Aug 11, 2011
tom

Starting point for iptables whitelist specific to the outbound chain

Question

I’m a ubuntu/iptables noob and am running my first Linode to serve a rails app. While things are starting to come together and I’m feeling pretty good about my INPUT chain, the OUTPUT chain…eh…not so much. :)

Obviously my rules should reflect my personal needs and there will always be variation from person to person, but for a basic ubuntu server, what should I generally be conscious of? Are there any best practices for outbound chains? Right now outbound is set to ACCEPT basically everything, but i’d rather deny and whitelist things as necessary.

Given that and excluding the rules which could be figured out based on one’s input chain, anyone have suggestions as to what outbound rules one should generally allow on a ubuntu box? (e.g.,for package updates, time syncing, etc.). I don’t want to miss something and unknowingly prevent a background task from running properly.

Thanks

Edit: Thanks for the helpful replies, everyone! My account is brand new and I unfortunately don’t have the minimum reputation to vote things up at this time, but I appreciate you all helping me very much. I’ve gone ahead and accepted an answer.

Answer

Since you’re probably not going to be using this server to do anything other than obtaining data from your configured repos in /etc/apt/sources.listyou should probably just allow those by FQDN and port.

I would use conntrack and stateful inspection rather than specifying an input since it’s more secure. A specially crafted packet with it’s source port set to 80 will get through the rules that Jonathan Ross mentioned.

#set policy on chains to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP#allows already established/related connections
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -p tcp -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -p tcp -j ACCEPT#allow incoming to www
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT#allow outgoing to my sources.list repo
iptables -A OUTPUT -o eth0 -d mirrors.kernel.org -p tcp --dport 80 -j ACCEPT#add upd/123 for NTP
iptables -A OUTPUT -o eth0 -d tock.usask.ca -p udp --dport 123 -j ACCEPT

Related posts:

  1. Problem with sendmail combined with iptables
  2. Unable to make outbound SNMP connections when IPTables is enabled
  3. Iptables ESTABLISHED,RELATED chain problems
  4. Why do these 3 rules cause problems for me in iptables? (COMMIT line error)
  5. Iptables Hangs when listing rules

Leave a comment