LinuxQuestions.org
Old 03-19-2013, 05:57 PM   #1
peridian
Member
 
Registered: Jan 2010
Posts: 55

Rep: Reputation: 16
iptables setup to block all traffic except HTTP Outbound


Hi,

I've been trying to set up the iptables file on a box by copying one from an existing setup. I want it to block all inbound and only have outbound or forwarding allowed for HTTP traffic.

I can't quite get this to work; the DNS lookups keep failing. Can anybody tell me what I've missed?

Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall - [0:0]
:RH-Firewall-Outbound - [0:0]
-A INPUT -j RH-Firewall
-A FORWARD -j RH-Firewall-Outbound
-A FORWARD -j RH-Firewall
-A OUTPUT -j RH-Firewall-Outbound
-A OUTPUT -j RH-Firewall

# Allow loopback adapter
-A RH-Firewall -i lo -j ACCEPT

# Block all low-level network commands
-A RH-Firewall -p icmp --icmp-type any -j REJECT --reject-with icmp-host-prohibited

# Standard setup allows protocol 50/1
-A RH-Firewall-Outbound -p 50 -j ACCEPT
-A RH-Firewall-Outbound -p 51 -j ACCEPT

# Not sure what this one is for...
-A RH-Firewall-Outbound -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT

# Not sure what port 631 is for...
-A RH-Firewall-Outbound -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-Outbound -p tcp -m tcp --dport 631 -j ACCEPT

# Allow established connections
-A RH-Firewall -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow HTTP/S traffic heading out of the gateway at 192.168.1.254
-A RH-Firewall-Outbound -m state --state NEW -m tcp -p tcp --dport 80 -d 192.168.1.0/24 -j ACCEPT
-A RH-Firewall-Outbound -m state --state NEW -m tcp -p tcp --dport 443 -d 192.168.1.0/24 -j ACCEPT

# Block anything else
-A RH-Firewall -j REJECT --reject-with icmp-host-prohibited
COMMIT

Regards,
Rob.
 
Old 03-19-2013, 06:30 PM   #2
yowi
Member
 
Registered: Dec 2002
Location: Au
Distribution: Debian
Posts: 209

Rep: Reputation: 52
Quote:
Originally Posted by peridian View Post
block all inbound and only have outbound or forwarding allowed for HTTP traffic.

... DNS lookups keep failing. Can anybody tell me what I've missed?
You've blocked DNS...

I think you've picked a bad example to start from.

Should write more but it's late, here's a list of common port assignments anyway:
http://en.wikipedia.org/wiki/List_of...P_port_numbers.
 
Old 03-20-2013, 03:23 PM   #3
peridian
Member
 
Registered: Jan 2010
Posts: 55

Original Poster
Rep: Reputation: 16
Doh, you're absolutely right. Didn't realise port 53 was the DNS. It appears it was in the original but I removed it.

Thanks for that.

Regards,
Rob.
 
Old 03-22-2013, 12:19 PM   #4
yowi
Member
 
Registered: Dec 2002
Location: Au
Distribution: Debian
Posts: 209

Rep: Reputation: 52
Some detail on why I think you've picked a bad example:
All chains default to accept - Why oh why oh why? Basic security policy is deny unless accepted so set default to drop or reject and only accept on your chosen specific criteria.

Forward chain:
Drop by default.
Are you routing or bridging or something? If not, Forward needs no rules and there's no need for the RH-Firewall chains.

Inbound chain:
Drop by default to leave port scans and unwanted connection attempts to time out.
Packets from established connections only are accepted so:
Code:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
is all that's needed because everything else is dropped by default, super simple.

Output chain:
Reject by default to give a quick refusal to your client software.
You say you only want HTTP so accept TCP connections to port 80 (and 443 for HTTPS I guess) and hope no one ever needs to get to an HTTP server that's running on a non-standard port.
And DNS on 53.

The problem with output restrictions is that they can be problematic for legitimate users and only an annoyance to a determined attacker, who will simply run whatever he wants over the ports you are permitting to a server he controls. You need an HTTP proxy and internal DNS service to block those holes.

PS
Rusty's HOW-TO is recommended reading:
http://www.netfilter.org/documentati...ing-HOWTO.html

Last edited by yowi; 03-22-2013 at 12:23 PM.
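The default-deny ruleset described in the post above, written out in iptables-save format as an added example (not posted by anyone in this thread). It assumes the box is not routing, so FORWARD carries no rules, and that the resolver is the gateway at 192.168.1.254 (an assumption; substitute the real resolver). The mDNS (udp/5353 to 224.0.0.251), IPP/CUPS (631) and IPsec (protocols 50/51) rules from the copied template are left out because none of them are needed for HTTP-only egress.

```iptables
*filter
# Built-in chain policies may only be ACCEPT or DROP, so the "reject by
# default" on OUTPUT is done with a final catch-all rule further down.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Loopback in both directions (local resolvers, anything talking to 127.0.0.1).
# -i is only meaningful on INPUT, -o on OUTPUT.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Inbound: only replies to connections this host opened itself.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Outbound: replies first, then the few NEW connections we permit.
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS to the assumed resolver. UDP is tracked by conntrack too, so the
# NEW match works here; TCP/53 covers truncated (large) answers.
-A OUTPUT -p udp --dport 53 -d 192.168.1.254 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -d 192.168.1.254 -m state --state NEW -j ACCEPT
# HTTP and HTTPS.
-A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Everything else outbound is refused immediately so client software
# fails fast instead of hanging on a dropped packet.
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
```

Load it with `iptables-restore < file` and check the result with `iptables -L -v -n`; a DNS lookup should now succeed while, for instance, an outbound SSH attempt is rejected at once.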
 
Old 03-23-2013, 10:05 AM   #5
peridian
Member
 
Registered: Jan 2010
Posts: 55

Original Poster
Rep: Reputation: 16
Excellent, thanks for the advice and the link, that was very useful.

Cheers,
Rob.
 