Blocking outgoing connects with iptables

Solution 1

There are two ways to drop all outgoing traffic except what you explicitly define as ACCEPT. The first is to set the default policy for the OUTPUT chain to drop.

iptables -P OUTPUT DROP

The downside to this method is that when the chain is flushed (all rules removed), all outbound traffic will be dropped. The other way is to put a "blanket" DROP rule at the end of the chain.

iptables -A OUTPUT -j DROP

Without knowing exactly what you need, I cannot offer advice on what to accept. I personally use the method of putting a default DROP rule at the end of the chain. You may need to investigate how your GUI is setting rules, otherwise it may conflict with traditional CLI ways of restoring rules on boot (such as /etc/sysconfig/iptables).

Solution 2

Presuming you only want to accept incoming TCP traffic, you can use these rules to restrict outgoing traffic to established TCP connections (which would have to have been initiated from the outside) and IP addresses outside your LAN:

iptables -A INPUT -p tcp -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT   # repeat for other ports you want to allow
iptables -P INPUT DROP          # -P takes a policy name; DENY is an ipchains target, not an iptables one
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p tcp \! -d 10.0.0.0/8 -j ACCEPT  # replace by your LAN's network(s)
iptables -A OUTPUT -p tcp \! --syn -j ACCEPT  # non-SYN packets belong to connections that already exist
iptables -P OUTPUT DROP

Given your requirements, you may prefer to apply some rules specifically to processes executed by the supporters. Supposing they are in the supporters group, the following rules will deny supporters (and only supporters) all connections (incoming or outgoing) inside your LAN:

# -m owner is only available in the OUTPUT and POSTROUTING chains, so the INPUT
# variant fails to load; the OUTPUT rule alone already stops supporters' processes
# from sending anything (replies included) to LAN addresses. DENY is an ipchains
# target; DROP is the iptables equivalent (use REJECT if you prefer an immediate error).
# iptables -I INPUT \! -i lo -s 10.0.0.0/8 -m owner --gid-owner supporters -j DROP
iptables -I OUTPUT \! -o lo -d 10.0.0.0/8 -m owner --gid-owner supporters -j DROP

Note that gid-owner tests the process's fsgid, which is almost always the effective GID. Unless a process is run setgid or switches its effective GID to a supplementary group, the user's primary group (recorded in the user database, e.g. /etc/passwd) applies.
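A complete ruleset that combines the trailing-DROP approach of Solution 1 with the established-only and group-scoped rules of Solution 2, written here as an added example; it is not code from either answer or from the original poster. It emits iptables-restore format, so the rules load atomically and can be kept in /etc/sysconfig/iptables, which is how CentOS restores them at boot. The addresses, the group name "supporters" and the NTP, SNMP-trap and HTTP targets are assumptions standing in for the poster's monitoring and patch servers:

```shell
#!/bin/sh
# Added example, not from the thread. Emits a whitelist OUTPUT ruleset in
# iptables-restore format. Assumed values (not from the original question):
LAN="10.0.0.0/8"
MONITOR="10.0.0.5"       # receives SNMP traps (udp/162) and serves NTP (udp/123)
PATCHSERVER="10.0.0.6"   # polled over HTTP
GROUP="supporters"       # the external supporters' group

# Print the whole filter table. Chain policies stay ACCEPT and the explicit
# trailing DROP is the fallback, so "iptables -F" fails open (no lockout) as
# Solution 1 describes; the ruleset is complete, so each load gives the same state.
build_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Supporters' processes never talk to the LAN, replies included. Owner match
# exists only in OUTPUT, and this sits first, like the "-I OUTPUT" in Solution 2.
-A OUTPUT ! -o lo -d $LAN -m owner --gid-owner $GROUP -j REJECT
-A OUTPUT -o lo -j ACCEPT
# Responses to connections that arrived from outside ("plus response"); NEW is
# deliberately absent, so nothing else may be initiated from this host.
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The specific targets this host is allowed to contact on its own.
-A OUTPUT -p udp -d $MONITOR --dport 162 -j ACCEPT
-A OUTPUT -p udp -d $MONITOR --dport 123 -j ACCEPT
-A OUTPUT -p tcp -d $PATCHSERVER --dport 80 -j ACCEPT
# Log before dropping, so a missing whitelist entry shows up in syslog
# instead of as a silent timeout.
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
-A OUTPUT -j DROP
COMMIT
EOF
}

# Load atomically and persist it (CentOS writes /etc/sysconfig/iptables). Run as root.
load_ruleset() {
    build_ruleset | iptables-restore && service iptables save
}
```

After loading, `iptables -L OUTPUT -nv` shows a counter per rule, so a blocked service is easy to spot on the LOG/DROP lines. To check the group rule, `sg supporters -c 'curl -sS -m 5 http://10.0.0.6/'` from a root shell should fail with a connection refused while the same curl without `sg` succeeds; and if supporters log in from a LAN address, log in as one of them once and confirm the session survives before relying on the rule.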

Solution 3

Consider installing Shorewall as your firewall builder. Use the single interface example as a starting point and don't provide any unnecessary outgoing access rules. Required ICMP types are allowed.

You will likely want to provide at least outgoing DNS (name lookup) and NTP (time synchronization) access rules.

Author: Nils

I studied information science and did computers from the old Commodore VC-20 onwards. I started during study as PC admin for DOS, Windows, WfW and all related software and hardware stuff. Later I switched over to servers, starting with Linux Samba and NT 3.5/4.0. My first job made me a Solaris admin in a huge company with over 500 Solaris servers. There I got every day a new interesting problem that I had never encountered before. My next job brought me into project management and later back to system administration, mainly Linux. It was frustrating to manage a project when you knew that doing the admin's job yourself would have the current step finished in less than 30 minutes...

Updated on September 18, 2022

Comments

  • Nils
    Nils over 1 year

    I have a (non production) machine where external supporters have shell-access (non-root). I want to prevent them from going further on into our network from that machine using iptables.

    The "normal" firewall-gui only blocks incoming traffic. How can I set up rules like "accept all incoming traffic (plus response), but allow only new outgoing traffic for specific targets (like snmp-traps to the monitoring server)"?

    OS is CentOS 5

  • Nils
    Nils over 12 years
DNS - probably not. That server has everything he needs "on board". NTP - sure. The SNMP traps were just an example. Shorewall looks interesting. I will try it. Is it comparable to Bastille (Debian version)?
  • Nils
    Nils over 12 years
The gid-owner looks interesting. Do I have to define INPUT rules at all? All listening services (basically SSH and HTTP) are already well secured by their own means. I don't care about ICMP in this setup. Do I have to put up "INPUT" rules at all in this case?
  • Nils
    Nils over 12 years
    Can you please explain the sense of OUTPUT -p tcp \! -d 10/8 -j ACCEPT? This will accept all outgoing tcp traffic that is not going to the LAN?
  • Gilles 'SO- stop being evil'
    Gilles 'SO- stop being evil' over 12 years
    @Nils You don't strictly need the INPUT rules, but I find it cleaner to block both directions (and they may catch stray UDP packets). Yes, -p tcp \! -d 10/8 -j ACCEPT accepts outgoing TCP traffic going outside the LAN; include it or not depending on what policy you want to implement.
  • BillThor
    BillThor over 12 years
    It has been a long time since I ran Bastille, and it covers different things than Shorewall. Shorewall is strictly about building firewalls. It has several configuration files with clear functions. Many are optional if you need the features. The available documentation makes it easy to get things right and understand what you have done.
  • Nils
    Nils over 12 years
From what I've seen on the Shorewall page it is more like SuSEFirewall - where you define a config file which will build some rules based on that config.
  • BillThor
    BillThor over 12 years
    With Shorewall there are several files. Once you have defined your interfaces and policies most of the changes should be to the rules file. There are several optional configuration files for traffic shaping, specialized routing, and other features you likely don't need.
  • Nils
    Nils almost 12 years
    Shorewall is a very good tool, but it has shown to be oversized for this purpose.
  • Nils
    Nils almost 12 years
    CentOS uses the FORWARD-chain to allow outgoing traffic for incoming established connections.
  • Nils
    Nils almost 12 years
    I used the -A OUTPUT -j DROP as the last OUTPUT-rule. The first accepts traffic for lo (as outlined by gilles), then I allow a couple of services I need to contact (e.g. to poll via http from the patchserver).
  • Gilles 'SO- stop being evil'
    Gilles 'SO- stop being evil' over 9 years
    @soubunmei Processes can only choose between the set of groups they were granted initially (unless they're running as root). Unless some process deliberately chooses differently, the user's primary group applies.
  • 把友情留在无盐
    把友情留在无盐 over 9 years
Still, it is more common to grant access to groups instead of denying access to groups. A whitelist is easier to implement than a blacklist.