I'm an Ubuntu/iptables noob and am running my first Linode to serve a Rails app. While things are starting to come together and I'm feeling pretty good about my INPUT chain, the OUTPUT chain…eh…not so much. 🙂
Obviously my rules should reflect my personal needs and there will always be variation from person to person, but for a basic Ubuntu server, what should I generally be conscious of? Are there any best practices for outbound chains? Right now outbound is set to ACCEPT basically everything, but I'd rather deny and whitelist things as necessary.
Given that, and excluding the rules which could be figured out based on one's input chain, does anyone have suggestions as to what outbound rules one should generally allow on an Ubuntu box? (e.g., for package updates, time syncing, etc.) I don't want to miss something and unknowingly prevent a background task from running properly.
Thanks
Edit: Thanks for the helpful replies, everyone! My account is brand new and I unfortunately don't have the minimum reputation to vote things up at this time, but I appreciate you all helping me very much. I've gone ahead and accepted an answer.
Best Answer
Since you're probably not going to be using this server to do anything other than obtaining data from your configured repos in /etc/apt/sources.list, you should probably just allow those by FQDN and port. I would use conntrack and stateful inspection rather than specifying an input, since it's more secure. A specially crafted packet with its source port set to 80 will get through the rules that Jonathan Ross mentioned.