Firewall OUTPUT filters

Revision as of 19:41, 25 October 2014 by WikiFreak (Development ports)




Basic outputs

You can find the basic OUTPUT rules on the Firewall core (main) protocols page.


Mandatory output

This is the very minimum you need to run a computer. Keep in mind that these rules match only on the destination port of outgoing packets and only do something once the OUTPUT chain's default policy is DROP (see the core page); with the default ACCEPT policy they change nothing. Telnet and MS RPC (135) are kept for completeness: remove those two lines unless you actually use them, since Telnet is cleartext and a Linux host rarely needs to reach a Windows endpoint mapper.


IPTABLES=`which iptables`

echo -e " "
echo -e "------------------------"
echo -e " OUTGOING port filters"
echo -e "------------------------"

##############
# Main ports
##############

echo -e " ... Mandatory ports "
echo -e "       SSH, Telnet, HTTP(S), HTTP alt (8080), NTP, RPC"

# Remote Control
$IPTABLES -A OUTPUT -p tcp --dport 22 -j ACCEPT     # SSH (default port)
$IPTABLES -A OUTPUT -p tcp --dport 23 -j ACCEPT     # Telnet (cleartext; remove unless really needed)
# Web
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT     # HTTP
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT    # HTTPS
$IPTABLES -A OUTPUT -p tcp --dport 8080 -j ACCEPT   # HTTP alternate (Tomcat default)
# Core services
$IPTABLES -A OUTPUT -p udp --dport 123 -j ACCEPT    # NTP (time sync, UDP)
$IPTABLES -A OUTPUT -p tcp --dport 135 -j ACCEPT    # MS RPC endpoint mapper (Windows networks only)

	
##############
# Remote control
##############
	
echo -e " ... Remote control"
$IPTABLES -A OUTPUT -p tcp --dport 3389 -j ACCEPT   # Windows Remote Desktop (terminal Server)
$IPTABLES -A OUTPUT -p tcp --dport 5900 -j ACCEPT   # VNC and Apple Remote Desktop


##############
# Communication
##############
	
echo -e " ... Communication"
	
# Email
$IPTABLES -A OUTPUT -p tcp --dport 25 -j ACCEPT     # SMTP (server to server)
$IPTABLES -A OUTPUT -p tcp --dport 110 -j ACCEPT    # POP3
$IPTABLES -A OUTPUT -p tcp --dport 143 -j ACCEPT    # IMAP
$IPTABLES -A OUTPUT -p tcp --dport 993 -j ACCEPT    # IMAP over SSL/TLS
$IPTABLES -A OUTPUT -p tcp --dport 995 -j ACCEPT    # POP3 over SSL/TLS
$IPTABLES -A OUTPUT -p tcp --dport 587 -j ACCEPT    # SMTP submission with STARTTLS (Gmail and most providers)
$IPTABLES -A OUTPUT -p tcp --dport 465 -j ACCEPT    # SMTP over SSL/TLS (SMTPS, also used by Gmail)
	
##############
# I.T
##############
	
echo -e " ... IT ports"
echo -e "        Kerberos, LDAP, WhoIs, SLP, UPnP ..."
# Domain
$IPTABLES -A OUTPUT -p tcp --dport 88 -j ACCEPT     # Kerberos (port 88; 113 is ident/auth, not Kerberos; add udp 88 if your KDC uses it)
$IPTABLES -A OUTPUT -p tcp --dport 389 -j ACCEPT    # LDAP
$IPTABLES -A OUTPUT -p tcp --dport 636 -j ACCEPT    # LDAP over SSL/TLS

# Network Services
$IPTABLES -A OUTPUT -p tcp --dport 43 -j ACCEPT     # WhoIs
$IPTABLES -A OUTPUT -p tcp --dport 427 -j ACCEPT    # Service Location Protocol
$IPTABLES -A OUTPUT -p udp --dport 1900 -j ACCEPT   # UPnP / SSDP - network device discovery

##############
# File share
##############

echo -e " ... File share"
$IPTABLES -A OUTPUT -p udp --dport 137 -j ACCEPT    # NetBIOS Name Service
$IPTABLES -A OUTPUT -p udp --dport 138 -j ACCEPT    # NetBIOS Datagram Service
$IPTABLES -A OUTPUT -p tcp --dport 139 -j ACCEPT    # NetBIOS Session + Samba
$IPTABLES -A OUTPUT -p tcp --dport 445 -j ACCEPT    # SMB/CIFS - Windows 2000 and later file sharing
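As an added example (not code from the wiki page), here is the same "mandatory" set built from a small service table and emitted as an iptables-restore file instead of a series of -A calls. It assumes a DROP default policy on OUTPUT, uses conntrack so that only NEW connections need a port rule, and ends with a rate-limited LOG rule so that anything the policy drops shows up in the kernel log. The service table, the DNS entries (left to the core page by this article) and the function names are mine; Telnet and MS RPC are deliberately left out.

```sh
#!/bin/sh
# Added example, not from the wiki page: build the OUTPUT chain from a
# service table and print it in iptables-restore format. Re-running a script
# of "iptables -A" lines appends duplicate rules each time; a restore file
# is loaded atomically and gives the same chain on every run.

# Service table (constructed here): "name proto port", one entry per line.
# Page's mandatory set minus Telnet (23) and MS RPC (135), plus DNS.
SERVICES='
ssh      tcp 22
http     tcp 80
https    tcp 443
http-alt tcp 8080
ntp      udp 123
dns      udp 53
dns      tcp 53
'

nl='
'

# valid_port NUM: succeed only for an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_output_rules: read the table on stdin, print a filter-table fragment
# for iptables-restore; fail (status 1, nothing printed) on a bad entry.
gen_output_rules() {
    rules=""
    while read -r name proto port; do
        case "$name" in ''|'#'*) continue ;; esac     # blank line or comment
        case "$proto" in
            tcp|udp) ;;
            *) printf 'bad protocol for %s: %s\n' "$name" "$proto" >&2; return 1 ;;
        esac
        valid_port "$port" || { printf 'bad port for %s: %s\n' "$name" "$port" >&2; return 1; }
        # Only NEW connections need a per-port rule; replies match the
        # ESTABLISHED rule below. -m comment keeps the service name visible
        # in "iptables -L OUTPUT -n".
        line="-A OUTPUT -p $proto --dport $port -m conntrack --ctstate NEW -m comment --comment $name -j ACCEPT"
        rules="${rules}${line}${nl}"
    done
    printf '%s\n' '*filter' \
        ':OUTPUT DROP [0:0]' \
        '-A OUTPUT -o lo -j ACCEPT' \
        '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A OUTPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s' "$rules"
    # Log what falls through before the DROP policy eats it; rate-limited so
    # a chatty process cannot flood the kernel log.
    printf '%s\n' '-A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "OUTPUT DROP: " --log-level 4' \
        'COMMIT'
}

# Stand-alone use: sh this-file.sh > output.rules, then review the file.
printf '%s\n' "$SERVICES" | gen_output_rules
```

Generate the fragment, review it, merge it with the INPUT and FORWARD rules from the core page into one file, and load that with `iptables-restore`, which replaces the filter table in one step; `iptables-save` then shows exactly what was loaded.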


Allow all reserved ports

All ports from 0 to 1023 are well-known ports assigned to standard protocols (1024 and above are registered or dynamic ports). Rather than listing each one, you can simply open the whole range. Be aware that this is a convenience, not a hardening measure: it also lets Telnet, SMTP, NetBIOS and every other well-known service out.


You can consult the full list over here: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers


IPTABLES=`which iptables`

echo -e " ... Allow all standard (well-known) ports 0:1023"
$IPTABLES -A OUTPUT -p tcp --dport 0:1023 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 0:1023 -j ACCEPT
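Opening the whole well-known range is the coarse option. The explicit alternative, as an added example that is not part of the page, is to keep a list of the ports you actually use and pack it with iptables' multiport match. The catch a practitioner runs into is that one multiport rule accepts at most 15 port slots, and a range a:b costs two slots, so a long list must be split across several rules; the function below does that split. The function name and the sample port list are mine.

```sh
#!/bin/sh
# Added example, not from the wiki page: emit OUTPUT rules with the
# multiport match instead of one rule per port or a blanket 0:1023 range.
# iptables accepts at most 15 port slots per multiport rule, and a range
# "a:b" uses two slots, so the list is split into as many rules as needed.

# multiport_rules PROTO PORT|LOW:HIGH ...
# Prints "-A OUTPUT -p PROTO -m multiport --dports ... -j ACCEPT" lines in
# iptables-restore syntax; fails on an argument that is not a port or range.
multiport_rules() {
    proto=$1; shift
    case "$proto" in
        tcp|udp) ;;
        *) echo "multiport_rules: bad protocol $proto" >&2; return 1 ;;
    esac
    list=""; slots=0
    for p in "$@"; do
        case "$p" in
            *:*) lo=${p%%:*}; hi=${p#*:}; cost=2 ;;   # a range costs two slots
            *)   lo=$p;       hi=$p;      cost=1 ;;
        esac
        for n in "$lo" "$hi"; do
            case "$n" in
                ''|*[!0-9]*) echo "multiport_rules: bad port $p" >&2; return 1 ;;
            esac
        done
        if [ "$lo" -gt "$hi" ] || [ "$hi" -gt 65535 ]; then
            echo "multiport_rules: bad range $p" >&2; return 1
        fi
        # flush the current rule when the next entry would exceed 15 slots
        if [ $((slots + cost)) -gt 15 ]; then
            printf '%s\n' "-A OUTPUT -p $proto -m multiport --dports $list -j ACCEPT"
            list=""; slots=0
        fi
        list="${list:+$list,}$p"
        slots=$((slots + cost))
    done
    if [ -n "$list" ]; then
        printf '%s\n' "-A OUTPUT -p $proto -m multiport --dports $list -j ACCEPT"
    fi
}

# Stand-alone use: the page's TCP ports from the sections above (sample list)
multiport_rules tcp 22 80 443 8080 25 110 143 993 995 587 465 389 636 43 427 139 445 515 631
multiport_rules udp 123 137:138 1900 5060
```

Feed the output to `iptables-restore` together with the rest of the filter table, or prefix each line with `$IPTABLES` to keep the page's script style; either way `iptables -L OUTPUT -n` will show one compact rule per 15 ports instead of a screenful.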


Other common outputs

You can extend the previous list, at least for:

  • Network printing, Apple integration, ...
  • Communications tools: Skype, Google hangout, ...
  • Videos and streaming: YouTube, NetFlix, ...


IPTABLES=`which iptables`

####### Printing
$IPTABLES -A OUTPUT -p tcp --dport 515 -j ACCEPT    # LPD (line printer daemon)
$IPTABLES -A OUTPUT -p tcp --dport 631 -j ACCEPT    # IPP (Internet Printing Protocol, CUPS)

###### Apple specifics
$IPTABLES -A OUTPUT -p tcp --dport 3283 -j ACCEPT   # Apple Remote Desktop version 3
$IPTABLES -A OUTPUT -p udp --dport 3283 -j ACCEPT   # Apple Remote Desktop version 3
$IPTABLES -A OUTPUT -p tcp --dport 548 -j ACCEPT    # Apple File Sharing Protocol

####### Streaming
$IPTABLES -A OUTPUT -p tcp --dport 554 -j ACCEPT    # RTSP streaming audio / video
$IPTABLES -A OUTPUT -p tcp --dport 1234 -j ACCEPT   # VLC default stream port (registered as Infoseek search-agent)
$IPTABLES -A OUTPUT -p udp --dport 1234 -j ACCEPT   # VLC default UDP stream port
$IPTABLES -A OUTPUT -p tcp --dport 4070 -j ACCEPT   # Spotify - audio streaming
$IPTABLES -A OUTPUT -p udp --dport 4070 -j ACCEPT   # Spotify - audio streaming
 
###### Communication
$IPTABLES -A OUTPUT -p tcp --dport 119 -j ACCEPT    # NNTP (newsgroups)
$IPTABLES -A OUTPUT -p tcp --dport 1863 -j ACCEPT   # MSN Messenger
$IPTABLES -A OUTPUT -p tcp --dport 5060 -j ACCEPT   # SIP (VoIP)
$IPTABLES -A OUTPUT -p udp --dport 5060 -j ACCEPT   # SIP (VoIP)
$IPTABLES -A OUTPUT -p tcp --dport 5061 -j ACCEPT   # SIP over TLS (used by MS Lync)
$IPTABLES -A OUTPUT -p tcp --dport 5222 -j ACCEPT   # XMPP client (Google Talk, Jabber)


IT ports

If you install Cherokee instead of Apache2, or Webmin as an administration tool, you will also need:


IPTABLES=`which iptables`

$IPTABLES -A OUTPUT -p tcp --dport 9090 -j ACCEPT   # Cherokee admin pages (alt. web server administration)

$IPTABLES -A OUTPUT -p tcp --dport 10000 -j ACCEPT  # Webmin - services and configuration
$IPTABLES -A OUTPUT -p tcp --dport 20000 -j ACCEPT  # Usermin - per-user companion to Webmin


Development ports

The following ports are required if you do some development.


IPTABLES=`which iptables`


####### Standard dev. 
# SVN server
$IPTABLES -A OUTPUT -p tcp --dport 3690 -j ACCEPT
# SONAR (dev quality)
$IPTABLES -A OUTPUT -p tcp --dport 9000 -j ACCEPT
# GIT server
$IPTABLES -A OUTPUT -p tcp --dport 9418 -j ACCEPT


####### JAVA
$IPTABLES -A OUTPUT -p tcp --dport 8080 -j ACCEPT                # HTTP alt.
$IPTABLES -A OUTPUT -p tcp --dport 8443 -j ACCEPT                # HTTPS alt.
# JBoss WildFly
$IPTABLES -A OUTPUT -p tcp --dport 9990 -j ACCEPT                # WildFly management console (default is 9990, not 9090)
# Glassfish
$IPTABLES -A OUTPUT -p tcp --dport 4848 -j ACCEPT                # Glassfish administration
$IPTABLES -A OUTPUT -p tcp --dport 1527 -j ACCEPT                # Java DB (Derby) bundled with Glassfish
$IPTABLES -A OUTPUT -p tcp --dport 1099 -j ACCEPT                # JMX default JVM RMI port


####### Databases 
# MySQL
$IPTABLES -A OUTPUT -p tcp --dport 3306 -j ACCEPT
# Microsoft SQL Server (default instance, all versions)
$IPTABLES -A OUTPUT -p tcp --dport 1433 -j ACCEPT
# SQL Server Browser service (UDP, locates named instances) and the
# dedicated admin connection (TCP, SQL Server 2005 and later)
$IPTABLES -A OUTPUT -p udp --dport 1434 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 1434 -j ACCEPT



####### Messaging 
# Open MQ (bundled with Glassfish)
$IPTABLES -A OUTPUT -p tcp --dport 7676 -j ACCEPT
# Active MQ
$IPTABLES -A OUTPUT -p tcp --dport 8161 -j ACCEPT                # HTTP console
$IPTABLES -A OUTPUT -p tcp --dport 8162 -j ACCEPT                # HTTPS console
$IPTABLES -A OUTPUT -p tcp --dport 61616 -j ACCEPT               # JMS queues
# Rabbit MQ
$IPTABLES -A OUTPUT -p tcp --dport 15672 -j ACCEPT               # HTTP console
$IPTABLES -A OUTPUT -p tcp --dport 5672 -j ACCEPT                # AMQP protocol
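Every section above extends the port list by hand, which raises the practical question of how you discover the port a new tool needs once the DROP policy is in place. The added example below (not code from the page) answers it from the log side: it assumes the OUTPUT chain ends in a LOG rule with the prefix "OUTPUT DROP: " and counts the protocol/port pairs the kernel reports, then turns the result into rule lines in the page's own style. The log lines are constructed here with documentation addresses, not captured traffic; the function names are mine.

```sh
#!/bin/sh
# Added example, not from the wiki page: find out which outbound ports the
# DROP policy is silently eating. Assumes an OUTPUT LOG rule with
# --log-prefix "OUTPUT DROP: " and parses the kernel's netfilter log format.

# Constructed sample of kernel log lines (not real traffic). The ICMP line
# (no DPT field) and the INPUT line are there to be ignored.
LOGSAMPLE='Oct 25 19:41:03 devbox kernel: [  812.115] OUTPUT DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51022 DPT=9418 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 25 19:41:04 devbox kernel: [  813.002] OUTPUT DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=51023 DPT=9418 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 25 19:41:06 devbox kernel: [  815.310] OUTPUT DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4713 DF PROTO=TCP SPT=51024 DPT=9418 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 25 19:42:10 devbox kernel: [  879.447] OUTPUT DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4801 DF PROTO=TCP SPT=40110 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 25 19:42:11 devbox kernel: [  880.120] OUTPUT DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4802 DF PROTO=TCP SPT=40111 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 25 19:43:00 devbox kernel: [  929.001] OUTPUT DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=28
Oct 25 19:43:05 devbox kernel: [  934.228] OUTPUT DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Oct 25 19:43:07 devbox kernel: [  936.501] INPUT DROP: IN=eth0 OUT= SRC=203.0.113.99 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=1 PROTO=TCP SPT=4444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0'

# dropped_ports: read kernel log lines on stdin, print "COUNT proto/dport"
# for every OUTPUT DROP entry that carries a destination port, busiest first.
dropped_ports() {
    awk '
    /OUTPUT DROP:/ {
        proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/)    proto = tolower(substr($i, 7))
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        # ICMP and other port-less protocols have no DPT and are skipped
        if (proto != "" && dpt != "") count[proto "/" dpt]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# suggest_rules: turn dropped_ports output into rule lines in the page style.
# Review each one; a hit count is evidence that something tried, not that it
# should be allowed.
suggest_rules() {
    awk '{
        split($2, a, "/")
        printf "$IPTABLES -A OUTPUT -p %s --dport %s -j ACCEPT    # %d hits\n", a[1], a[2], $1
    }'
}

# Stand-alone use on the sample; on a live host: journalctl -k | dropped_ports
printf '%s\n' "$LOGSAMPLE" | dropped_ports | suggest_rules
```

On the sample this reports three hits on tcp/9418 (the git protocol from the section above), two on tcp/3306 and one on udp/5060; the ICMP echo has no port and the INPUT drop has the wrong prefix, so neither is counted.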