LinuxQuestions.org > Linux - Security
#1 | 09-22-2004, 01:51 PM | LQ Newbie | Registered: Sep 2004 | Posts: 6
Blocking outgoing traffic from a specific port

Hi,

We have a Suse 8 box as the gateway for our network and we want to prevent traffic from the internal network going out via specific ports to the WAN. However, we want the internal network machines to still be able to communicate via these same ports. We basically want to prevent any worms that may have snuck into our LAN from going out and getting our subnet banned by the WAN gateway.

I'm a complete newbie at this. The only way to firewall in Linux I know is using Suse's Yast2 control centre, which has a simple firewall. I would really appreciate any help on this.

Thanks
#2 | 09-22-2004, 03:25 PM | LQ Guru (qwijibow) | Registered: Apr 2003 | Location: nottingham england | Distribution: Gentoo | Posts: 2,672
It's a much better idea to set the firewall to block EVERYTHING, and only allow what you need / use.
#3 | 09-22-2004, 04:04 PM | LQ Newbie | Registered: Sep 2004 | Posts: 6 | Original Poster
The problem is, the firewall blocks incoming traffic fine. However, I also need to block outgoing traffic but don't know how.
#4 | 09-22-2004, 08:11 PM | LQ Guru (qwijibow) | Registered: Apr 2003 | Location: nottingham england | Distribution: Gentoo | Posts: 2,672
Same way you block incoming traffic, but place the rules in the OUTPUT chain.
Code:
# allow the machine to talk to itself over the loopback interface
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -o lo -j ACCEPT
# allow replies belonging to connections that are already tracked
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow http web pages (service names come from /etc/services)
iptables -A OUTPUT -p tcp --dport http -j ACCEPT
# allow https web pages
iptables -A OUTPUT -p tcp --dport https -j ACCEPT
# allow ftp (control connection; data connections are matched by RELATED above)
iptables -A OUTPUT -p tcp --dport ftp -j ACCEPT
# allow remote ssh logins
iptables -A OUTPUT -p tcp --dport ssh -j ACCEPT
# allow email
iptables -A OUTPUT -p tcp --dport pop3 -j ACCEPT
iptables -A OUTPUT -p tcp --dport smtp -j ACCEPT
# drop all else: the chain policy applies to anything no rule above accepted
iptables -P OUTPUT DROP
Something like this?
#5 | 09-22-2004, 08:18 PM | LQ Newbie | Registered: Sep 2004 | Posts: 6 | Original Poster
Ok. But say I want to block outbound traffic from port 445 only, could I just say:
iptables -A OUTPUT -p tcp --dport 445 -j DROP
?
Thanks
#6 | 09-23-2004, 05:26 AM | LQ Guru (qwijibow) | Registered: Apr 2003 | Location: nottingham england | Distribution: Gentoo | Posts: 2,672
--dport means destination port...
--sport means source port... but I have no idea why you would want to use source port! The source ports are high (bigger than 1024) and random.
I think you mean destination port?
But yes, you could do that... but that rule wouldn't do anything.
#7 | 09-23-2004, 09:17 AM | LQ Newbie | Registered: Sep 2004 | Posts: 12
Quote:
Originally posted by qwijibow
--dport means destination port...
--sport means source port... but I have no idea why you would want to use source port! The source ports are high (bigger than 1024) and random.
I think you mean destination port?
But yes, you could do that... but that rule wouldn't do anything.

Well, I think you misread the previous topic... how come this rule wouldn't work fine?
#8 | 09-23-2004, 10:22 AM | LQ Guru (qwijibow) | Registered: Apr 2003 | Location: nottingham england | Distribution: Gentoo | Posts: 2,672
When data is passed from one place to another, it travels in something called a packet... ICMP, UDP or TCP. TCP and UDP packets use UNIX ports as types of interfaces.
For example, if something is addressed to port 80, the data is delivered to any program listening on port 80, usually an HTTP web server.
The ports are standardised... there are FTP ports, HTTP ports, HTTPS ports, SSH, TELNET, SMTP, POP... the list goes on. Now, because these destination ports are standardised, you can use a firewall to block all packets except those belonging to a wanted service, like HTTP web pages.
However, source ports are usually random, not standardised, so writing firewall rules for them is rarely included.
It's much better to use a firewall that blocks everything except a selected few ports, rather than a firewall that allows everything except a few specified ports.
#9 | 09-24-2004, 09:30 AM | LQ Newbie | Registered: Sep 2004 | Posts: 6 | Original Poster
Quote:
Originally posted by qwijibow
When data is passed from one place to another, it travels in something called a packet... ICMP, UDP or TCP. TCP and UDP packets use UNIX ports as types of interfaces.
For example, if something is addressed to port 80, the data is delivered to any program listening on port 80, usually an HTTP web server.
The ports are standardised... there are FTP ports, HTTP ports, HTTPS ports, SSH, TELNET, SMTP, POP... the list goes on. Now, because these destination ports are standardised, you can use a firewall to block all packets except those belonging to a wanted service, like HTTP web pages.
However, source ports are usually random, not standardised, so writing firewall rules for them is rarely included.
It's much better to use a firewall that blocks everything except a selected few ports, rather than a firewall that allows everything except a few specified ports.

Currently we're just using SuSEFirewall2 through the Yast2 interface. Our head IT guy wants to keep it simple and doesn't want to turn on the "protect from internal network" feature, so I'm kind of in a conundrum. He just wants port 445 sealed off since the WAN admins detected garbage coming out of port 445.
So does that mean that the source port is 445? Should I, as root, do:
iptables -A OUTPUT -p tcp --sport 445 -j DROP
iptables -A OUTPUT -p udp --sport 445 -j DROP
#10 | 09-24-2004, 10:55 AM | LQ Guru (qwijibow) | Registered: Apr 2003 | Location: nottingham england | Distribution: Gentoo | Posts: 2,672
Yes...
But like I said earlier, the fact that this traffic isn't blocked already shows you have some major problems with your firewall settings.
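An added example, not code posted in this thread, showing the rule set a gateway administrator would actually need for the port 445 problem discussed in posts #4 through #10. It assumes eth1 is the LAN interface, eth0 faces the WAN gateway and 192.168.1.0/24 is the internal subnet; set IPT=echo to print the rules instead of loading them. Two points the thread does not make explicit: packets that LAN hosts send through a gateway are routed and therefore traverse the FORWARD chain, while the OUTPUT chain only sees packets the gateway itself generates, so OUTPUT rules alone would not touch a worm on a LAN workstation; and a worm probing SMB on the Internet is identified by the destination port 445, not by its random ephemeral source port, so the match is on --dport. Matching on -i LAN -o WAN leaves LAN-to-LAN traffic alone, which is what the original question asked for.

```shell
#!/bin/sh
# Added example (not from the thread): block LAN -> WAN traffic to specific
# ports on a Linux iptables gateway. Interface names and the LAN subnet below
# are assumptions; adjust them to the real box.

IPT="${IPT:-iptables}"                 # IPT=echo prints the rules (dry run)
LAN_IF="${LAN_IF:-eth1}"               # assumed: interface toward the LAN
WAN_IF="${WAN_IF:-eth0}"               # assumed: interface toward the WAN gateway
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed: internal subnet

# Routed traffic from LAN hosts passes the FORWARD chain, never OUTPUT.
# Binding the rule to -i LAN -o WAN means LAN-to-LAN SMB keeps working.
# Log (rate limited) before dropping so the infected host can be found.
block_lan_to_wan_dport() {
    port="$1"
    for proto in tcp udp; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
             -p "$proto" --dport "$port" \
             -m limit --limit 5/min -j LOG --log-prefix "WORM-OUT:"
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
             -p "$proto" --dport "$port" -j DROP
    done
}

# The OUTPUT chain is the right place only for traffic the gateway itself
# originates, which is the case the earlier posts were actually covering.
block_local_dport() {
    port="$1"
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp --dport "$port" -j DROP
    $IPT -A OUTPUT -o "$WAN_IF" -p udp --dport "$port" -j DROP
}

apply_rules() {
    # Windows networking ports a worm inside the LAN would scan for outside:
    # RPC endpoint mapper, NetBIOS name/datagram/session, and SMB over TCP.
    for p in 135 137 138 139 445; do
        block_lan_to_wan_dport "$p"
    done
    block_local_dport 445
}

# Only touch the live rule set when explicitly asked, so the file can be
# sourced (or its functions tested) without root or a running netfilter.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

`sh block-445.sh apply` loads the rules; `IPT=echo sh block-445.sh apply` prints them for review first. Two caveats for the SuSEFirewall2 setup in the thread: rules added by hand are discarded whenever SuSEFirewall2 regenerates its tables, so they have to be re-applied from a boot script or the firewall's own hook for custom rules; and `iptables -L FORWARD -v -n` afterwards shows the packet counters on the DROP rules climbing, and the LOG lines in syslog name the internal source address, if an infected host is still scanning.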
#11 | 09-24-2004, 08:10 PM | Member | Registered: Apr 2004 | Distribution: slackware/FreeBSD/Vector | Posts: 291
A related issue with worms, etc. on the inside of the firewall

I'm having an issue similar to this. I have my firewall shored up to block all ports coming in, unless they are requested. It's basically a stateful firewall. So if a client on my LAN asked for something, the firewall will naturally allow the outgoing packet to pass. I think that one of my boxes has been owned or something. I have checked for rootkits and any known exploits and have been capturing packets promiscuously and have noticed some funny activity. I have seen a lot of activity in the port range of 6881-6889. I had opened these ports earlier to allow some bit-torrent connectivity, but have since closed them. I have a 6.5Mb connection, and it has basically been crippled to a measly 300k. I have noticed a lot of outgoing traffic but no incoming. I know that I do not have any torrents running, and I have a firewall on each PC on my LAN.

I have been checking top on all of my systems to see if the torrent client is in zombie or something, but it's pretty much all clear, and the load on the system is low. I was wondering if there is any known exploit with the bit-torrent client for Linux? Since it runs in Python... I'm no programmer, but I'm pretty sure that someone could do it. I'm also concerned about my top program on each system. I know it's possible for someone to falsify or totally change that command. Is there a way to verify that top has not been tampered with? I have snort running and have not seen any attacks. I also have tripwire running and haven't noticed any changes to the torrent client. I think I have been totally hacked and owned, and some hacker is using my LAN as a proxy. Any thoughts, comments or suggestions would be appreciated!