LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 09-22-2004, 02:51 PM   #1
billy3
LQ Newbie
 
Registered: Sep 2004
Posts: 6

Rep: Reputation: 0
Blocking outgoing traffic from a specific port


Hi,

We have a Suse 8 box as the gateway for our network and we want to
prevent traffic from the internal network going out via specific ports
to the WAN. However, we want the internal network machines to still
be able to communicate via these same ports. We basically want to
prevent any worms that may have snuck into our LAN from going out and
getting our subnet banned by the WAN gateway

I'm a complete newbie at this. The only way to firewall in Linux I
know is using Suse's Yast2 control centre which has a simple firewall.

I would really appreciate any help on this.

Thanks
 
Old 09-22-2004, 04:25 PM   #2
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
It's a much better idea to set the firewall to block EVERYTHING... and only allow what you need / use.
 
Old 09-22-2004, 05:04 PM   #3
billy3
LQ Newbie
 
Registered: Sep 2004
Posts: 6

Original Poster
Rep: Reputation: 0
The problem is, the firewall blocks incoming traffic fine. However, I also need to block outgoing traffic but don't know how.
 
Old 09-22-2004, 09:11 PM   #4
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
same way you block incoming traffic, but place the rules in the OUTPUT chain.

Code:
#allow the machine to talk to itself...
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -o lo -j ACCEPT
#allow established and related traffic
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow dns lookups (without this, none of the names below can be resolved)
iptables -A OUTPUT -p udp --dport domain -j ACCEPT
#allow http web pages
iptables -A OUTPUT -p tcp --dport http -j ACCEPT
#allow https web pages
iptables -A OUTPUT -p tcp --dport https -j ACCEPT
#allow ftp
iptables -A OUTPUT -p tcp --dport ftp -j ACCEPT
#allow remote ssh logins
iptables -A OUTPUT -p tcp --dport ssh -j ACCEPT
#allow email
iptables -A OUTPUT -p tcp --dport pop3 -j ACCEPT
iptables -A OUTPUT -p tcp --dport smtp -j ACCEPT
#drop all else
iptables -P OUTPUT DROP

something like this?
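Before adding rules by hand to a box that SuSEFirewall2 already manages, it is worth checking what policy the chains actually have. The following POSIX sh script is an added example, not code from the thread or from SuSEFirewall2: it parses the text that `iptables-save` prints and reports, for each chain, whether it is default-deny (the approach argued for above) and which destination ports it explicitly accepts. The ruleset embedded in `SAMPLE_RULES` is constructed for the example; the function names `chain_policy`, `accepted_ports`, `is_default_deny` and `audit_chain` are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: audit a saved iptables ruleset for the
# default-deny policy recommended above. Input is the text format written by
# `iptables-save`; SAMPLE_RULES below is a constructed sample, not a real box.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 445 -j DROP
COMMIT'

# chain_policy RULES CHAIN: print the chain's default policy (ACCEPT, DROP, ...).
chain_policy() {
    printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2; exit }'
}

# accepted_ports RULES CHAIN: one "proto/port" line per explicit ACCEPT rule
# in CHAIN that matches on a destination port.
accepted_ports() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "-A" && $2 == c && $NF == "ACCEPT" {
            proto = "any"; port = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (port != "") print proto "/" port
        }'
}

# is_default_deny RULES CHAIN: true when packets no rule matches are dropped.
is_default_deny() {
    p=$(chain_policy "$1" "$2")
    [ "$p" = "DROP" ] || [ "$p" = "REJECT" ]
}

# audit_chain RULES CHAIN: print a one-line verdict for the chain.
audit_chain() {
    if is_default_deny "$1" "$2"; then
        echo "$2: default-deny; explicitly allowed: $(accepted_ports "$1" "$2" | tr '\n' ' ')"
    else
        echo "$2: policy $(chain_policy "$1" "$2"); anything not hit by a DROP rule passes"
    fi
}

# On a live gateway (as root): audit_chain "$(iptables-save)" OUTPUT
for chain in INPUT FORWARD OUTPUT; do
    audit_chain "$SAMPLE_RULES" "$chain"
done
```

In the constructed sample only INPUT is default-deny; OUTPUT and FORWARD have an ACCEPT policy with a single DROP rule, which is exactly the "allow everything except a few ports" shape the posts above warn against. On a real box, feed the script `iptables-save` output and look at FORWARD as well as OUTPUT, since on a gateway the internal hosts' traffic goes through FORWARD.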
 
Old 09-22-2004, 09:18 PM   #5
billy3
LQ Newbie
 
Registered: Sep 2004
Posts: 6

Original Poster
Rep: Reputation: 0
Ok. But say I want to block outbound traffic from port 445 only, could I just say:

iptables -A OUTPUT -p tcp --dport 445 -j DROP

?

Thanks
 
Old 09-23-2004, 06:26 AM   #6
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
--dport means destination port....
--sport means source port... but I have no idea why you would want to use source port! The source ports are high (bigger than 1024) and random.

I think you mean destination port?

but yes you could do that... but that rule wouldn't do anything.
 
Old 09-23-2004, 10:17 AM   #7
xnd
LQ Newbie
 
Registered: Sep 2004
Posts: 12

Rep: Reputation: 0
Quote:
Originally posted by qwijibow
--dport means destination port....
--sport means source port... but I have no idea why you would want to use source port! The source ports are high (bigger than 1024) and random.

I think you mean destination port?

but yes you could do that... but that rule wouldn't do anything.
Well, I think you misread the previous topic ... how come this rule wouldn't work fine?
 
Old 09-23-2004, 11:22 AM   #8
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
When data is passed from one place to another, it travels in something called a packet... ICMP, UDP or TCP. TCP and UDP packets use UNIX ports, a type of interface.

for example.. if something is addressed to port 80... the data is delivered to any program listening on port 80.. usually an http web server.

The ports are standardised... there are FTP ports, HTTP ports, HTTPS ports, SSH, TELNET, SMTP, POP.. the list goes on... now, because these destination ports are standardised, you can use a firewall to block all packets, except those belonging to a wanted service... like http web pages...

However, source ports are usually random... not standardised, so writing firewall rules for them is rarely included.

it's much better to use a firewall that blocks everything, except a selected few ports, rather than a firewall that allows everything except a few specified ports.
 
Old 09-24-2004, 10:30 AM   #9
billy3
LQ Newbie
 
Registered: Sep 2004
Posts: 6

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by qwijibow
When data is passed from one place to another, it travels in something called a packet... ICMP, UDP or TCP. TCP and UDP packets use UNIX ports, a type of interface.

for example.. if something is addressed to port 80... the data is delivered to any program listening on port 80.. usually an http web server.

The ports are standardised... there are FTP ports, HTTP ports, HTTPS ports, SSH, TELNET, SMTP, POP.. the list goes on... now, because these destination ports are standardised, you can use a firewall to block all packets, except those belonging to a wanted service... like http web pages...

However, source ports are usually random... not standardised, so writing firewall rules for them is rarely included.

it's much better to use a firewall that blocks everything, except a selected few ports, rather than a firewall that allows everything except a few specified ports.
Currently we're just using SuSEFirewall2 through the Yast2 interface. Our head IT guy wants to keep it simple and doesn't want to turn on the "protect from internal network" feature, so I'm kind of in a conundrum. He just wants port 445 sealed off since the WAN admins detected garbage coming out of port 445.

So does that mean that the source port is 445? Should I, as root, do:

iptables -A OUTPUT -p tcp --sport 445 -j DROP
iptables -A OUTPUT -p udp --sport 445 -j DROP
 
Old 09-24-2004, 11:55 AM   #10
qwijibow
Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
Yes......
but like I said earlier.... the fact that this traffic isn't blocked already shows you have some major problems with your firewall settings.
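The two rules in the previous post go in the OUTPUT chain, which on a gateway only sees packets the gateway itself generates; packets that internal machines send out through the gateway cross the FORWARD chain instead. The script below is an added example, not from the thread, of the gateway-side version of the original requirement: LAN hosts are stopped from reaching port 445 on the WAN, LAN-to-LAN port 445 is untouched, and each dropped attempt is logged so the infected machine can be identified. It assumes placeholder interface names (`eth1` towards the LAN, `eth0` towards the WAN); the chain name `EGRESS_BLOCK` and the functions `setup_egress_chain`, `block_egress` and `show_hits` are this example's own. The `--sport 445` form from the post above is the same command with `--sport` substituted; a worm connecting outward uses a random source port and a fixed destination port, so `--dport` is the match that catches it.

```shell
#!/bin/sh
# Added example, not from the thread: gateway rules that stop internal hosts
# reaching port 445 on the WAN while leaving port 445 inside the LAN alone.
# Interface names are placeholders; adjust them to the gateway's real layout.
LAN_IF=${LAN_IF:-eth1}   # interface facing the internal network (assumed)
WAN_IF=${WAN_IF:-eth0}   # interface facing the WAN (assumed)

# Dry run by default: the iptables commands are printed, not executed.
# Run with APPLY=1 as root to apply them for real.
if [ "${APPLY:-0}" = "1" ]; then IPT=iptables; else IPT="echo iptables"; fi

# Packets that internal hosts send through the gateway cross the FORWARD
# chain; OUTPUT only sees packets the gateway itself generates. Matching on
# -i LAN_IF -o WAN_IF is what keeps LAN-to-LAN traffic unaffected.
setup_egress_chain() {
    $IPT -N EGRESS_BLOCK
    # Inserted at position 1 so it is evaluated before SuSEFirewall2's own rules.
    $IPT -I FORWARD 1 -i "$LAN_IF" -o "$WAN_IF" -j EGRESS_BLOCK
}

# block_egress PROTO PORT: log (rate-limited) and then drop LAN->WAN packets
# whose destination port is PORT. A worm's source port is ephemeral, so the
# destination port is the stable thing to match on.
block_egress() {
    proto=$1
    port=$2
    $IPT -A EGRESS_BLOCK -p "$proto" --dport "$port" -m limit --limit 6/min \
        -j LOG --log-prefix "EGRESS_BLOCK $proto/$port: "
    $IPT -A EGRESS_BLOCK -p "$proto" --dport "$port" -j DROP
}

# show_hits: the rule counters tell you whether anything is being caught; the
# matching syslog lines (prefix EGRESS_BLOCK) carry SRC=<internal host>,
# which is how you find the machine that is generating the traffic.
show_hits() {
    $IPT -L EGRESS_BLOCK -v -n
}

setup_egress_chain
block_egress tcp 445
block_egress udp 445
show_hits
```

Run it once without `APPLY=1` to read the commands it would issue, then as root with `APPLY=1`. The `-N` step fails if the chain already exists, so on a re-run flush it first with `iptables -F EGRESS_BLOCK`; and because SuSEFirewall2 rewrites the tables when it restarts, rules added this way need to be reapplied afterwards (or placed in its custom-rules hook).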
 
Old 09-24-2004, 09:10 PM   #11
tekhead2
Member
 
Registered: Apr 2004
Distribution: slackware/FreeBSD/Vector
Posts: 291

Rep: Reputation: 52
A related issue with worms, etc. on inside of firewall

I'm having an issue similar to this. I have my firewall shored up to block all ports coming in, unless they are requested. It's basically a stateful firewall. So if a client on my LAN asked for something, the firewall will naturally allow the outgoing packet to pass. I think that one of my boxes has been owned or something. I have checked for rootkits and any known exploits and have been capturing packets promiscuously and have noticed some funny activity. I have seen a lot of activity in the port range of 6881-6889. I had opened these ports earlier to allow some bit-torrent connectivity, but have since closed them. I have a 6.5Mb connection, and it has basically been crippled to a measly 300k. I have noticed a lot of outgoing traffic but no incoming. I know that I do not have any torrents running, and I have a firewall on each PC on my LAN. I have been checking top on all of my systems to see if the torrent client is in zombie or something, but it's pretty much all clear, and the load on the system is low. I was wondering if there is any known exploit with the bit-torrent client for Linux? Since it runs in Python, I'm no programmer, but I'm pretty sure that someone could do it. I'm also concerned about my top program on each system. I know it's possible for someone to falsify or totally change that command. Is there a way to verify that top has not been tampered with? I have snort running and have not seen any attacks, I also have tripwire running and haven't noticed any changes to the torrent client. I think I have been totally hacked and owned, and some hacker is using my LAN as a proxy. Any thoughts, comments or suggestions would be appreciated!
 
  

