Writing Egress Rules
You prefer having an OUTPUT ACCEPT policy, and you want to add some egress filtering rules to block traffic destined for known bad ports from leaving your network. You also want to add some basic precautions, such as not allowing NetBIOS traffic or private addresses to escape your network.
Here are some example egress filter rules that go with an OUTPUT ACCEPT policy. You could add these to any of the firewall scripts in this tutorial.
First, create variables containing your desired port numbers. EVILPORTS are port numbers known to be used by various malware. GOODPORTS are for preventing certain types of LAN traffic from escaping:
iptables doesn't seem to like lists longer than 15 port numbers.
Now, you can use these in rules like these examples:
$ipt -A OUTPUT -i $LAN_IFACE -p --dport $EVILPORTS -j DROP $ipt -A OUTPUT -i $LAN_IFACE -p --dport $GOODPORTS -j DROP
Or, you can specify source addresses instead of the interface name:
$ipt -A OUTPUT -s 192.168.2.0/24 -p all --dport $EVILPORTS -j DROP
The Discussion goes into more detail on what ports to block.
You can block specific addresses, or entire networks:
$ipt -A OUTPUT -i $LAN_IFACE -p -d 126.96.36.199 -j DROP $ipt -A OUTPUT -i $LAN_IFACE -p -d 188.8.131.52/30 -j DROP
RFC 1918 addresses, and broadcast and multicast addresses should not leak out of your network:
$ipt -A OUTPUT -s 10.0.0.0/8 -j DROP $ipt -A OUTPUT -s 172.16.0.0/12 -j DROP $ipt -A OUTPUT -s 192.168.0.0/16 -j DROP $ipt -A OUTPUT -s 184.108.40.206/4 -j DROP $ipt -A OUTPUT -s 240.0.0.0/5 -j DROP $ipt -A OUTPUT -s 127.0.0.0/8 -j DROP $ipt -A OUTPUT -s 0.0.0.0/8 -j DROP $ipt -A OUTPUT -d 255.255.255.255 -j DROP $ipt -A OUTPUT -s 169.254.0.0/16 -j DROP $ipt -A OUTPUT -d 220.127.116.11/4 -j DROP
Nor should traffic without the correct source address, which is your WAN address:
$ipt -A OUTPUT -o $WAN_INTERFACE -s !18.104.22.168 -j DROP
Blocking potentially dangerous outgoing ports is what good netizens do. If you have infected hosts on your network, you should do your best to prevent them from joining the World Wide Botnet and spreading further contagion.
Deciding which destination ports to block is a moving target. You'll need to figure these out yourself, so check your favorite security sites periodically. A Web search for "dangerous TCP/IP ports" is a good way to start.
Check /etc/services to decide which local services you want to keep fenced in. Here are explanations for the partial list used for GOODPORTS:
telnet client. telnet is completely insecure because it transmits entirely in cleartext.
Windows NetBIOS and Samba broadcasts go out on these ports.
The X Display Manager Control Protocol (XDMCP) is completely insecure. For remote X sessions, tunnel X over SSH.
While iptables is useful for basic protections like these, it is a blunt tool for filtering outgoing traffic. A lot of malware uses ports that are registered for legitimate services, so blocking those ports means no access to those services. iptables can't perform any content inspection, and doesn't have access control lists. If you want a lot of control over the traffic leaving your network and what your users can do, consider using a proxy server like Squid.
In this tutorial:
- Building a Linux Firewall
- Iptables and NAT, SNAT, and DNAT
- Assembling a Linux Firewall Box
- Configuring Network Interface Cards on Debian
- Configuring Network Interface Cards on Fedora
- Identifying Which NIC Is Which
- Building an Internet-Connection Sharing Firewall on a Dynamic WAN IP Address
- Building an Internet-Connection Sharing Firewall on a Static WAN IP Address
- Displaying the Status of Your Firewall
- Turning an iptables Firewall Off
- Starting iptables at Boot, and Manually Bringing Your Firewall Up and Down
- Testing Your Firewall
- Configuring the Firewall for Remote SSH Administration
- Allowing Remote SSH Through a NAT Firewall
- Multiple SSH Host Keys Past NAT
- Running Public Services on Private IP Addresses
- Setting Up a Single-Host Firewall
- Setting Up a Server Firewall
- Configuring iptables Logging
- Writing Egress Rules