Iptables: Allow connections on a port to only “safe” hosts

iptables

I have a centos machine and wish to only allow outbound connections to port 587 to certain remote machines, and drop packets trying to connect to all other hosts.

I only want to allow access on port 587 if they are going to access gmail's SMTP servers (all IPs behind smtp.gmail.com). Is there a way I can implement this?

Best Answer

You can use the -d switch to iptables rules which makes the rule work for just the address supplied and then block everything else e.g.

iptables -I OUTPUT -p tcp --dport 587 -j DROP
iptables -I OUTPUT -d smtp.gmail.com -p tcp -m tcp --dport 587 -j ACCEPT

should do what you want. This initially inserts a DROP all outgoing connections on port 587 rule into the beginning of the OUTPUT chain. It then inserts an allow rule for smtp.gmail.com port 587 into the beginning of the OUTPUT chain. This has the effect of allowing connections to smtp.gmail.com:587 and blocking everything else on port 587 e.g.

iptables -L OUTPUT -n
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            173.194.66.109      tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            173.194.66.108      tcp dpt:587
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:587

Note that smtp.gmail.com resolves to two ip addresses which is why there are two ACCEPT rules above. The name is only resolved once when the rule is added to the kernel so if the addresses are changed then connections to gmail will be blocked too and you would need to reload the rules.

Related Solutions

Iptables – Limit incoming connections using iptables per IP

I think that this is what you need to limit each source IP to a specified rate.

-m hashlimit --hashlimit-mode srcip --hashlimit-upto 5/min

Detailed examples are given in the URL's below.

http://www.mauromascia.com/blog/limiting-concurrent-connections-per-ip/?lang=it

http://etel.wiki.oreilly.com/wiki/index.php/SIP_DoS/DDoS_Mitigation

http://ipset.netfilter.org/iptables-extensions.man.html

Iptables – Allow only IPSEC outgoing traffic to a port (using IPTABLE?)

Thanks for the suggestions. It turned out to be related to how IPSEC VPN works on iOS (apple) devices.

On iOS devices, on turning the ipsec VPN ON, rule is added automatically in route table to send the IPSEC server/peer traffic directly to gateway to avoid looping (packet getting encrypted again) and rest of the traffic are sent to ipsec tunnel first to get encrypted and then onto ipsec server.

And in my case IPSEC server and the target server(where traffic is targeted) happens to be the same machine (resolves to same IP address), so when the traffic is sent to the target server (port XXXX), instead of its getting encrypted in IPSEC tunnel, it was sent directly to the server due to the special rule without getting encapsulated in ipsec packet. So when these packets arrived on server, it didn't get recognised as ipsec packets and that was the issue.

Since I couldn't avoid iOS client sending the traffic to port XXXX (though without ipsec encapsulation), I had to find a way to let only that device to have access to port XXXX and not to the whole world. So what I ended up doing was to have my own ipsec updown script on ipsec server that adds a INPUT chain rule dynamically to allow traffic from the established client's IP address to port XXXX on vpn connect and remove the rule on vpn disconnect. This way only the VPN connected clients will have access to port XXXX.

Best Answer

Related Solutions

Iptables – Limit incoming connections using iptables per IP

Iptables – Allow only IPSEC outgoing traffic to a port (using IPTABLE?)

Related Topic