed PID column.)
    for pid in $(pgrep -x "$whtproc")
    do
        iptables -A OUTPUT -p tcp -m owner --pid-owner "$pid" -j ACCEPT
        iptables -A OUTPUT -p udp -m owner --pid-owner "$pid" -j ACCEPT
    done
done

# Drop everything else
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

Last edited by xoros; 04-28-2009 at 04:39 PM.
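An added example, not the poster's script: the same idea keyed on the owner match's --uid-owner instead of --pid-owner (which the kernel dropped in 2.6.14), with connection tracking admitting replies instead of source-port matching, and with the drops logged. The account names svc-web and svc-mail and their port lists are placeholders; the assumption is that each program you want on the network runs under its own account (for example "sudo -u svc-web firefox") so the rule follows the account rather than a PID that changes on every restart. Rules are appended with -A, so nothing the VM software loaded is flushed; IPT=echo prints them instead of loading them.

```shell
#!/bin/bash
# Outbound whitelist keyed on the process owner's UID (added example, not the
# thread's script). Assumed setup: each program you want on the network runs
# as its own account, e.g. "sudo -u svc-web firefox"; the account names and
# port lists below are placeholders. Run as root; IPT=echo prints the rules
# instead of loading them.
set -eu
IPT=${IPT:-iptables}

# Loopback, replies to connections we opened, and DHCP. Replies are admitted
# by connection state, not by the peer's source port, so a remote host that
# sends from port 53 or 80 gains nothing.
base_rules() {
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -m conntrack --ctstate INVALID -j DROP
    # DHCP: client port 68 talks to server port 67; the offer is broadcast,
    # so do not rely on conntrack pairing it with the request
    $IPT -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A INPUT  -p udp --sport 67 --dport 68 -j ACCEPT
}

# allow_user USER PROTO PORTS: new outbound connections for one account only.
# iptables resolves USER through /etc/passwd when the rule is loaded.
allow_user() {
    $IPT -A OUTPUT -m owner --uid-owner "$1" -p "$2" -m multiport --dports "$3" \
         -m conntrack --ctstate NEW -j ACCEPT
}

# Log a sample of what gets dropped (kernel log), then drop the rest.
final_rules() {
    $IPT -A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "OUT-DROP: "
    $IPT -A OUTPUT -j DROP
    $IPT -A INPUT  -m limit --limit 6/min -j LOG --log-prefix "IN-DROP: "
    $IPT -A INPUT  -j DROP
}

build() {
    base_rules
    # DNS for every local account; tighten to a resolver account if you run one
    $IPT -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    # Whitelist as "account:proto:ports" (placeholder accounts)
    for entry in "svc-web:tcp:80,443" "svc-mail:tcp:587,993"; do
        user=${entry%%:*}
        rest=${entry#*:}
        allow_user "$user" "${rest%%:*}" "${rest#*:}"
    done
    final_rules
}

# Rules are appended with -A, so the VM software's rules (and anything else
# already loaded) stay. To load them atomically instead, wrap the dry-run
# output in "*filter" ... "COMMIT" and feed it to "iptables-restore --noflush".
if [ "${1:-}" = "apply" ]; then
    build
fi
```

Order matters: the ESTABLISHED,RELATED rules sit first so replies never reach the owner checks, the owner rules only see NEW connections, and the DROP lines come last; "IPT=echo ./wopp.sh apply" shows the exact list before you commit to it.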
 
Old 04-28-2009, 04:14 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,345

Well, it doesn't look like it would conflict, except the default drops at the bottom, but you've not said anything about what distro / firewall system you're currently using. It's normally a much better option to take these rules and add them to your normal iptables configuration, e.g. /etc/sysconfig/iptables on a Red Hat / Fedora system.
 
Old 04-28-2009, 04:33 PM   #3
xoros
Member
 
Registered: Jun 2003
Posts: 45

Original Poster
Quote:
Originally Posted by acid_kewpie
It's normally a much better option to take these rules and add them to your normal iptables configuration, e.g. /etc/sysconfig/iptables on a Red Hat / Fedora system.
I thought iptables for Linux is basically the same no matter which distro you are using.

I guess I'm having a hard time figuring out how to integrate them with the rules already in place from what the vm software put there.

If I just whitelist whatever process the vm software is (and needs), will it work the same as if it was using its own previous rules?
 
Old 04-28-2009, 04:40 PM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,345

iptables is the same, but there are a million ways to control configuration files and services around iptables, which is just a command line tool that needs something to use it.
 
Old 04-28-2009, 04:51 PM   #5
xoros
Member
 
Registered: Jun 2003
Posts: 45

Original Poster
I know how to get the script to run at start up. That is not my problem.

My main question/problem is:
Quote:
Will my "whitelisting method", applied to a program that already made its own rules, allow it to work as if it was using its PREVIOUS rules?
In other words, does allowing the process work the same as just allowing certain IP ranges, port ranges, etc.?

For example, I have something similar to this already in iptables:
Code:
-A POSTROUTING -s 192.168.xxx.0/24 -d ! 192.168.xxx.0/24 -j MASQUERADE
Will allowing by process name, or my "OUTPUT -j DROP", mess that up?

Last edited by xoros; 04-28-2009 at 05:19 PM.
 
Old 04-29-2009, 05:30 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,345

Again, it depends how these rules are being implemented, so again it can depend on what distro and firewall mechanism you are using. Is it a secret?

In your specific example, you have a NAT operation and a filter operation, so they wouldn't directly conflict, as POSTROUTING is always done after OUTPUT. Of course, a catch-all DROP in OUTPUT would mean anything not explicitly passed already would never hit POSTROUTING and the rest of the world.
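An added example, not from the thread, that answers the "will my OUTPUT DROP break the MASQUERADE rule" question by looking at which chains each kind of traffic is evaluated in. The iptables-save excerpt is constructed (the vmnet8 interface and the 192.168.100.0/24 subnet are made up; the VM products the thread mentions add similar rules); point RULES at the real output of iptables-save to inspect your own host. Considering only the filter and nat tables: a packet a process on the host sends passes nat/OUTPUT, filter/OUTPUT and nat/POSTROUTING; a packet forwarded on behalf of a NATed VM passes nat/PREROUTING, filter/FORWARD and nat/POSTROUTING and never sees filter/OUTPUT at all. So the DROP at the end of OUTPUT cannot stop the VM's own traffic from reaching the MASQUERADE rule; that traffic is governed by FORWARD, and a whitelist for the VM belongs there.

```shell
#!/bin/sh
# Which of the rules already loaded is a given kind of traffic evaluated
# against? Added example, not from the thread. RULES defaults to a
# constructed iptables-save excerpt; for the live rule set (as root) use:
#   RULES="$(iptables-save)" sh where.sh forward
SAMPLE='# constructed sample, not taken from a real machine
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.100.0/24 ! -d 192.168.100.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i vmnet8 -j ACCEPT
-A FORWARD -o vmnet8 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j DROP
COMMIT'
RULES=${RULES:-$SAMPLE}

# Print "table/chain rule" for every -A line of iptables-save output on stdin.
rules_by_chain() {
    awk '/^\*/ { table = substr($1, 2); next }
         /^-A / { rule = $0; sub(/^-A [^ ]+ /, "", rule)
                  print table "/" $2 " " rule }'
}

# Chains (filter and nat tables only) on the path of each kind of traffic:
#   local-out  packet generated by a process on this host
#   forward    packet routed through this host, e.g. from a NATed VM
#   local-in   packet addressed to this host
# Forwarded packets never visit OUTPUT; locally generated ones never visit
# FORWARD. Both end in nat/POSTROUTING, where MASQUERADE lives (nat chains
# only see the first packet of each connection).
chains_for() {
    case $1 in
        local-out) echo "nat/OUTPUT filter/OUTPUT nat/POSTROUTING" ;;
        forward)   echo "nat/PREROUTING filter/FORWARD nat/POSTROUTING" ;;
        local-in)  echo "nat/PREROUTING filter/INPUT" ;;
        *) echo "unknown traffic kind: $1" >&2; return 1 ;;
    esac
}

# rules_hit_by KIND: the loaded rules KIND traffic is evaluated against.
# This is chain membership only; whether a rule then matches depends on
# the packet (the MASQUERADE rule above only matches the VM subnet).
rules_hit_by() {
    chains=" $(chains_for "$1") " || return 1
    printf '%s\n' "$RULES" | rules_by_chain | while read -r where rule; do
        case $chains in
            *" $where "*) printf '%s  %s\n' "$where" "$rule" ;;
        esac
    done
}

if [ -n "${1:-}" ]; then
    rules_hit_by "$1"
fi
```

With the sample, "sh where.sh forward" lists the MASQUERADE rule and the two FORWARD rules and nothing from OUTPUT, while "sh where.sh local-out" lists the MASQUERADE rule and the OUTPUT DROP; that is the whole answer to whether the two sets of rules interfere.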
 
Tags
filter, firewall, iptables, outbound, process, virtual, vm