Iptables: Blocking outbound traffic except to certain IP addresses
Solution 1
iptables -I OUTPUT -d <remote_ip> -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -s <remote_ip> -p tcp --sport 22 -j ACCEPT
iptables -I OUTPUT -d <remote_ip> -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -s <remote_ip> -p tcp --sport 443 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
You will need to put in the first 4 rules for each of the IPs. Be warned, though, because you will have to log in via the console on this machine; all other access to it will be blocked.
Solution 2
Now I understand the context of your question, try:
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# -d matches the remote destination; in the OUTPUT chain -s would only match this host's own source address
iptables -A OUTPUT -p tcp -d 8.8.8.8 --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -d 8.8.8.8 --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -d 10.11.12.13/24 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -d 10.11.12.13/24 --dport 443 -j ACCEPT
And so on. That will set the default policy to DROP and then only allow the IP addresses (or ranges) listed access. The second line allows related traffic (e.g. outbound packets for an ongoing SSH session); the third and fourth are examples for your DNS lookups.
Don't forget you'll need an INPUT rule similar to line 2.
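The approach in this answer, carried through as a complete script (added here, not code from either answer): it emits a stateful ruleset as text so it can be reviewed before being piped to sh as root, adds the INPUT and loopback rules the answer only mentions, uses -d for the remote hosts and resolver, and logs what is still dropped. The allow-list and resolver addresses are placeholders.

```shell
#!/bin/sh
# Added example, not code from either answer. Emits a stateful iptables
# ruleset as text: review it, then pipe it to sh as root. The allow-list
# and resolver addresses are placeholders.
set -eu

ALLOWED_HOSTS="${ALLOWED_HOSTS:-198.51.100.10 203.0.113.0/24}"  # placeholder hosts/ranges
DNS_SERVER="${DNS_SERVER:-8.8.8.8}"                               # resolver used in Solution 2
IPT="${IPT:-iptables}"

gen_rules() {
    # Inbound rules are assumed to exist already (the asker blocked inbound
    # traffic); insert the two rules every outbound session needs at the top.
    echo "$IPT -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "$IPT -I INPUT 1 -i lo -j ACCEPT"
    # Rebuild OUTPUT from scratch.
    echo "$IPT -F OUTPUT"
    echo "$IPT -A OUTPUT -o lo -j ACCEPT"
    echo "$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # DNS to the resolver only. -d (destination) is the match we want here;
    # in the OUTPUT chain -s would match this host's own source address.
    for proto in udp tcp; do
        echo "$IPT -A OUTPUT -p $proto -d $DNS_SERVER --dport 53 -j ACCEPT"
    done
    # New SSH and HTTPS sessions only towards allow-listed hosts.
    for host in $ALLOWED_HOSTS; do
        for port in 22 443; do
            echo "$IPT -A OUTPUT -p tcp -d $host --dport $port -m state --state NEW -j ACCEPT"
        done
    done
    # Rate-limited log of everything still dropped, so blocked transfers
    # show up in the kernel log instead of failing silently.
    echo "$IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix 'OUTPUT-DROP: '"
    # Default policy last, after the ACCEPT rules are in place.
    echo "$IPT -P OUTPUT DROP"
}

# Number of ACCEPT rules produced, for a quick sanity check of the allow-list.
count_accept_rules() {
    gen_rules | grep -c -- '-j ACCEPT'
}

gen_rules   # usage: sh gen_rules.sh | sudo sh
```

With two allow-listed hosts the script emits ten ACCEPT rules; check the printed list against the allow-list before applying it, since the last line switches the OUTPUT policy to DROP.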
Author by netflux
Updated on September 17, 2022
Comments
- netflux over 1 year: Using iptables, I need to block all outbound traffic on my server, except:
  - SSH access to a small number of IP addresses
  - HTTPS access to the same small list of IP addresses
  Can anybody show me a suitable set of rules?
  Thank you.
- Cry Havok over 13 years: Do you mean you want the server to access those remote IP addresses, or that those remote addresses should have access to the server?
- netflux over 13 years: To clarify, this is a secure server holding sensitive data. I want users who log in via SSH to be unable to send data from this machine. I have already blocked inbound traffic using iptables. Thank you.
- fxmtor over 13 years: Asker stated that he wanted to block all outbound traffic with a few exceptions; you block all inbound traffic with a few exceptions.
- MadHatter over 13 years: Those rules won't parse correctly, because you've specified -o (output interface) without actually naming an interface. Do you want to edit the rules, and I'll delete this comment? You may want to consider adding "-m state --state ESTABLISHED" on the INPUT+ACCEPT rules, but that's a point of taste.
- Zoredache over 13 years: @Kevin M, given that the rules suggested are stateless, nothing that you are making outbound connections to is going to be able to reply except what he has allowed.
- Cry Havok over 13 years: @Kevin M, the question was vague enough it could be read either way, hence my request for clarification. The question as you pose it doesn't make much sense - how would you access this server except at the console?
- netflux over 13 years: I've added a comment above which I hope clarifies; let me know if you need more information.