I'm trying to make the least permissive outgoing TCP HTTP/HTTPS connection in iptables. So far I have:
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
I am assuming NEW is needed for client-initiated SSL handshakes. If my goal was to make outgoing web traffic as restrictive as possible, is there anything else in the rule you folks would recommend?
Thank you very much
Best Answer
Your iptables rule is sufficient, provided you also have:

REJECT is better than DROP in the OUTPUT chain to speed up failures.
However, I'm not sure what you are trying to prevent or protect from. It's very easy to run any service on port 80 or 443. For example, botnets, or even VPN or SSH servers, will happily run on these ports, and if someone takes over your server you won't stop him from connecting to their services by restricting outgoing traffic only to ports 80 and 443.
You may be better served with an HTTP proxy with a whitelist of permitted URLs, or at least a whitelist of IPs in your iptables -A OUTPUT chain (which can be conveniently done through ipset). Restricting only the output ports will probably not do what you want.
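As an added example (not part of the original question or answer), here is a POSIX sh script that builds the kind of OUTPUT chain the answer suggests: new outbound HTTP/HTTPS only to addresses in an ipset whitelist, reply traffic matched by conntrack, and an explicit REJECT at the end instead of a silent DROP. The set name web_allow, the resolver address and the loopback/DNS rules are my assumptions; with no arguments it only prints the commands, and `apply <ip>...` as root loads them.

```shell
#!/bin/sh
# Added example, not from the original thread. Set IPT=echo IPS=echo (the
# default "preview" mode) to print commands instead of changing the firewall.
IPT="${IPT:-iptables}"
IPS="${IPS:-ipset}"
SETNAME="${SETNAME:-web_allow}"          # assumed set name
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"   # constructed placeholder resolver

# (Re)create the whitelist set from the IPv4 addresses given as arguments.
build_web_allow_set() {
    "$IPS" create "$SETNAME" hash:ip -exist
    "$IPS" flush "$SETNAME"
    for ip in "$@"; do
        "$IPS" add "$SETNAME" "$ip" -exist
    done
}

# Replace the OUTPUT chain. Order matters: loopback and existing flows first,
# then DNS and whitelisted web, then REJECT (fast failures) with DROP as the
# policy safety net for anything that slips past the rules.
apply_output_rules() {
    "$IPT" -F OUTPUT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    "$IPT" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -p udp -d "$DNS_SERVER" --dport 53 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Only NEW is needed here: the ESTABLISHED rule above carries the replies.
    "$IPT" -A OUTPUT -p tcp -m multiport --dports 80,443 \
        -m set --match-set "$SETNAME" dst \
        -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
    "$IPT" -A OUTPUT -j REJECT
    "$IPT" -P OUTPUT DROP
}

# Print the full command list for a whitelist without touching the firewall.
preview_rules() {
    IPT=echo IPS=echo
    build_web_allow_set "$@"
    apply_output_rules
}

mode="${1:-preview}"
if [ $# -gt 0 ]; then shift; fi
case "$mode" in
    apply)   build_web_allow_set "$@"; apply_output_rules ;;
    preview) preview_rules "$@" ;;
esac
```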