Did you know LQ has a Linux Hardware Compatibility List?
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 03-29-2005, 08:27 AM   #1
LQ Newbie
Registered: Dec 2004
Posts: 5

Rep: Reputation: 0
SuSEfirewall - how to block outgoing connections

I've a SuSE 9.1 and use SuSEfirewall, how can I lock outgoing connection from the pc in the network?
For example I would like to lock outgoing connection using the tcp port 4662 (emule).
Old 03-30-2005, 05:52 PM   #2
Registered: Oct 2004
Posts: 229

Rep: Reputation: 30
I had Suse and didn't like the scripting of the firewall, so I deleted the init scripts and put up my own simple iptable commands.

iptables -A OUTPUT -p tcp --source-port 4662 -j DROP


iptables -A OUTPUT -p tcp --destination-port 4662 -j DROP

will be silently discarded or you can use -j REJECT so that the application doesn't have to wait for the timeout.
Old 04-02-2005, 05:20 PM   #3
Registered: Jan 2004
Distribution: suse/slack/gentoo/lfs (not-in-that-order)
Posts: 281

Rep: Reputation: 30
would you mind giving a couple line example for configuring IP Table to allow only evolution and firefox to access the internet for instance?
Old 04-02-2005, 07:27 PM   #4
Registered: Jul 2003
Distribution: RH 7.3 , RH9,RHEL,FC
Posts: 38

Rep: Reputation: 15
forward chain

if you are forwarding internet by masquerading your internal network, such as a rule

Iptables -t nat -A POSTROUTING -o eth-external -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

you should insert a rule above the forward chain (established, related) to expressly deny port 4662, since you are trying to block it as a destination port, you will only need the --dport flag in your forward rul

Iptables -t nat -A POSTROUTING -o eth-external -j ACCEPT
iptables -A FORWARD -p tcp --dport 4462 -j DROP/REJECT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth-internal -s -j ACCEPT
Old 04-02-2005, 09:08 PM   #5
Senior Member
Registered: Jun 2003
Distribution: Debian/other
Posts: 2,104

Rep: Reputation: 45
would you mind giving a couple line example for configuring IP Table to allow only evolution and firefox to access the internet for instance?
There might be a module that facilitates this functionality ??? - I'm not sure though, somebody else might be able to guide you further on that particular point - however, on a related point, it's worth mentioning for newer users that you can still deploy some useful egress (outbound) filtering ideas via IPtables: - as an example, looking at the outbound filtering aspect for a possible workstation script:

iptables -P OUTPUT DROP  
iptables -A OUTPUT -o lo -j ACCEPT  
iptables -A OUTPUT -o eth0 -p udp --dport 53 --sport 1024:65535 -j ACCEPT  
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,110,443 -j ACCEPT
As you can see, in a relatively straight-forward manner, you can drop all outbound connections, except for access to ports which you explicity define. Admitedly, this isn't discriminating on a per-application basis, but it's a step in the right direction.

Last edited by Skyline; 04-02-2005 at 11:23 PM.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Block outgoing traffic through router? Micro420 Linux - Networking 3 03-15-2005 07:01 AM
firewall outgoing connections hotrodowner Linux - Security 2 02-22-2004 12:51 PM
preventing users to make outgoing connections Shroom Linux - Security 5 06-15-2003 05:57 AM
outgoing connections DonMiner Linux - Networking 2 05-02-2003 09:51 AM
Spurious outgoing connections while browsing LQ the theorist LQ Suggestions & Feedback 1 05-24-2002 10:29 AM

All times are GMT -5. The time now is 07:43 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration