LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   iptables and OUTPUT policy (https://www.linuxquestions.org/questions/linux-security-4/iptables-and-output-policy-4175733959/)

Jason.nix 02-17-2024 05:53 AM

iptables and OUTPUT policy
 
Hello,
Are the following iptables rules wrong?
Code:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s "IP" -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j DROP
-A INPUT -p tcp -m tcp --dport 30 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 2/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -d "IP" -p tcp -m tcp --dport 40 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 40 -j DROP

Thank you.

jayjwa 02-17-2024 12:36 PM

Wrong for what? With a default accept output, you are only blocking tcp/40 outbound, which I can't see a practical application for.

Jason.nix 02-18-2024 12:05 AM

Quote:

Originally Posted by jayjwa (Post 6484243)
Wrong for what? With a default accept output, you are only blocking tcp/40 outbound, which I can't see a practical application for.

Hello,
Thank you so much for your reply.
Not really. I have only allowed exit to port 40 and other ports are blocked.

Jason.nix 02-19-2024 12:38 PM

Hello,
No idea?

Thanks.

astrogeek 02-19-2024 02:17 PM

Quote:

Originally Posted by Jason.nix (Post 6484315)
Hello,
Thank you so much for your reply.
Not really. I have only allowed exit to port 40 and other ports are blocked.

No, you are doing just the opposite:

Quote:

Originally Posted by Jason.nix (Post 6484179)
Hello,
Are the following iptables rules wrong?
Code:

...
-P OUTPUT ACCEPT
...
-A OUTPUT -d "IP" -p tcp -m tcp --dport 40 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 40 -j DROP
...Policy ACCEPT applies to everything else not handled above...


You are blocking tcp/40 except to "IP" (assuming that to be redacted) and accepting everything else.

Jason.nix 02-20-2024 12:31 AM

Quote:

Originally Posted by astrogeek (Post 6484694)
No, you are doing just the opposite:



You are blocking tcp/40 except to "IP" (assuming that to be redacted) and accepting everything else.

Hello,
Thank you so much for your reply.
1- How can I solve it? I want the server to be able to send data only to port number 40.

2- Is the following rule also wrong? I just want a specific IP address to be able to connect to port 20.
Code:

-A INPUT -s "IP" -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j DROP


jayjwa 02-20-2024 08:09 AM

If you want to block by default, you should set the default policy to block.
Code:

iptables -P OUTPUT DROP
iptables -A OUTPUT -d $IP -p tcp -m tcp --dport 40 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d $IP -p tcp -m tcp --dport 40 -j ACCEPT

You'll have to allow for DNS, if needed, and also mind ipv6 (if in use). Your second example does similar: it takes packets on the INPUT chain and then drops tcp/20 packets. If you want that type of rule, look into negation (! --dport 20). Unfortunately, I can't easily test these rules right now but I think you can see what I'm getting at.

Jason.nix 02-21-2024 01:26 AM

Quote:

Originally Posted by jayjwa (Post 6484814)
If you want to block by default, you should set the default policy to block.
Code:

iptables -P OUTPUT DROP
iptables -A OUTPUT -d $IP -p tcp -m tcp --dport 40 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d $IP -p tcp -m tcp --dport 40 -j ACCEPT

You'll have to allow for DNS, if needed, and also mind ipv6 (if in use). Your second example does similar: it takes packets on the INPUT chain and then drops tcp/20 packets. If you want that type of rule, look into negation (! --dport 20). Unfortunately, I can't easily test these rules right now but I think you can see what I'm getting at.

Hello,
Thank you so much for your reply.
Why did you change DROP to ACCEPT in the second rule?

jayjwa 02-21-2024 12:16 PM

Because the default policy is already DROP and everything is dropped by default. If you don't make any exception, nothing is allowed and you wanted tcp/40.

Quote:

-P, --policy chain target
Set the policy for the built-in (non-user-defined) chain to the
given target. The policy target must be either ACCEPT or DROP.
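
The point the thread turns on, that rules are checked top to bottom, the first match decides, and the chain policy only applies to packets no rule matched, can be made visible with a small simulation. The following is an added example, not code from the thread or from iptables/netfilter: a deliberately simplified model of chain traversal that knows only the matches used above (interface, source, destination, protocol, destination port, conntrack state). It compares the OUTPUT chain as originally posted with a default-deny OUTPUT chain (policy DROP, then exceptions for loopback, replies to tracked connections, DNS, and the one permitted destination), and also runs the INPUT pair from question 2. `203.0.113.10` stands in for the redacted "IP", and `192.0.2.5` / `198.51.100.7` are constructed host addresses.

```python
"""Toy model of iptables chain traversal (added example, not from the thread).

Rules are checked top to bottom; the first match decides the packet's fate
and the chain policy applies only to packets no rule matched.  Rule fields
left as None act as wildcards, like an omitted match in iptables.  This is a
simplified model of netfilter, not netfilter itself: it knows only the
matches the thread uses (-i/-o, -s/-d, -p, --dport, --ctstate).
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholder for the redacted "IP" in the thread.
PEER_IP = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    iface: str              # -o for OUTPUT, -i for INPUT
    src: str
    dst: str
    proto: str              # "tcp", "udp", "icmp"
    dport: Optional[int]
    ctstate: str            # "NEW", "ESTABLISHED", "RELATED", "INVALID"


@dataclass(frozen=True)
class Rule:
    target: str             # "ACCEPT" or "DROP"
    iface: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    ctstates: Optional[frozenset] = None

    def matches(self, p: Packet) -> bool:
        # Every specified match must hold; unspecified ones are wildcards.
        return all([
            self.iface is None or self.iface == p.iface,
            self.src is None or self.src == p.src,
            self.dst is None or self.dst == p.dst,
            self.proto is None or self.proto == p.proto,
            self.dport is None or self.dport == p.dport,
            self.ctstates is None or p.ctstate in self.ctstates,
        ])


@dataclass(frozen=True)
class Chain:
    policy: str
    rules: List[Rule]

    def verdict(self, p: Packet) -> str:
        for r in self.rules:        # first matching rule wins
            if r.matches(p):
                return r.target
        return self.policy          # nothing matched: the policy decides


# The OUTPUT chain exactly as posted: -P OUTPUT ACCEPT plus two tcp/40 rules.
OUTPUT_AS_POSTED = Chain("ACCEPT", [
    Rule("ACCEPT", dst=PEER_IP, proto="tcp", dport=40,
         ctstates=frozenset({"NEW", "ESTABLISHED"})),
    Rule("DROP", proto="tcp", dport=40),
])

# Default-deny egress: policy DROP, then explicit exceptions.  With the
# ESTABLISHED,RELATED rule in place the tcp/40 rule only needs to admit NEW.
OUTPUT_DEFAULT_DENY = Chain("DROP", [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", ctstates=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", proto="udp", dport=53),      # DNS, if the host needs it
    Rule("ACCEPT", proto="tcp", dport=53),
    Rule("ACCEPT", dst=PEER_IP, proto="tcp", dport=40, ctstates=frozenset({"NEW"})),
])

# The INPUT pair from question 2: only PEER_IP may open tcp/20.
INPUT_PORT20 = Chain("ACCEPT", [
    Rule("ACCEPT", src=PEER_IP, proto="tcp", dport=20,
         ctstates=frozenset({"NEW", "ESTABLISHED"})),
    Rule("DROP", proto="tcp", dport=20),
])


def new_tcp_out(dst: str, dport: int, iface: str = "eth0") -> Packet:
    """A fresh outbound TCP connection attempt from this host (constructed)."""
    return Packet(iface, "192.0.2.5", dst, "tcp", dport, "NEW")


def new_tcp_in(src: str, dport: int, iface: str = "eth0") -> Packet:
    """A fresh inbound TCP connection attempt to this host (constructed)."""
    return Packet(iface, src, "192.0.2.5", "tcp", dport, "NEW")


if __name__ == "__main__":
    for name, chain in (("OUTPUT as posted", OUTPUT_AS_POSTED),
                        ("OUTPUT default deny", OUTPUT_DEFAULT_DENY)):
        print(name)
        print("  tcp/40  to peer      :", chain.verdict(new_tcp_out(PEER_IP, 40)))
        print("  tcp/40  to elsewhere :", chain.verdict(new_tcp_out("198.51.100.7", 40)))
        print("  tcp/443 to elsewhere :", chain.verdict(new_tcp_out("198.51.100.7", 443)))
    print("INPUT tcp/20 from peer :", INPUT_PORT20.verdict(new_tcp_in(PEER_IP, 20)))
    print("INPUT tcp/20 from other:", INPUT_PORT20.verdict(new_tcp_in("198.51.100.7", 20)))
```

Running it shows the difference astrogeek and jayjwa describe: under the posted chain a connection to tcp/443 anywhere falls through both rules to the ACCEPT policy, while under the default-deny chain the same packet reaches the DROP policy and only the listed exceptions get out. The INPUT pair behaves as the OP intended in this model: tcp/20 is accepted from the peer address and dropped from anyone else. The model ignores everything netfilter does beyond first-match evaluation, so it illustrates the ordering logic rather than replacing a test on a real host.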

