Firewall OUTPUT filters
OUTPUT filters
Basic outputs
You can find the basics OUTPUT rules over here: Firewall basics#Allow_services_and_network_protocols
Mandatory output
This is the VERY MINIMUM you need to run a computer:
IPTABLES=`which iptables`
echo -e " "
echo -e "------------------------"
echo -e " OUTGOING port filters"
echo -e "------------------------"
##############
# Main ports
##############
echo -e " ... Mandatory ports "
echo -e " SSH, Telnet, HTTP(S), HTTP alt (8080), NTP, RPC"
# Remote Control
$IPTABLES -A OUTPUT -p tcp --dport 22 -j ACCEPT # SSH (default port)
$IPTABLES -A OUTPUT -p tcp --dport 23 -j ACCEPT # Telnet
# Web
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT # HTTP
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT # HTTPS
$IPTABLES -A OUTPUT -p tcp --dport 8080 -j ACCEPT # TomCat (Java Web Server)
# Core Linux services
$IPTABLES -A OUTPUT -p udp --dport 123 -j ACCEPT # Time NTP UDP
$IPTABLES -A OUTPUT -p tcp --dport 135 -j ACCEPT # MS-RPC endpoint mapper (Remote Procedure Call, Windows domains)
##############
# Remote control
##############
echo -e " ... Remote control"
$IPTABLES -A OUTPUT -p tcp --dport 3389 -j ACCEPT # Windows Remote Desktop (terminal Server)
$IPTABLES -A OUTPUT -p tcp --dport 5900 -j ACCEPT # VNC and Apple Remote Desktop
##############
# Communication
##############
echo -e " ... Communication"
# Email
$IPTABLES -A OUTPUT -p tcp --dport 25 -j ACCEPT # SMTP
$IPTABLES -A OUTPUT -p tcp --dport 110 -j ACCEPT # POP3
$IPTABLES -A OUTPUT -p tcp --dport 143 -j ACCEPT # IMAP
$IPTABLES -A OUTPUT -p tcp --dport 993 -j ACCEPT # IMAP over SSL
$IPTABLES -A OUTPUT -p tcp --dport 995 -j ACCEPT # POP over SSL
$IPTABLES -A OUTPUT -p tcp --dport 587 -j ACCEPT # SMTP SSL (gmail)
$IPTABLES -A OUTPUT -p tcp --dport 465 -j ACCEPT # SMTP SSL (gmail)
##############
# I.T
##############
echo -e " ... I.T ports"
echo -e " LDAP, Printing, WhoIs, UPnP, Webmin ..."
# Domain
$IPTABLES -A OUTPUT -p tcp --dport 113 -j ACCEPT # Ident / auth (Kerberos itself uses port 88)
$IPTABLES -A OUTPUT -p tcp --dport 389 -j ACCEPT # LDAP
$IPTABLES -A OUTPUT -p tcp --dport 636 -j ACCEPT # LDAP over SSL
# Network Services
$IPTABLES -A OUTPUT -p tcp --dport 43 -j ACCEPT # WhoIs
$IPTABLES -A OUTPUT -p tcp --dport 427 -j ACCEPT # Service Location Protocol
$IPTABLES -A OUTPUT -p udp --dport 1900 -j ACCEPT # UPnP - network devices
##############
# File share
##############
echo -e " ... File share"
$IPTABLES -A OUTPUT -p udp --dport 137 -j ACCEPT # NetBios Name Service
$IPTABLES -A OUTPUT -p udp --dport 138 -j ACCEPT # NetBios Data Exchange
$IPTABLES -A OUTPUT -p tcp --dport 139 -j ACCEPT # NetBios Session + Samba
$IPTABLES -A OUTPUT -p tcp --dport 445 -j ACCEPT # CIFS - Windows 2000 and later file sharing
Allow all reserved ports
All the ports between 0:1024 belong to well-known network protocols and usages. So, instead of being paranoid, you can simply open the ports between 0:1024.
You can consult the full list over here: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
IPTABLES=`which iptables`
echo -e " ... Allow all standard ports between 0:1024"
$IPTABLES -A OUTPUT -p tcp --dport 0:1024 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 0:1024 -j ACCEPT
Other common outputs
You can increase the previous list, at least for:
- Network printing, Apple integration, ...
- Communications tools: Skype, Google hangout, ...
- Videos and streaming: YouTube, NetFlix, ...
IPTABLES=`which iptables`
####### Printing
$IPTABLES -A OUTPUT -p tcp --dport 515 -j ACCEPT # LPD / print spooler
$IPTABLES -A OUTPUT -p tcp --dport 631 -j ACCEPT # IPP (printing protocol)
###### Apple specifics
$IPTABLES -A OUTPUT -p tcp --dport 3283 -j ACCEPT # Apple Remote Desktop version 3
$IPTABLES -A OUTPUT -p udp --dport 3283 -j ACCEPT # Apple Remote Desktop version 3
$IPTABLES -A OUTPUT -p tcp --dport 548 -j ACCEPT # Apple File Sharing Protocol
####### Streaming
$IPTABLES -A OUTPUT -p tcp --dport 554 -j ACCEPT # RTSP Streaming audio / video
$IPTABLES -A OUTPUT -p tcp --dport 1234 -j ACCEPT # InfoSeek (VLC)
$IPTABLES -A OUTPUT -p udp --dport 1234 -j ACCEPT # VLC RTSP
$IPTABLES -A OUTPUT -p tcp --dport 4070 -j ACCEPT # Spotify - Audio Streaming
$IPTABLES -A OUTPUT -p udp --dport 4070 -j ACCEPT # Spotify - Audio Streaming
###### Communication
$IPTABLES -A OUTPUT -p tcp --dport 119 -j ACCEPT # NewsGroup
$IPTABLES -A OUTPUT -p tcp --dport 1863 -j ACCEPT # MSN
$IPTABLES -A OUTPUT -p tcp --dport 5060 -j ACCEPT # SIP -VoIP-
$IPTABLES -A OUTPUT -p udp --dport 5060 -j ACCEPT # SIP -VoIP-
$IPTABLES -A OUTPUT -p tcp --dport 5061 -j ACCEPT # MS Lync
$IPTABLES -A OUTPUT -p tcp --dport 5222 -j ACCEPT # Google talk
IT ports
If you ever install Cherokee instead of Apache2, or Webmin as an administration tool, then you'll need:
IPTABLES=`which iptables`
$IPTABLES -A OUTPUT -p tcp --dport 9090 -j ACCEPT # Cherokee admin pages (alt. web server administration)
$IPTABLES -A OUTPUT -p tcp --dport 10000 -j ACCEPT # Webmin - Services and configuration
$IPTABLES -A OUTPUT -p tcp --dport 20000 -j ACCEPT # Webmin - Users management
Development ports
The following ports are required if you do some development.
IPTABLES=`which iptables`
####### Standard dev.
# SVN server
$IPTABLES -A OUTPUT -p tcp --dport 3690 -j ACCEPT
# SONAR (dev quality)
$IPTABLES -A OUTPUT -p tcp --dport 9000 -j ACCEPT
# GIT server
$IPTABLES -A OUTPUT -p tcp --dport 9418 -j ACCEPT
####### JAVA
$IPTABLES -A OUTPUT -p tcp --dport 8080 -j ACCEPT # Tomcat / Application server container
$IPTABLES -A OUTPUT -p tcp --dport 4848 -j ACCEPT # Glassfish administration
$IPTABLES -A OUTPUT -p tcp --dport 1527 -j ACCEPT # Glassfish security manager
$IPTABLES -A OUTPUT -p tcp --dport 1099 -j ACCEPT # JMX default JVM RMI port
####### Databases
# MySQL
$IPTABLES -A OUTPUT -p tcp --dport 3306 -j ACCEPT
# Microsoft MsSQL (2008 and later)
$IPTABLES -A OUTPUT -p tcp --dport 1433 -j ACCEPT
# Microsoft MsSQL (2005 specifics)
$IPTABLES -A OUTPUT -p udp --dport 1434 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 1434 -j ACCEPT
####### Messaging
# Open MQ (bundled with Glassfish)
$IPTABLES -A OUTPUT -p tcp --dport 7676 -j ACCEPT
# Active MQ
$IPTABLES -A OUTPUT -p tcp --dport 8161 -j ACCEPT # HTTP console
$IPTABLES -A OUTPUT -p tcp --dport 8162 -j ACCEPT # HTTPS console
$IPTABLES -A OUTPUT -p tcp --dport 61616 -j ACCEPT # JMS queues
# Rabbit MQ
$IPTABLES -A OUTPUT -p tcp --dport 15672 -j ACCEPT # HTTP console
$IPTABLES -A OUTPUT -p tcp --dport 5672 -j ACCEPT # AMQP protocol
INPUT filters: servers
SSH
# SSH - max 3 new connection requests per minute (burst of 3)
# "-m limit" needs "--limit"; matching only NEW connections keeps the
# limit on connection attempts, not on every packet of an open session
$IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
DHCP
This is how you enable a DHCP server with TFTP (NetBoot):
IPTABLES=`which iptables`
# Allow LAN communication
# ... Required for NFS and the NetBoot ...
# LAN_ADDRESS must be set beforehand to your LAN in CIDR notation
$IPTABLES -A INPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT
$IPTABLES -A OUTPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT
########################
# INPUT filters
########################
##### DHCP client ######
# Broadcast IP request
$IPTABLES -A OUTPUT -p udp -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT
# Send / reply to IPs requests
$IPTABLES -A INPUT -p udp -s 255.255.255.255 --sport 67 --dport 68 -j ACCEPT
###### DHCP server ######
# Received client's requests [udp + tcp]
$IPTABLES -A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 68 --dport 67 -j ACCEPT
# NetBoot - TFTP server
$IPTABLES -A INPUT -p udp -s $LAN_ADDRESS --dport 69 -j ACCEPT
########################
# OUTPUT filters
########################
# DHCP [udp + tcp]
$IPTABLES -A OUTPUT -p udp --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 68 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 68 -j ACCEPT
# TFTP NetBoot
$IPTABLES -A OUTPUT -p udp --dport 69 -j ACCEPT
Note the difference between the broadcast request that every computer should allow (DHCP client) and the plain OUTPUT allow on ports 67 and 68 for the DHCP server!
LDAP
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 389 -j ACCEPT # LDAP
$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 636 -j ACCEPT # LDAPS
NFS
It's really tricky to adjust the firewall for NFS as the port is dynamic. One option is to allow all LAN traffic and use NFS over the LAN only.
Advanced features
Port forwarding
Principle
The aim is to reach a server located behind the actual server we are working on.
Basic proxy
In this case the target port number is the same as the source port.
This is a RISK because we expose the layout of our network to the Internet.
Advanced proxy
Here, the source and target port numbers are different. That's better, but as IT admin you need to maintain an 'IN / OUT port mapping table'.
How to
To do a port forwarding you have to:
- Allow some source IP / hosts to use forwarding
- Create some forward target
- Open the incoming port [input + output]
- Register the target server and allow POST-ROUTING operations on it
- Route the incoming port to the target server + port number
Requirements:
- Enable port forwarding
- The current server must be able to reach the target {server,port}
IpTables script
You have to declare the following only ONCE in all your FW scripts:
Enable module
#### Requirement: enable port forwarding in general
echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
### Allow forward from IP@...
$IPTABLES -A FORWARD -s 91.121.17.114 -j ACCEPT # work
$IPTABLES -A FORWARD -s 5.39.81.23 -j ACCEPT # family VPN
$IPTABLES -A FORWARD -s 192.168.18.0/24 -j ACCEPT # home (without the /24 mask this would match only the host .0)
### Open incoming ports [=from ports]...
$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
### Declare forward targets [=to]...
$IPTABLES -A POSTROUTING -d 192.168.18.2 -t nat -j MASQUERADE # Email server
$IPTABLES -A POSTROUTING -d 192.168.18.5 -t nat -j MASQUERADE # JEE server
### Redirect FROM (IP:port) TO (server:port)
$IPTABLES -A PREROUTING -t nat -p tcp --dport 25 -j DNAT --to 192.168.18.2:25
$IPTABLES -A PREROUTING -t nat -p tcp --dport 80 -j DNAT --to 192.168.18.5:8080
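The five "How to" steps above as one reusable shell function, added here as an example and not part of the original page or its scripts. It assumes the sample target hosts used above, runs as a dry run by default (IPTABLES=echo prints the rules), and adds the ESTABLISHED,RELATED rule the page omits, without which a FORWARD chain with a DROP policy lets the DNAT'd SYN in but never the reply; the INPUT open of step 3 is left out because DNAT'd packets traverse FORWARD, not INPUT.

```shell
#!/bin/sh
# Added example, not from the original page. Dry run by default: set
# IPTABLES=$(which iptables) and run as root to apply the rules for real.
IPTABLES=${IPTABLES:-echo}

# Hosts/networks allowed to use the forward (constructed sample values)
ALLOWED_FORWARD_SRC="91.121.17.114 192.168.18.0/24"

# Kernel-wide routing switch; the page's per-interface flag under
# /proc/sys/net/ipv4/conf/eth0/ is the single-NIC equivalent.
enable_forwarding() {
    [ -w /proc/sys/net/ipv4/ip_forward ] && echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Let the answers of forwarded connections back through FORWARD.
allow_forward_replies() {
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# forward_port FROM_PORT TARGET_IP TARGET_PORT
# Emits the FORWARD allow, the POSTROUTING target and the PREROUTING DNAT
# for one mapping; returns 1 on a malformed argument.
forward_port() {
    from=$1; target=$2; to=$3
    case "$from$to" in *[!0-9]*|'') echo "bad port" >&2; return 1;; esac
    case "$target" in *[!0-9.]*|'') echo "bad target address" >&2; return 1;; esac
    # Step 1: only these sources may be forwarded, and only to this target:port
    for src in $ALLOWED_FORWARD_SRC; do
        $IPTABLES -A FORWARD -p tcp -s "$src" -d "$target" --dport "$to" -m state --state NEW -j ACCEPT
    done
    # Step 4: masquerade traffic to the target so its replies come back via us
    $IPTABLES -t nat -A POSTROUTING -d "$target" -j MASQUERADE
    # Step 5: rewrite the destination of connections arriving on FROM_PORT
    $IPTABLES -t nat -A PREROUTING -p tcp --dport "$from" -j DNAT --to-destination "$target:$to"
}

enable_forwarding
allow_forward_replies
forward_port 25 192.168.18.2 25    # mail server: same port (basic proxy)
forward_port 80 192.168.18.5 8080  # JEE server: different port (advanced proxy)
```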
Port forwarding VS proxy
Usually it's better to proxy than forward.
So if you can use the Apache2 proxy to redirect "http://mysite/myApp" to your sub-server Apache2 "/myApp" - DO IT !
My advice:
Only use port forwarding when there is no other choice.
Source address filtering
You can restrict access to a particular service to a limited set of source networks or IP addresses.
Example:
# Only allow company's offices to access our Tomcat
$IPTABLES -A INPUT -p tcp --dport 8088 -s 192.168.1.0/24 -j ACCEPT # Sweden LAN
$IPTABLES -A INPUT -p tcp --dport 8088 -s 90.83.80.64/27 -j ACCEPT # FR remote
$IPTABLES -A INPUT -p tcp --dport 8088 -s 90.83.80.123/27 -j ACCEPT # FR remote
$IPTABLES -A INPUT -p tcp --dport 8088 -s 77.68.140.115/24 -j ACCEPT # DK remote
$IPTABLES -A INPUT -p tcp --dport 8088 -s 0.0.0.0/0 -j DROP # DROP all the rest !
Don't forget to drop all the rest at the end !!
Advanced version: for loop
ALLOWED_REMOTE_IPS=(
195.101.122.64/27 # French office
193.12.118.194 # Sweden codriver.vehco.com
193.12.118.196 # Sweden code.vehco.com
91.121.17.114 # French RTD preprod [VPN]
)
# enable access to services (HTTP)
for ip in "${ALLOWED_REMOTE_IPS[@]}"
do
$IPTABLES -A INPUT -p tcp --dport 80 -s $ip -j ACCEPT
done
# disable for everyone else
$IPTABLES -A INPUT -p tcp -m tcp -s 0.0.0.0/0 --dport 80 -j DROP
Block an IP address or network
To block a specific IP address:
$IPTABLES -A INPUT -s 192.168.6.66/32 -j DROP
To block a network:
$IPTABLES -A INPUT -s 10.66.6.0/24 -j DROP
Scripts
To use the firewall you need to:
- Have a firewall start script
- Have a firewall stop script
- Have a firewall launcher script
- Register the firewall to the boot sequence
Firewall start script
My firewall start script: http://www.daxiongmao.eu/wiki_upload_files/firewall/firewall-start.sh
NetBoot client Firewall start script
My NetBoot firewall start script (LAN only): http://www.daxiongmao.eu/wiki_upload_files/firewall/firewall-nfs-client.sh
Firewall stop script
My firewall stop script: http://www.daxiongmao.eu/wiki_upload_files/firewall/firewall-stop.sh
Firewall launcher script
My firewall launcher script: http://www.daxiongmao.eu/wiki_upload_files/firewall/firewall.sh
Installation
- Download and adjust all the previous scripts.
- Put all the scripts in /etc/firewall/ and set the execution rights
mkdir /etc/firewall
cp firewall* /etc/firewall/
chmod -R 755 /etc/firewall
- Create the symlinks for the firewall
ln -s /etc/firewall/firewall.sh /usr/bin/firewall
ln -s /etc/firewall/firewall.sh /etc/init.d/firewall
- Register firewall script to boot sequence
cd /etc/init.d
update-rc.d firewall defaults
Reboot and check that the firewall is up with:
firewall status
Note
All this knowledge is the result of years of experiments and trials. Don't hesitate to search the Internet for more advanced (or simpler) rules.
References
- How to set IPv4 as default: http://bruteforce.gr/make-apt-get-use-ipv4-instead-ipv6.html
- Years of work and the help of some co-workers:
- Julien Rialland