I’m an Ubuntu/iptables noob and am running my first Linode to serve a rails app. While things are starting to come together and I’m feeling pretty good about my INPUT chain, the OUTPUT chain…eh…not so much.
Obviously my rules should reflect my personal needs and there will always be variation from person to person, but for a basic Ubuntu server, what should I generally be conscious of? Are there any best practices for outbound chains? Right now outbound is set to ACCEPT basically everything, but I’d rather deny and whitelist things as necessary.
Given that, and excluding the rules which could be figured out based on one’s input chain, does anyone have suggestions as to what outbound rules one should generally allow on an Ubuntu box? (e.g., for package updates, time syncing, etc.) I don’t want to miss something and unknowingly prevent a background task from running properly.
Edit: Thanks for the helpful replies, everyone! My account is brand new and I unfortunately don’t have the minimum reputation to vote things up at this time, but I appreciate you all helping me very much. I’ve gone ahead and accepted an answer.
Since you’re probably not going to be using this server to do anything other than obtaining data from your configured repos in /etc/apt/sources.list, you should probably just allow those by FQDN and port.
I would use conntrack and stateful inspection rather than specifying an input, since it’s more secure. A specially crafted packet with its source port set to 80 will get through the rules that Jonathan Ross mentioned.
# set policy on chains to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# loopback must be open, otherwise local services (rails <-> db, mail, etc.) break under a DROP policy
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# allow already established/related connections (conntrack module; no -p tcp here,
# otherwise the UDP replies for NTP and DNS below are dropped)
iptables -A OUTPUT -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# allow incoming to www
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
# allow outgoing DNS to the resolver(s) in /etc/resolv.conf (apt and ntp resolve hostnames at runtime;
# replace 192.0.2.53 with your resolver's address)
iptables -A OUTPUT -o eth0 -d 192.0.2.53 -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -d 192.0.2.53 -p tcp --dport 53 -j ACCEPT
# allow outgoing to my sources.list repo
iptables -A OUTPUT -o eth0 -d mirrors.kernel.org -p tcp --dport 80 -j ACCEPT
# add udp/123 for NTP
iptables -A OUTPUT -o eth0 -d tock.usask.ca -p udp --dport 123 -j ACCEPT
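To answer the asker's worry about silently breaking a background task, here is an added example (not part of the answer above, and not anyone's production ruleset) that builds the same default-deny, stateful design as an iptables-restore file and, as its last OUTPUT rule, logs whatever is about to hit the DROP policy so a blocked cron job or updater shows up in syslog instead of just hanging. Interface name, repository host, NTP host and the resolver address 192.0.2.53 are constructed placeholders; set them from your own /etc/apt/sources.list and /etc/resolv.conf.

```shell
#!/bin/sh
# Added example: generates a default-deny OUTPUT/INPUT ruleset in iptables-restore
# format. Placeholders below are assumptions, not values from the original answer.
IFACE="${IFACE:-eth0}"
REPO_HOST="${REPO_HOST:-mirrors.kernel.org}"
NTP_HOST="${NTP_HOST:-tock.usask.ca}"
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"   # placeholder resolver (documentation range)

# Print the complete *filter table. Hostnames are resolved by iptables-restore at
# load time, so the generated rules only ever match the addresses current then.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: local services (app <-> db, mail, etc.) depend on it
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# stateful core: replies to anything we initiated (or accepted inbound) are allowed.
# Deliberately not limited to -p tcp so UDP replies for DNS and NTP get back in.
-A INPUT -i $IFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $IFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $IFACE -m conntrack --ctstate INVALID -j DROP
# inbound web: only new, SYN-flagged TCP connections to port 80
-A INPUT -i $IFACE -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
# DNS: apt and ntp resolve names at runtime, so the resolver must be reachable
-A OUTPUT -o $IFACE -d $DNS_SERVER -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $IFACE -d $DNS_SERVER -p tcp --dport 53 -j ACCEPT
# package repository: 80 and 443, since mirrors commonly redirect to https
-A OUTPUT -o $IFACE -d $REPO_HOST -p tcp -m multiport --dports 80,443 -j ACCEPT
# time sync
-A OUTPUT -o $IFACE -d $NTP_HOST -p udp --dport 123 -j ACCEPT
# last rule: rate-limited log of everything the OUTPUT policy is about to drop,
# so a blocked background task is visible in syslog rather than silently failing
-A OUTPUT -o $IFACE -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
COMMIT
EOF
}

# Number of -A rules generated for a given chain (INPUT, OUTPUT, FORWARD).
rule_count() { gen_rules | grep -c "^-A $1 "; }

# Validate without loading: iptables-restore --test parses the ruleset but does
# not commit it (needs root and the iptables package). Falls back to printing.
check_rules() {
  if command -v iptables-restore >/dev/null 2>&1; then
    gen_rules | iptables-restore --test
  else
    echo "iptables-restore not found; printing ruleset only" >&2
    gen_rules
  fi
}

# Default action when run directly: print the ruleset. Load it with
#   sh thisscript.sh | sudo iptables-restore
gen_rules
```

Watch `grep OUTPUT-DROP /var/log/syslog` (or `journalctl -k`) for a day or two after loading this; every destination that appears there is a candidate for an explicit whitelist line above the LOG rule.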