[opensuse-security] close outgoing ports
Hi! I want to close on my fresh SuSE 10.2 all new outgoing connections. I want only to allow SMTP and SSH to the machine and none of the things to go out (updates, new ssh connections, etc...). How can this be done? YaST? sysconfig/... Thanks.
Majkl
http://www.email.si/
On 9.12.2006 16:36, Majkl wrote:
HI!
I want to close on my fresh SuSE 10.2 all new outgoing connections. I want only to allow SMTP and SSH to the machine and none of the things to go out (updates, new ssh connections, etc...)
How can this be done? YaST? sysconfig/...
Thanks.
Hi,
An iptables rule should be specified manually, because the GUI for SuSE Firewall does not allow you to block outgoing traffic.
Here is how you can do this (quoting one of Benjamin Weber's previous posts):
"If you want to load custom iptables rules into SuSEfirewall2 uncomment the
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
line in /etc/sysconfig/SuSEfirewall2 and then put your iptables rules into the appropriate hook in /etc/sysconfig/scripts/SuSEfirewall2-custom."
Now the rules you need should look like this:
iptables -t filter -I OUTPUT -j DROP
iptables -t filter -I OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -I OUTPUT -p tcp --dport 22 -d <destination host ip> -j ACCEPT
Note that these rules will cut off DNS requests, so when you try to connect to SMTP or SSH, you'll have to specify the server by IP. To allow DNS, add the following rules to the top:
iptables -t filter -I OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -I OUTPUT -p udp --dport 53 -j ACCEPT
Have in mind that the order in which you add the rules is significant. (See the -A and -I options of iptables in the manual page.)
For more information on firewall rules see the manual page of iptables.
There was a nice discussion on this list called "Detecting Brute-Force and Dictionary attacks". There you can find some more tricks that you can do with iptables.
--
Blade hails you...
Ruling with the scythe of death you tear out philosophies apart
An ancient starwalk to merge into the stars
--Nightwish
On 9.12.2006 17:28, Boyan Tabakov wrote:
Forgot one thing... with the above rules you cut out your loopback interface too. Add the following rule to correct this:
iptables -t filter -I OUTPUT -o lo -j ACCEPT
--
Blade hails you...
A mother's love
Is a sacrifice
--Nightwish
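An added example, not from either poster: the complete egress ruleset from the two replies above (default-drop OUTPUT, SMTP anywhere, SSH to one pinned host, DNS, loopback) written as one shell function that can be called from a hook in /etc/sysconfig/scripts/SuSEfirewall2-custom. It uses -A instead of -I so the rules read top to bottom in the order the kernel evaluates them, and it adds one rule the posts do not mention: an ESTABLISHED,RELATED accept. Reply packets of the inbound SSH and SMTP sessions that the original poster wants to keep also traverse OUTPUT, so a DROP placed in front of them would cut those sessions off. The addresses in SSH_DEST and DNS_SERVERS are placeholders from the documentation range (an assumption; set your own), and IPT defaults to a dry-run echo so the generated commands can be inspected before anything is applied.

```shell
#!/bin/sh
# Constructed example: ordered OUTPUT-chain egress policy for SuSEfirewall2-custom.
# IPT defaults to a dry run that only prints the commands; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
SSH_DEST="${SSH_DEST:-192.0.2.10}"        # assumption: the only host you may still ssh to
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53}"  # assumption: your resolver(s), space separated

# Emits the rules in evaluation order with -A (append); the final DROP catches
# everything not matched above it, so every accept must come before it.
egress_rules() {
    # Loopback: local daemons talking to each other (MTA to itself, etc.) keep working.
    $IPT -t filter -A OUTPUT -o lo -j ACCEPT
    # Replies to connections that were accepted INBOUND (sshd, smtpd) leave via OUTPUT
    # too; without this rule the DROP below kills every incoming SSH/SMTP session.
    $IPT -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNS to the configured resolvers only, UDP and TCP (TCP for large answers).
    for ns in $DNS_SERVERS; do
        $IPT -t filter -A OUTPUT -p udp -d "$ns" --dport 53 -j ACCEPT
        $IPT -t filter -A OUTPUT -p tcp -d "$ns" --dport 53 -j ACCEPT
    done
    # Outbound mail delivery to any MX.
    $IPT -t filter -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
    # Outbound SSH only to the one pinned host.
    $IPT -t filter -A OUTPUT -p tcp -d "$SSH_DEST" --dport 22 -m state --state NEW -j ACCEPT
    # Log a rate-limited sample of what is blocked so a failing update run is
    # diagnosable from /var/log/messages, then drop.
    $IPT -t filter -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "
    $IPT -t filter -A OUTPUT -j DROP
}

# 1-based position of the first emitted rule matching a pattern, used to check
# that an accept really sits above the DROP before the rules are loaded.
rule_position() {
    egress_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Number of rules the function emits.
rule_count() {
    egress_rules | grep -c .
}
```

To use it for real, source the file (or paste the function) into one of the hook functions of the stock SuSEfirewall2-custom file, fw_custom_after_finished() being the one that runs last (hook name from the stock file as shipped; check yours), set IPT=iptables there, call egress_rules, and run rcSuSEfirewall2 restart. Afterwards, iptables -L OUTPUT -n --line-numbers shows the final order, which is what matters if SuSEfirewall2 has already put its own rules into OUTPUT before the hook runs.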
participants (2)
- Boyan Tabakov
- Majkl