LinuxQuestions.org forum: Linux - Security (all security related questions: tips, system compromises, firewalls, etc.)
We have a Suse 8 box as the gateway for our network and we want to prevent traffic from the internal network going out via specific ports to the WAN. However, we want the internal network machines to still be able to communicate via these same ports. We basically want to prevent any worms that may have snuck into our LAN from going out and getting our subnet banned by the WAN gateway.
I'm a complete newbie at this. The only way to firewall in Linux I know is using Suse's Yast2 control centre, which has a simple firewall.
Same way you block incoming traffic, but place the rules in the OUTPUT chain.
Code:
#allow the machine to talk to itself...
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -o lo -j ACCEPT
#allow established and related traffic
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow http web pages (port names are resolved via /etc/services)
iptables -A OUTPUT -p tcp --dport http -j ACCEPT
#allow https web pages
iptables -A OUTPUT -p tcp --dport https -j ACCEPT
#allow ftp
iptables -A OUTPUT -p tcp --dport ftp -j ACCEPT
#allow remote ssh logins
iptables -A OUTPUT -p tcp --dport ssh -j ACCEPT
#allow email
iptables -A OUTPUT -p tcp --dport pop3 -j ACCEPT
iptables -A OUTPUT -p tcp --dport smtp -j ACCEPT
#drop all else (default policy of the chain)
iptables -P OUTPUT DROP
--dport means destination port....
--sport means source port... but I have no idea why you would want to use source port! The source ports are high (bigger than 1024) and random.
I think you mean destination port?
But yes, you could do that... but that rule wouldn't do anything.
Originally posted by qwijibow:
--dport means destination port....
--sport means source port... but I have no idea why you would want to use source port! The source ports are high (bigger than 1024) and random.
I think you mean destination port?
But yes, you could do that... but that rule wouldn't do anything.
Well, I think you misread the previous topic... how come this rule wouldn't work fine?
When data is passed from one place to another, it travels in something called a packet... ICMP, UDP or TCP. TCP and UDP packets use UNIX ports types of interfaces.
For example... if something is addressed to port 80... the data is delivered to any program listening to port 80... usually an HTTP web server.
The ports are standardised... there are FTP ports, HTTP ports, HTTPS ports, SSH, TELNET, SMTP, POP... the list goes on... Now, because these destination ports are standardised, you can use a firewall to block all packets except those belonging to a wanted service... like HTTP web pages...
However, source ports are usually random... not standardised, so writing firewall rules for them is rarely included.
It's much better to use a firewall that blocks everything except a selected few ports, rather than a firewall that allows everything except a few specified ports.
Originally posted by qwijibow:
When data is passed from one place to another, it travels in something called a packet... ICMP, UDP or TCP. TCP and UDP packets use UNIX ports types of interfaces.
For example... if something is addressed to port 80... the data is delivered to any program listening to port 80... usually an HTTP web server.
The ports are standardised... there are FTP ports, HTTP ports, HTTPS ports, SSH, TELNET, SMTP, POP... the list goes on... Now, because these destination ports are standardised, you can use a firewall to block all packets except those belonging to a wanted service... like HTTP web pages...
However, source ports are usually random... not standardised, so writing firewall rules for them is rarely included.
It's much better to use a firewall that blocks everything except a selected few ports, rather than a firewall that allows everything except a few specified ports.
Currently we're just using SuSEFirewall2 through the Yast2 interface. Our head IT guy wants to keep it simple and doesn't want to turn on the "protect from internal network" feature, so I'm kind of in a conundrum. He just wants port 445 sealed off since the WAN admins detected garbage coming out of port 445.
So does that mean that the source port is 445? Should I, as root, do:
iptables -A OUTPUT -p tcp --sport 445 -j DROP
iptables -A OUTPUT -p udp --sport 445 -j DROP
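The thread's actual goal is to stop LAN hosts from reaching port 445 on the WAN while they keep talking to each other, so here is an added example of how a gateway does that (this is not code from qwijibow or the original poster). Two points the posts leave implicit: traffic routed through the gateway passes its FORWARD chain, while the OUTPUT chain only sees packets the gateway itself originates, so OUTPUT rules would not touch the LAN machines at all; and the match is on the destination port, exactly as qwijibow says, because a worm's source port is arbitrary but its target port is not. The interface names eth0/eth1, the subnet 192.168.1.0/24 and the chain name EGRESS_BLOCK are assumptions; port 445 is the one from the thread.

```shell
#!/bin/sh
# Added example: gateway egress filter that blocks LAN hosts from reaching a given
# destination port on the WAN. Routed traffic crosses the gateway's FORWARD chain;
# OUTPUT only sees packets the gateway itself originates.
# Interface names, subnet and chain name are assumptions (override via environment).
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"               # assumed LAN-side interface
WAN_IF="${WAN_IF:-eth1}"               # assumed WAN-side interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed internal subnet
CHAIN="EGRESS_BLOCK"                   # dedicated chain holding the block rules

# egress_rules PROTO PORT
# Prints the iptables arguments (one rule per line) that log a rate-limited sample
# of, and then drop, LAN packets addressed to PORT. --dport is the point: the worm's
# source port is random, the service it hunts for is not.
egress_rules() {
    proto="$1"; port="$2"
    match="-A $CHAIN -s $LAN_NET -p $proto --dport $port"
    printf '%s\n' \
        "$match -m limit --limit 5/min -j LOG --log-prefix EGRESS-$proto-$port:" \
        "$match -j DROP"
}

# apply_egress_policy PROTO:PORT...
# Creates (or flushes) the chain, hooks it at the top of FORWARD for LAN->WAN traffic
# only, and adds the rules for every PROTO:PORT pair given. Inserting the hook at
# position 1 makes it win over any existing "allow everything out" rule further down.
# LAN-to-LAN traffic never matches because it does not leave via WAN_IF.
apply_egress_policy() {
    $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"
    $IPT -D FORWARD -i "$LAN_IF" -o "$WAN_IF" -j "$CHAIN" 2>/dev/null || true
    $IPT -I FORWARD 1 -i "$LAN_IF" -o "$WAN_IF" -j "$CHAIN"
    for pair in "$@"; do
        proto="${pair%%:*}"; port="${pair##*:}"
        egress_rules "$proto" "$port" | while IFS= read -r rule; do
            $IPT $rule   # unquoted on purpose: the rule text becomes separate arguments
        done
    done
}

# `sh egress.sh` only prints the commands; `sh egress.sh apply` (as root) installs them.
# Port 445 is the one discussed in the thread; add more PROTO:PORT pairs as needed.
if [ "${1:-preview}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
else
    IPT="echo $IPT"
fi
apply_egress_policy tcp:445 udp:445
```

Run it without arguments first to review the generated rules. On a box where SuSEFirewall2 manages the tables, rules added by hand are lost the next time it reloads, so in practice they belong in its custom-rules hook; the logged lines (prefix EGRESS-tcp-445:) also tell you which internal host is doing the talking, which is the real question when a worm is suspected.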
A related issue with worms, etc. on the inside of the firewall
I'm having an issue similar to this. I have my firewall shored up to block all ports coming in, unless they are requested. It's basically a stateful firewall. So if a client on my LAN asked for something, the firewall will naturally allow the outgoing packet to pass.
I think that one of my boxes has been owned or something. I have checked for rootkits and any known exploits and have been capturing packets promiscuously and have noticed some funny activity. I have seen a lot of activity in the port range of 6881-6889. I had opened these ports earlier to allow some bit-torrent connectivity, but have since closed them. I have a 6.5Mb connection, and it has basically been crippled to a measly 300k. I have noticed a lot of outgoing traffic but no incoming. I know that I do not have any torrents running, and I have a firewall on each PC on my LAN. I have been checking top on all of my systems to see if the torrent client is in zombie or something, but it's pretty much all clear, and the load on the system is low.
I was wondering if there is any known exploit with the bit-torrent client for Linux? Since it runs in Python... I'm no programmer, but I'm pretty sure that someone could do it. I'm also concerned about my top program on each system. I know it's possible for someone to falsify or totally change that command. Is there a way to verify that top has not been tampered with? I have snort running and have not seen any attacks; I also have tripwire running and haven't noticed any changes to the torrent client. I think I have been totally hacked and owned, and some hacker is using my LAN as a proxy. Any thoughts, comments or suggestions would be appreciated!
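To find which LAN host is behind unexplained outbound traffic like the 6881-6889 activity described above, the gateway's own iptables LOG lines can be aggregated by source address, counting how many distinct destinations each source contacts on the port range of interest: a host fanning out to many destinations on one port is what a worm or a rogue client looks like from the gateway, whereas a legitimate client talks to a few. This is an added example, not code from the poster; the log lines are constructed samples in the kernel LOG-target format, and the addresses and the EGRESS-tcp-445 / FWD-LOG prefixes are invented for illustration.

```shell
#!/bin/sh
# Added example: summarise iptables LOG output to spot the LAN host generating
# suspicious outbound connections. SAMPLE_LOG holds constructed lines in the
# kernel LOG-target format (SRC=, DST=, PROTO=, SPT=, DPT= fields).
SAMPLE_LOG='Jan 10 12:00:01 gw kernel: EGRESS-tcp-445: IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1234 DF PROTO=TCP SPT=1034 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 12:00:02 gw kernel: EGRESS-tcp-445: IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=203.0.113.9 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1235 DF PROTO=TCP SPT=1035 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 12:00:02 gw kernel: EGRESS-tcp-445: IN=eth0 OUT=eth1 SRC=192.168.1.40 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=77 DF PROTO=TCP SPT=40000 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 12:00:03 gw kernel: FWD-LOG: IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1236 DF PROTO=TCP SPT=1036 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 12:00:03 gw kernel: FWD-LOG: IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=198.51.100.8 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1237 DF PROTO=TCP SPT=1037 DPT=6889 WINDOW=65535 RES=0x00 SYN URGP=0'

# top_talkers LOW HIGH  (reads log lines on stdin)
# For packets whose destination port lies in [LOW, HIGH], counts the distinct
# destination hosts each source address contacted and prints "SRC count",
# busiest source first. Lines without SRC=/DPT= fields are ignored.
top_talkers() {
    low="$1"; high="$2"
    awk -v low="$low" -v high="$high" '
        {
            src = ""; dst = ""; dpt = -1
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)      src = substr($i, 5)
                else if ($i ~ /^DST=/) dst = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5) + 0
            }
            if (src != "" && dpt >= low && dpt <= high) {
                key = src SUBSEP dst
                if (!(key in seen)) { seen[key] = 1; hosts[src]++ }
            }
        }
        END { for (s in hosts) print s, hosts[s] }
    ' | sort -k2,2nr -k1,1
}

# Usage against the constructed sample: who is probing SMB, and who is on the
# torrent range? In real use, feed it the kernel log, e.g. `grep EGRESS- /var/log/messages`.
echo "destination hosts contacted on 445:"
printf '%s\n' "$SAMPLE_LOG" | top_talkers 445 445
echo "destination hosts contacted on 6881-6889:"
printf '%s\n' "$SAMPLE_LOG" | top_talkers 6881 6889
```

Counting distinct destinations rather than raw packets is deliberate: a worm scanning for port 445 touches many hosts once each, while one noisy but legitimate session produces many packets to one host. The same host (192.168.1.23 in the sample) topping both lists is the kind of correlation that points at the box to take off the network and inspect.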