LinuxQuestions.org, Linux - Security forum
11-22-2007, 09:36 AM   #1
reverse (Member; Registered: Apr 2007; Distribution: Gentoo)
iptables / output *drop* policy


Suppose your iptables script starts with something like the following:

Code:
iptables -P OUTPUT DROP
As you still want to be able to send email, use a Web browser, and what not other various tasks, you'll have to explicitly enable them. My question is as follows: are there any special considerations to be taken care of so that you do not end up sabotaging your system (i.e. you have to allow DNS requests) ("gotchas" perhaps)?

Also: is it possible to only allow certain binaries to send packets? I.e. you want your users to be able to IRC, but in order to do this they *have* to use /usr/bin/irc_client; running ~/irc_client would not have to work. Apply this for all protocols. Again, would this be dangerous (sabotaging your system)?

Last edited by reverse; 11-22-2007 at 09:37 AM.
 
11-22-2007, 10:14 AM   #2
Simon Bridge (Guru; Registered: Oct 2003; Location: Waiheke NZ; Distribution: Ubuntu)
Quote:
My question is as follows: are there any special considerations to be taken care of so that you do not end up sabotaging your system (i.e. you have to allow DNS requests) ("gotchas" perhaps)?
You must allow the loopback interface.

For everything else, make a list of services you want to access out of the box, where, and under what circumstances... allow those. You'll soon know if you missed one.

Quote:
Also: is it possible to only allow certain binaries to send packets? I.e. you want your users to be able to IRC, but in order to do this they *have* to use /usr/bin/irc_client; running ~/irc_client would not have to work.
The best way to force users to use only a specific application is to deny them access to any others on the box. The best way to do that is to remove them all.

It's usually only a concern if you know an application has a specific exploit that you would like to avoid.

I understand you can use the --cmd-owner option to allow connections based on the launching process.

There is a highly entertaining and interesting discussion on outbound policies here:
http://ubuntuforums.org/showthread.php?t=131616&page=4
 
11-22-2007, 10:17 AM   #3
win32sux (Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu)
Yeah, starting with a DROP policy for OUTPUT is quite healthy. There are no "gotchas" at all. You basically make ACCEPT rules for the stuff you want to allow and that's it. Of course, if it's the first time you take this approach then most likely you'll have to look at your log file a couple times to figure-out why something isn't working.

As for the question about making rules for certain binaries, I think the --cmd-owner parameter for the owner module does this, but I've never used it so I'm not sure. From "man iptables" on Ubuntu 7.10:
Code:
       --cmd-owner name
              Matches  if  the  packet was created by a process with the given
              command name.

              (Please note: This option requires kernel support that might not
              be  available in official Linux kernel sources or Debian's packaged
              Linux kernel sources.  And if support for  this  option  is
              available  for  the  specific  Linux kernel source version, that
              support might  not  be  enabled  in  the  current  Linux  kernel
              binary.)

       NOTE: pid, sid and command matching are broken on SMP
EDIT: Beaten by Simon Bridge!

Last edited by win32sux; 11-22-2007 at 10:19 AM.
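As an added example (not code from any of the posts above), here is an OUTPUT-chain script of the kind both answers describe: a DROP policy, loopback and already-established traffic allowed first, DNS, web and mail opened explicitly, and a rate-limited LOG rule ahead of the policy so anything that was missed shows up in syslog instead of silently failing. For the "only certain programs may connect" question it uses the owner match's --gid-owner: --cmd-owner, --pid-owner and --sid-owner were removed from the kernel's owner match in Linux 2.6.14, so --uid-owner/--gid-owner are what current systems offer. The group name "irc", the port lists and the multiport/state module usage are assumptions made for this example. Run as root to apply the rules; any other user gets a dry run that prints them.

```shell
#!/bin/sh
# Added example for the thread above, not from the original posts.
# Builds an OUTPUT chain with a DROP policy. Pass "echo" as the first
# argument to print the rules instead of applying them (dry run).

# Assumption for the example: users allowed to IRC are in a group called "irc".
IRC_GROUP=${IRC_GROUP:-irc}

build_output_rules() {
    ipt=${1:-iptables}

    # Fail closed first, then rebuild the chain. Everything below uses
    # numeric ports, so the script itself never needs DNS while the policy is DROP.
    "$ipt" -P OUTPUT DROP
    "$ipt" -F OUTPUT

    # 1. Loopback. Without this, local daemons and local resolvers break.
    "$ipt" -A OUTPUT -o lo -j ACCEPT

    # 2. Replies to connections that were already accepted (e.g. inbound SSH).
    "$ipt" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. DNS: the classic gotcha. Without it, name lookups fail and
    #    every client looks broken even though its port is open.
    "$ipt" -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    "$ipt" -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT

    # 4. Web and mail, the services named in the question.
    "$ipt" -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    "$ipt" -A OUTPUT -p tcp -m multiport --dports 25,465,587 -m state --state NEW -j ACCEPT

    # 5. IRC, but only for sockets owned by the "irc" group (owner match, OUTPUT only).
    #    --cmd-owner is gone from current kernels; uid/gid matching is what remains.
    "$ipt" -A OUTPUT -p tcp -m multiport --dports 6667,6697 \
        -m owner --gid-owner "$IRC_GROUP" -m state --state NEW -j ACCEPT

    # 6. Log whatever is about to fall through to the DROP policy, rate-limited
    #    so a chatty misconfiguration cannot flood syslog.
    "$ipt" -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT DROP: " --log-level 4
}

if [ "$(id -u)" -eq 0 ]; then
    build_output_rules iptables
else
    # Not root: dry run, print the rules that would be applied.
    build_output_rules echo
fi
```

Two caveats worth keeping in mind. The owner match keys on the uid/gid of the socket's owner, not on the executable path, so it cannot tell /usr/bin/irc_client from ~/irc_client run by the same account, and code that manages to run inside an already-permitted process inherits that process's credentials and passes the rule; it is a least-privilege control, not an integrity check. Second, the LOG rule is what makes the "look at your log file" step in the answers work: grep syslog for the prefix, find the port, add the ACCEPT rule above the LOG line.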
 
11-22-2007, 10:39 AM   #4
reverse (Member; Registered: Apr 2007; Distribution: Gentoo; Original Poster)
Thanks for the replies guys. Well, I was thinking restricting certain connections to specific originating binaries could help against *some* connect-back shellcode?