Mailinglist Archive: opensuse-security (49 mails)

Re: [opensuse-security] close outgoing ports
  • From: Boyan Tabakov <blade.alslayer@xxxxxxxxx>
  • Date: Sat, 9 Dec 2006 17:38:40 +0200
  • Message-id: <200612091738.45650.blade.alslayer@xxxxxxxxx>
On 9.12.2006 17:28, Boyan Tabakov wrote:
> On 9.12.2006 16:36, Majkl wrote:
> > HI!
> >
> > I want to close on my fresh SuSE 10.2 all new outgoing connections.
> > I want only to allow SMTP and SSH to machine and none of the things to go
> > out (updates, new ssh connections, etc...)
> >
> > How can this be done? Yast? sysconfig/...
> >
> > Thanks.
>
> Hi,
> An iptables rule should be specified manually, because the gui for SuSE
> Firewall does not allow you to block outgoing traffic.
>
> Here is how you can do this (quoting one of Benjamin Weber's previous posts):
>
> "If you want to load custom iptables rules into SuSEfirewall2 uncomment the
>
> #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
>
> line in /etc/sysconfig/SuSEfirewall2 and then put your iptables rules into
> the appropriate hook in /etc/sysconfig/scripts/SuSEfirewall2-custom."
>
> Now the rules you need should look like this:
>
> iptables -t filter -I OUTPUT -j DROP
> iptables -t filter -I OUTPUT -p tcp --dport 25 -j ACCEPT
> iptables -t filter -I OUTPUT -p tcp --dport 22 -d <destination host ip> -j ACCEPT
>
> Note that these rules will cut off DNS requests, so when you try to connect
> to SMTP or SSH, you'll have to specify the server by ip. To allow DNS, add
> the following rules to the top:
>
> iptables -t filter -I OUTPUT -p tcp --dport 53 -j ACCEPT
> iptables -t filter -I OUTPUT -p udp --dport 53 -j ACCEPT
>
> Have in mind that the order in which you add the rules is significant. (See
> the -A and -I options of iptables in the manual page.)
>
> For more information on firewall's rules see the manual page of iptables.
>
> There was a nice discussion on this list called "Detecting Brute-Force and
> Dictionary attacks". There you can find some more tricks that you can do
> with iptables.

Forgot one thing... with the above rules you cut out your loopback interface
too. Add the following rule to correct this:

iptables -t filter -I OUTPUT -o lo -j ACCEPT

--
Blade hails you...

A mother's love
Is a sacrifice
--Nightwish
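The complete rule set from this thread, assembled as an added example (not code from the thread or from SuSEfirewall2 itself) in the form the SuSEfirewall2-custom hook file expects. It adds a dry-run helper that shows the resulting OUTPUT chain in evaluation order, which makes the -I ordering pitfall visible, and one extra rule (ESTABLISHED,RELATED state match) so that replies to the inbound SMTP and SSH sessions the poster wants to keep are not dropped. Assumptions of mine: the hook name fw_custom_before_denyall (check it against your copy of /etc/sysconfig/scripts/SuSEfirewall2-custom), the placeholder destination 192.0.2.10, and the IPT variable used only for dry runs.

```shell
#!/bin/sh
# Added example, not from the original post: outgoing-only policy for
# SuSEfirewall2's custom hook. Assumed/constructed values: SSH_DST is a
# placeholder host (RFC 5737 test range); IPT may be set to "echo" for a
# dry run without root; the hook name follows SuSEfirewall2-custom.

IPT="${IPT:-iptables}"
SSH_DST="${SSH_DST:-192.0.2.10}"

# Every rule uses -I (insert at the top of the chain), so the rule issued
# LAST is evaluated FIRST. Hence the catch-all DROP goes in first and the
# exceptions afterwards, as the thread recommends.
fw_custom_before_denyall() {
    $IPT -t filter -I OUTPUT -j DROP
    $IPT -t filter -I OUTPUT -p tcp --dport 22 -d "$SSH_DST" -j ACCEPT
    $IPT -t filter -I OUTPUT -p tcp --dport 25 -j ACCEPT
    $IPT -t filter -I OUTPUT -p udp --dport 53 -j ACCEPT
    $IPT -t filter -I OUTPUT -p tcp --dport 53 -j ACCEPT
    # Not in the thread: packets answering sessions that came IN (sshd,
    # the MTA) also leave through OUTPUT. Without this the inbound SMTP
    # and SSH the poster wants to keep would be cut off as well.
    $IPT -t filter -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t filter -I OUTPUT -o lo -j ACCEPT
}

# Dry run: capture the commands instead of executing them and print the
# OUTPUT chain top to bottom as the kernel would evaluate it (reverse of
# issue order, because -I prepends). Useful before touching a live box.
simulated_chain() {
    ( IPT=echo; fw_custom_before_denyall ) \
        | sed -n 's/.*-I OUTPUT //p' \
        | sed '1!G;h;$!d'
}

# Small accessors for sanity checks on the simulated chain.
first_rule() { simulated_chain | head -n 1; }
last_rule()  { simulated_chain | tail -n 1; }
rule_count() { simulated_chain | wc -l | tr -d ' '; }

[ "${1:-}" = "--dry-run" ] && simulated_chain
```

Run with `--dry-run` to print the chain; the loopback ACCEPT must come out on top and the bare DROP at the bottom, otherwise the insertion order is wrong.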