Networking / Beginners

Writing Egress Rules

You prefer having an OUTPUT ACCEPT policy, and you want to add some egress filtering rules to block traffic destined for known bad ports from leaving your network. You also want to add some basic precautions, such as not allowing NetBIOS traffic or private addresses to escape your network.

Here are some example egress filter rules that go with an OUTPUT ACCEPT policy. You could add these to any of the firewall scripts in this tutorial.

First, create variables containing your desired port numbers. EVILPORTS are port numbers known to be used by various malware. GOODPORTS are for preventing certain types of LAN traffic from escaping:

EVILPORTS="587,666,777,778,1111,1218"
GOODPORTS="23,137,138,139,177"

iptables doesn't seem to like lists longer than 15 port numbers.
Now, you can use these in rules like these examples:

$ipt -A OUTPUT -i $LAN_IFACE -p --dport $EVILPORTS -j DROP
$ipt -A OUTPUT -i $LAN_IFACE -p --dport $GOODPORTS -j DROP

Or, you can specify source addresses instead of the interface name:

$ipt -A OUTPUT -s 192.168.2.0/24 -p all --dport $EVILPORTS -j DROP

The Discussion goes into more detail on what ports to block.
You can block specific addresses, or entire networks:

$ipt -A OUTPUT -i $LAN_IFACE -p -d 11.22.33.44 -j DROP
$ipt -A OUTPUT -i $LAN_IFACE -p -d 22.33.44.55/30 -j DROP

RFC 1918 addresses, and broadcast and multicast addresses should not leak out of your network:

$ipt -A OUTPUT -s 10.0.0.0/8 -j DROP
$ipt -A OUTPUT -s 172.16.0.0/12 -j DROP
$ipt -A OUTPUT -s 192.168.0.0/16 -j DROP
$ipt -A OUTPUT -s 224.0.0.0/4 -j DROP
$ipt -A OUTPUT -s 240.0.0.0/5 -j DROP
$ipt -A OUTPUT -s 127.0.0.0/8 -j DROP
$ipt -A OUTPUT -s 0.0.0.0/8 -j DROP
$ipt -A OUTPUT -d 255.255.255.255 -j DROP
$ipt -A OUTPUT -s 169.254.0.0/16 -j DROP
$ipt -A OUTPUT -d 224.0.0.0/4 -j DROP

Nor should traffic without the correct source address, which is your WAN address:

$ipt -A OUTPUT -o $WAN_INTERFACE -s !33.44.55.66 -j DROP

Blocking potentially dangerous outgoing ports is what good netizens do. If you have infected hosts on your network, you should do your best to prevent them from joining the World Wide Botnet and spreading further contagion.

Deciding which destination ports to block is a moving target. You'll need to figure these out yourself, so check your favorite security sites periodically. A Web search for "dangerous TCP/IP ports" is a good way to start.

Check /etc/services to decide which local services you want to keep fenced in. Here are explanations for the partial list used for GOODPORTS:

23
telnet client. telnet is completely insecure because it transmits entirely in cleartext.

137-139
Windows NetBIOS and Samba broadcasts go out on these ports.

177
The X Display Manager Control Protocol (XDMCP) is completely insecure. For remote X sessions, tunnel X over SSH.

While iptables is useful for basic protections like these, it is a blunt tool for filtering outgoing traffic. A lot of malware uses ports that are registered for legitimate services, so blocking those ports means no access to those services. iptables can't perform any content inspection, and doesn't have access control lists. If you want a lot of control over the traffic leaving your network and what your users can do, consider using a proxy server like Squid.

[Previous] [Contents]