
xoros 04-28-2009 05:07 PM

Iptables Control Outbound Connections - need help
I want to have this script run at startup and add these rules to iptables. But do I have to flush all chains first? Or will this work OK how it is?

My virtual machine software places a bunch of rules in there and I didn't want this to conflict with that. I'm not sure what all the processes are that the VM uses, so it's kind of difficult to whitelist that.

Any ideas/suggestions? Should I try to whitelist the VM?


#!/bin/sh
# -WOPP- Whitelist Outbound Processes/Programs
# v1.0 by xoros
# Purpose: You don't need to allow -ALL- outbound traffic -ALL- the time!

# First we define normal services to be allowed
# Comment-out any to turn off what you don't want
# accept localhost traffic
iptables -A INPUT -i lo -j ACCEPT
# accept dns tcp
iptables -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
# accept dns udp
iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
# accept dhcp
iptables -A INPUT -p udp -m udp --sport 67:68 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 67:68 -j ACCEPT
# accept http and https
iptables -A INPUT -p tcp -m multiport --sports 80,88,443 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,88,443 -j ACCEPT
# mail tls outbound
# iptables -A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
# mail ssl outbound
# iptables -A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT

# Now we can use our whitelist
# Manually use "ps aux" to find names
# Substitute "wprocessname1..etc" with names you want
WHTPROC="wprocessname1 wprocessname2"
for whtproc in $WHTPROC
do
    # first matching PID (column 2 of "ps aux"); the grep process itself is
    # filtered out so it does not match its own command line
    pid=`ps aux | grep "$whtproc" | grep -v grep | head -n 1 | awk '{print $2}'`
    # skip names that are not running, otherwise iptables gets an empty --pid-owner
    [ -n "$pid" ] || continue
    iptables -A OUTPUT -p tcp -m owner --pid-owner "$pid" -j ACCEPT
    iptables -A OUTPUT -p udp -m owner --pid-owner "$pid" -j ACCEPT
done

# Drop everything else
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

acid_kewpie 04-28-2009 05:14 PM

Well, it doesn't look like it would conflict, except the default drops at the bottom, but you've not said anything about what distro / firewall system you're currently using. It's normally a much better option to take these rules and add them to your normal iptables configuration, e.g. /etc/sysconfig/iptables on a Red Hat / Fedora system.

xoros 04-28-2009 05:33 PM


Originally Posted by acid_kewpie (Post 3523982)
It's normally a much better option to take these rules and add them to your normal iptables configuration, e.g. /etc/sysconfig/iptables on a Red Hat / Fedora system.

I thought iptables for Linux is basically the same no matter which distro you are using.

I guess I'm having a hard time figuring out how to integrate them with the rules already in place from what the VM software put there.

If I just whitelist whatever process the VM software is (and needs), will it work the same as if it was using its own previous rules?

acid_kewpie 04-28-2009 05:40 PM

iptables is the same, but there are a million ways to control configuration files and services around iptables, which is just a command-line tool that needs something to use it.

xoros 04-28-2009 05:51 PM

I know how to get the script to run at startup. That is not my problem.

My main question/problem is:

Will my "whitelisting method", applied to a program that already made its own rules, allow it to work as if it was using its PREVIOUS rules?
In other words, does allowing the process work the same as just allowing certain IP ranges, port ranges, etc.?

For example, I have something similar to this already in iptables:

Will allowing by process name, or my "OUTPUT -j DROP" mess that up?

acid_kewpie 04-29-2009 06:30 AM

Again, it depends on how these rules are being implemented, so again it can depend on what distro and firewall mechanism you are using. Is it a secret??

In your specific example, you have a nat operation and a filter operation, so they wouldn't directly conflict, as POSTROUTING is always done after OUTPUT. Of course, a catch-all DROP in OUTPUT would mean anything not explicitly passed already would never hit POSTROUTING and the rest of the world.
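The two points raised in this thread, whether the whole ruleset must be flushed and how a catch-all DROP in OUTPUT interacts with the VM software's nat rules, can be handled by keeping the whitelist in a chain of its own. The script below is an added example, not xoros's script or anything from the VM software: it assumes a chain named WOPP_OUT, the `owner` match with `--uid-owner` (the `--pid-owner` form used above is no longer available in current kernels, so this is a different technique), and that the whitelisted programs run under their own user accounts.

```shell
#!/bin/sh
# Added example: the whitelist lives in its own chain, so each run flushes only
# that chain and the VM software's rules in INPUT/OUTPUT/POSTROUTING stay put.
# Locally generated packets cross filter/OUTPUT before nat/POSTROUTING, so the
# chain is appended (not inserted) to OUTPUT: rules that were already there are
# evaluated first, and only traffic nothing else accepted reaches our DROP.
IPT="${IPT:-iptables}"       # set IPT=echo to print the commands instead of applying them
CHAIN="${CHAIN:-WOPP_OUT}"   # assumed chain name

# wopp_apply PORTS USERS
#   PORTS: space-separated TCP/UDP destination ports always allowed out
#   USERS: space-separated user names whose processes may talk out freely
wopp_apply() {
    ports=$1
    users=$2
    # Create the chain if it is missing, then empty it; no other chain is flushed.
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -F "$CHAIN"
    # Hook the chain into OUTPUT once (-C checks for an existing jump), so reruns stay idempotent.
    $IPT -C OUTPUT -j "$CHAIN" 2>/dev/null || $IPT -A OUTPUT -j "$CHAIN"
    $IPT -A "$CHAIN" -o lo -j ACCEPT
    # Replies to accepted connections keep flowing without per-port rules.
    $IPT -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for p in $ports; do
        $IPT -A "$CHAIN" -p tcp --dport "$p" -j ACCEPT
        $IPT -A "$CHAIN" -p udp --dport "$p" -j ACCEPT
    done
    # Per-user whitelist: a UID survives process restarts, unlike a PID.
    for u in $users; do
        $IPT -A "$CHAIN" -m owner --uid-owner "$u" -j ACCEPT
    done
    # Log (rate-limited) and then drop whatever nothing above matched.
    $IPT -A "$CHAIN" -m limit --limit 5/min -j LOG --log-prefix "WOPP-DROP: "
    $IPT -A "$CHAIN" -j DROP
}

# Number of rules a given configuration adds to the chain (dry run, nothing is applied).
wopp_rule_count() {
    ( IPT=echo; wopp_apply "$1" "$2" ) | grep -c -- "-A $CHAIN"
}

# Usage as root: wopp_apply "53 80 443" "vmuser"   (IPT=echo to preview first)
```

The rate-limited LOG line before the final DROP is what tells you which VM process is being blocked, so it is worth watching dmesg on the first run instead of guessing at the whitelist.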
