iptables / output *drop* policy

reverse · 11-22-2007, 09:36 AM

Suppose your iptables script starts with something like the following:

Code:

iptables -P OUTPUT DROP

As you still want to be able to send email, use a Web browser, and what not other various tasks, you'll have to explicitly enable them. My question is as follows: are there any special considerations to be taken care of so that you do not end up sabotaging your system (i.e. you have to allow DNS requests) ("gotchas" perhaps)?

Also: is it possible to only allow certain binaries to send packets? I.e. you want your users to be able to IRC, but in order to do this they *have* to use /usr/bin/irc_client; running ~/irc_client would not have to work. Apply this for all protocols. Again, would this be dangerous (sabotaging your system)?

Simon Bridge · 11-22-2007, 10:14 AM

Quote:

My question is as follows: are there any special considerations to be taken care of so that you do not end up sabotaging your system (i.e. you have to allow DNS requests) ("gotchas" perhaps)?

You must allow the loopback interface.

For everything else, make a list of services you want to access out of the box, where, and under what circumstances... allow those. You'll soon know if you missed one.

Quote:

Also: is it possible to only allow certain binaries to send packets? I.e. you want your users to be able to IRC, but in order to do this they *have* to use /usr/bin/irc_client; running ~/irc_client would not have to work.

The best way to force users to use only a specific application is to deny them access to any others on the box. The best way to do that is to remove them all.

It's usually only a concern if you know an application has a specific exploit that you would like to avoid.

I understand you can use the --cmd-owner option to allow connections based on the launching process.

There is a highly entertaining and interesting discussion on outbound policies here:
http://ubuntuforums.org/showthread.php?t=131616&page=4

win32sux · 11-22-2007, 10:17 AM

Yeah, starting with a DROP policy for OUTPUT is quite healthy. There are no "gotchas" at all. You basically make ACCEPT rules for the stuff you want to allow and that's it. Of course, if it's the first time you take this approach then most likely you'll have to look at your log file a couple times to figure-out why something isn't working.

As for the question about making rules for certain binaries, I think the --cmd-owner parameter for the owner module does this, but I've never used it so I'm not sure. From "man iptables" on Ubuntu 7.10:

Code:

       --cmd-owner name
              Matches  if  the  packet was created by a process with the given
              command name.

              (Please note: This option requires kernel support that might not
              be  available in official Linux kernel sources or Debian’s pack‐
              aged Linux kernel sources.  And if support for  this  option  is
              available  for  the  specific  Linux kernel source version, that
              support might  not  be  enabled  in  the  current  Linux  kernel
              binary.)

       NOTE: pid, sid and command matching are broken on SMP

EDIT: Beaten by Simon Bridge!

reverse · 11-22-2007, 10:39 AM

Thanks for the replies guys. Well, I was thinking restricting certain connections to specific originating binaries could help against *some* connect-back shellcode?