Iptables – Most restrictive iptables outgoing HTTP/HTTPS traffic rule

Tags: firewall, iptables

I'm trying to make the least permissive outgoing TCP HTTP/HTTPS connection in iptables. So far I have:

# Allow client-initiated outgoing HTTP/HTTPS: match the destination ports, since this host is the client
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

I am assuming NEW is needed for client-initiated SSL handshakes. If my goal is to make outgoing web traffic as restrictive as possible, is there anything else in the rule you folks would recommend?

Thank you very much

Best Answer

Your iptables rule is sufficient, provided you also have:

# Permit replies to existing (e.g. inbound) connections
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Reject all other output traffic
iptables -A OUTPUT -j REJECT

REJECT is better than DROP in the OUTPUT chain to speed up failures.

However, I'm not sure what you are trying to prevent or protect from. It's very easy to run any service on port 80 or 443. For example, botnets, or even VPN or SSH servers, will happily run on these ports, and if someone takes over your server you won't stop them from connecting to their services by restricting outgoing traffic only to ports 80 and 443.

You may be better served with an HTTP proxy with a whitelist of permitted URLs, or at least a whitelist of IPs in your iptables -A OUTPUT chain (which can be conveniently done through ipset).

Restricting only the output ports will probably not do what you want.
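A complete OUTPUT chain along the lines of this answer (destination whitelist held in an ipset, replies to existing connections allowed, everything else rejected), as an added example that is not part of the original post. The set name and whitelisted addresses are constructed placeholders; set IPT and IPSET to "echo iptables" / "echo ipset" for a dry run that prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original post: restrictive OUTPUT chain that
# only permits NEW HTTP/HTTPS connections to whitelisted destination IPs.
IPT="${IPT:-iptables}"
IPSET="${IPSET:-ipset}"
SET_NAME="web_whitelist"

# Constructed sample destinations (documentation-range addresses).
WHITELIST="198.51.100.10 203.0.113.25"

# Number of whitelist entries (used as a self-check).
whitelist_count() {
    set -- $WHITELIST
    echo "$#"
}

apply_output_rules() {
    # Keep the destination whitelist in an ipset so the rule set stays small.
    $IPSET -exist create "$SET_NAME" hash:ip
    for ip in $WHITELIST; do
        $IPSET -exist add "$SET_NAME" "$ip"
    done

    # Start from an empty OUTPUT chain.
    $IPT -F OUTPUT

    # Replies to existing (e.g. inbound) connections.
    # conntrack/--ctstate is the current spelling of the post's -m state --state.
    $IPT -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # New outgoing HTTP/HTTPS, but only to whitelisted destination IPs.
    $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 \
        -m set --match-set "$SET_NAME" dst \
        -m conntrack --ctstate NEW -j ACCEPT

    # REJECT rather than DROP so local clients fail fast.
    $IPT -A OUTPUT -j REJECT
}

# Run as root with "apply" to install the rules; otherwise only define them.
if [ "${1:-}" = "apply" ]; then
    apply_output_rules
fi
```

DNS and loopback traffic are not covered by these rules; add explicit ACCEPT rules for them before the final REJECT if the host needs them.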