iptables output examples: restricting outgoing connections on Red Hat/CentOS or Ubuntu

As an extension of the post “Configuring iptables firewall RedHat/CentOS 6 from command line“, this time we will see how to restrict the outbound connections our server is allowed to make.

Limiting outgoing connections may seem a little paranoid, but if your machine is compromised it will be used as a jump host to reach other systems or to send mail. I know this may sound even more paranoid, but these things happen and are very real; I want to write a later post going through a real case.

To get to the point, we start from this initial situation:

[root@oradb ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

We will allow only what the system needs in order to work, simplifying as much as possible. iptables evaluates the rules of a chain in order and the first match decides, so the order of this list matters. In summary, we need to:

  • Allow established or related connections.
  • Allow connections to the loopback interface.
  • Allow DNS queries.
  • Allow access to known machines; protocol and port are omitted for simplicity.
  • Log any other activity, which we will then deny.
  • Reject the rest.

The following code fragment implements the list above:

#Allow established or related connections (replies to connections we started, and related flows such as ICMP errors).
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -m comment --comment "Allow existing outgoing connections " -j ACCEPT
#Allow connections to the loopback interface.
iptables -A OUTPUT -o lo -m comment --comment "Allow internal outbound connections " -j ACCEPT
#Allow DNS queries (UDP 53 to any server; narrow it with -d to your resolvers if they are fixed).
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -m comment --comment "Allow outgoing port 53 " -j ACCEPT
#Allow access to known machines; protocol and port are omitted for simplicity. Here: our server to another server, s1.
#Note: iptables resolves the hostname when the rule is loaded, so DNS must work at that moment,
#and a name with several addresses produces one rule per address.
iptables -A OUTPUT -p all -d s1.domain.com -m state --state NEW -m comment --comment "Allow outgoing s1 " -j ACCEPT
#Same idea, in this case Google's SMTP server.
iptables -A OUTPUT -p all -d smtp.gmail.com -m state --state NEW -m comment --comment "Allow outgoing gmail " -j ACCEPT
#Log everything else before refusing it (consider adding -m limit so a compromised host cannot flood the log).
iptables -A OUTPUT -m comment --comment "LOG Outgoing reject everything else " -j LOG --log-prefix "Outgoing connection reject "
#Reject everything else (REJECT answers with an ICMP error; DROP would discard silently).
iptables -A OUTPUT -m comment --comment "Outgoing reject everything else " -j REJECT

For more details on each option you can take a look at the post “Configuring iptables firewall RedHat/CentOS 6 from command line“.
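The rules above depend on DNS working at load time and log without any rate limit. The script below is an added example for this post, not the original script: it generates the same kind of egress rule set for the OUTPUT chain but takes the destinations as IP addresses, allows DNS only to the resolvers read from a resolv.conf, adds TCP 53, and rate-limits the LOG rule. It prints the iptables commands instead of running them, so they can be reviewed before being piped to sh as root. The addresses, the resolv.conf contents and the "name:ip:proto:port" entry format are assumptions of the example.

```shell
#!/bin/sh
# Added example (not the post's own script): generate a complete egress rule
# set for the OUTPUT chain and print it for review. Pipe the output to "sh" as
# root to apply it. Assumptions of this example, not something the post prescribes:
#   - destinations are IPs/CIDRs, so nothing depends on DNS at load time;
#   - DNS is allowed only to the configured resolvers, over UDP and TCP;
#   - the LOG rule is rate-limited so a compromised host cannot flood the log.
# IPv4 only: entries are split on ":", which an IPv6 address also contains.

# resolvers_from_resolv_conf: read a resolv.conf on stdin and print the
# nameserver addresses space-separated (e.g. < /etc/resolv.conf).
resolvers_from_resolv_conf() {
    awk '$1 == "nameserver" { printf "%s%s", (n++ ? " " : ""), $2 }'
}

# build_egress_rules RESOLVERS DESTS
#   RESOLVERS: space-separated DNS server IPs
#   DESTS:     space-separated entries "name:ip[/cidr][:proto[:port]]";
#              proto defaults to "all"; a port requires proto tcp or udp.
build_egress_rules() {
    resolvers=$1
    dests=$2

    # Flush first so the function can be re-run without duplicating rules.
    # The chain policy stays ACCEPT, so an aborted run leaves the host open
    # rather than locked out; the final REJECT rule is what enforces the policy.
    echo "iptables -F OUTPUT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -m comment --comment \"Allow existing outgoing connections\" -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -m comment --comment \"Allow loopback\" -j ACCEPT"

    # DNS only to our own resolvers. TCP is needed for answers over 512 bytes.
    for r in $resolvers; do
        for proto in udp tcp; do
            echo "iptables -A OUTPUT -p $proto -d $r --dport 53 -m state --state NEW -m comment --comment \"DNS to $r\" -j ACCEPT"
        done
    done

    # Known destinations, narrowed to a protocol/port when given.
    for d in $dests; do
        oldifs=$IFS; IFS=:; set -- $d; IFS=$oldifs
        name=$1; ip=$2; proto=${3:-all}; port=$4
        if [ -z "$ip" ]; then
            echo "build_egress_rules: bad entry '$d'" >&2; return 1
        fi
        if [ -n "$port" ] && [ "$proto" = all ]; then
            echo "build_egress_rules: $name: a port needs proto tcp or udp" >&2; return 1
        fi
        rule="iptables -A OUTPUT -p $proto -d $ip"
        if [ -n "$port" ]; then
            rule="$rule --dport $port"
        fi
        echo "$rule -m state --state NEW -m comment --comment \"Allow outgoing $name\" -j ACCEPT"
    done

    # Log (rate-limited) and reject everything else.
    echo "iptables -A OUTPUT -m limit --limit 5/min --limit-burst 10 -m comment --comment \"LOG outgoing reject\" -j LOG --log-prefix \"Outgoing connection reject \""
    echo "iptables -A OUTPUT -m comment --comment \"Outgoing reject everything else\" -j REJECT --reject-with icmp-port-unreachable"
}

# Constructed input: a resolv.conf with two resolvers, and the post's two
# destinations already resolved to RFC 5737 documentation addresses (the real
# ones would come from "host s1.domain.com" and "host smtp.gmail.com").
SAMPLE_RESOLV_CONF='search domain.com
nameserver 192.0.2.53
nameserver 192.0.2.54'
RESOLVERS=$(printf '%s\n' "$SAMPLE_RESOLV_CONF" | resolvers_from_resolv_conf)
build_egress_rules "$RESOLVERS" "s1:192.0.2.10 gmail:192.0.2.25:tcp:587"
```

Resolving the names yourself and feeding in addresses is what makes the rule set reproducible: the listing you get back from iptables -L will show exactly what you typed, and a later change in the remote host's DNS will not silently shift what is allowed. The `-m state` match is kept to stay consistent with the rest of the post on CentOS 6; on newer systems `-m conntrack --ctstate` is the preferred spelling.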

Once the above has been executed we can check the state of iptables with:

[root@oradb ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED /* Allow existing outgoing connections  */
ACCEPT     all  --  anywhere             anywhere            /* Allow internal outbound connections  */
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain state NEW /* Allow outgoing port 53  */
ACCEPT     all  --  anywhere             s1.domain.com state NEW /* Allow outgoing s1  */
ACCEPT     all  --  anywhere             wi-in-f108.1e100.net state NEW /* Allow outgoing gmail  */
ACCEPT     all  --  anywhere             wi-in-f109.1e100.net state NEW /* Allow outgoing gmail  */
LOG        all  --  anywhere             anywhere            /* LOG Outgoing reject everything else  */ LOG level warning prefix `Outgoing connection reject '
REJECT     all  --  anywhere             anywhere            /* Outgoing reject everything else  */ reject-with icmp-port-unreachable

The log of rejected connections can be read in /var/log/messages; each line carries the prefix “Outgoing connection reject ” followed by the packet fields (OUT, SRC, DST, PROTO, DPT, ...).

Two things to note in the listing above. The hostnames were resolved when the rules were loaded: smtp.gmail.com has several addresses, so it produced two rules (wi-in-f108.1e100.net and wi-in-f109.1e100.net), and if those addresses change later the rules will not follow. Also, the OUTPUT policy is still ACCEPT: the restriction comes entirely from the final REJECT rule, so flushing the chain leaves the host free to connect anywhere again, and the rules must be saved if they are to survive a reboot.

Everything here applies equally to Ubuntu, for example; the only change is the log destination, which is /var/log/syslog (and /var/log/kern.log) instead of /var/log/messages.
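Once the policy is in place, the log is what tells you which allow rules are still missing. The following is an added example, not part of the original post: a small shell function that reads the kernel LOG lines with the “Outgoing connection reject ” prefix and summarises them by protocol, destination and port, so each line of its output is a candidate rule to add (or an attempt worth investigating). The log lines are constructed for the example in the format the kernel writes to /var/log/messages; the hostname, addresses and timestamps are invented.

```shell
#!/bin/sh
# Added example (not part of the original post): summarise the
# "Outgoing connection reject" LOG lines so the allow list can be tuned.
# Prints "count PROTO DST DPT" sorted by count; DPT is "-" when the protocol
# carries no port (ICMP). On a live host:
#   summarize_rejects < /var/log/messages      (Ubuntu: /var/log/syslog)

summarize_rejects() {
    grep -F 'Outgoing connection reject' |
    awk '{
        dst = ""; proto = ""; dpt = "-"
        # Kernel LOG lines are KEY=VALUE pairs; pick the three we report on.
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "DST")   dst   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt   = kv[2]
        }
        if (dst != "") count[proto " " dst " " dpt]++
    }
    END { for (k in count) print count[k], k }' |
    sort -k1,1nr -k2
}

# Constructed sample in the format the kernel writes to /var/log/messages:
# three rejected HTTP attempts, one NTP query, one ping, and an unrelated line.
SAMPLE_LOG='Jun 12 10:15:01 oradb kernel: Outgoing connection reject IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1001 DF PROTO=TCP SPT=45678 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Jun 12 10:15:02 oradb kernel: Outgoing connection reject IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1002 DF PROTO=TCP SPT=45679 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Jun 12 10:15:03 oradb sshd[2210]: Accepted publickey for root from 10.0.0.9 port 51022 ssh2
Jun 12 10:15:05 oradb kernel: Outgoing connection reject IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.123 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=1003 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Jun 12 10:15:09 oradb kernel: Outgoing connection reject IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1004 DF PROTO=ICMP TYPE=8 CODE=0 ID=2300 SEQ=1
Jun 12 10:15:11 oradb kernel: Outgoing connection reject IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1005 DF PROTO=TCP SPT=45680 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0'

printf '%s\n' "$SAMPLE_LOG" | summarize_rejects
```

The top line of the output is the one to look at first: three attempts to the same host on TCP 80 usually mean a legitimate program (yum, a monitoring agent) that needs an explicit rule, whereas a spread of one-off connections to many different addresses is the pattern you would expect from the jump-host scenario the post is guarding against.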

I leave the link to the documentation:

http://linux.die.net/man/8/iptables
