Firewall OUTPUT filters
Basic outputs
You can find the basic OUTPUT rules over here: Firewall core (main) protocols
Mandatory output
This is the VERY MINIMUM you need to run a computer:
IPTABLES=`which iptables`
echo -e " "
echo -e "------------------------"
echo -e " OUTGOING port filters"
echo -e "------------------------"
##############
# Main ports
##############
echo -e " ... Mandatory ports "
echo -e " SSH, Telnet, HTTP(S), HTTP alt (8080), NTP, RPC"
# Remote Control
$IPTABLES -A OUTPUT -p tcp --dport 22 -j ACCEPT # SSH (default port)
$IPTABLES -A OUTPUT -p tcp --dport 6000:6063 -j ACCEPT # X11 display ports (SSH X11 forwarding itself rides on port 22)
$IPTABLES -A OUTPUT -p tcp --dport 23 -j ACCEPT # Telnet
# Web
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT # HTTP
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT # HTTPS
$IPTABLES -A OUTPUT -p tcp --dport 8080 -j ACCEPT # Tomcat (Java web server)
# Core Linux services
$IPTABLES -A OUTPUT -p udp --dport 123 -j ACCEPT # Time NTP UDP
$IPTABLES -A OUTPUT -p tcp --dport 135 -j ACCEPT # Microsoft RPC endpoint mapper (Windows hosts, not a Linux service)
##############
# Remote control
##############
echo -e " ... Remote control"
$IPTABLES -A OUTPUT -p tcp --dport 3389 -j ACCEPT # Windows Remote Desktop (Terminal Server)
$IPTABLES -A OUTPUT -p tcp --dport 5900 -j ACCEPT # VNC and Apple Remote Desktop
$IPTABLES -A OUTPUT -p tcp --dport 4000 -j ACCEPT # NoMachine LAN access
$IPTABLES -A OUTPUT -p tcp --dport 4080 -j ACCEPT # NoMachine HTTP access
$IPTABLES -A OUTPUT -p tcp --dport 4443 -j ACCEPT # NoMachine HTTPS access
$IPTABLES -A OUTPUT -p udp --dport 4011:4999 -j ACCEPT # NoMachine UDP transmission
##############
# Communication
##############
echo -e " ... Communication"
# Email
$IPTABLES -A OUTPUT -p tcp --dport 25 -j ACCEPT # SMTP
$IPTABLES -A OUTPUT -p tcp --dport 110 -j ACCEPT # POP3
$IPTABLES -A OUTPUT -p tcp --dport 143 -j ACCEPT # IMAP
$IPTABLES -A OUTPUT -p tcp --dport 993 -j ACCEPT # IMAP over SSL
$IPTABLES -A OUTPUT -p tcp --dport 995 -j ACCEPT # POP over SSL
$IPTABLES -A OUTPUT -p tcp --dport 587 -j ACCEPT # SMTP submission, STARTTLS (gmail)
$IPTABLES -A OUTPUT -p tcp --dport 465 -j ACCEPT # SMTPS, implicit TLS (gmail)
##############
# I.T
##############
echo -e " ... I.T ports"
echo -e " LDAP, Printing, WhoIs, UPnP, Webmin ..."
# Domain
$IPTABLES -A OUTPUT -p tcp --dport 113 -j ACCEPT # Ident / auth (Kerberos itself uses port 88)
$IPTABLES -A OUTPUT -p tcp --dport 389 -j ACCEPT # LDAP
$IPTABLES -A OUTPUT -p tcp --dport 636 -j ACCEPT # LDAP over SSL
# Network Services
$IPTABLES -A OUTPUT -p tcp --dport 43 -j ACCEPT # WhoIs
$IPTABLES -A OUTPUT -p tcp --dport 427 -j ACCEPT # Service Location Protocol
$IPTABLES -A OUTPUT -p udp --dport 1900 -j ACCEPT # UPnP - network devices
##############
# File share
##############
echo -e " ... File share"
$IPTABLES -A OUTPUT -p udp --dport 137 -j ACCEPT # NetBios Name Service
$IPTABLES -A OUTPUT -p udp --dport 138 -j ACCEPT # NetBios Data Exchange
$IPTABLES -A OUTPUT -p tcp --dport 139 -j ACCEPT # NetBios Session + Samba
$IPTABLES -A OUTPUT -p tcp --dport 445 -j ACCEPT # CIFS - Windows 2000 and later file sharing
Allow all reserved ports
All the ports between 0:1024 belong to well-known network protocols and usages. So, instead of being paranoid, you can simply open the ports between 0:1024.
You can consult the full list over here: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
IPTABLES=`which iptables`
echo -e " ... Allow all standards ports between 0:1024"
$IPTABLES -A OUTPUT -p tcp --dport 0:1024 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 0:1024 -j ACCEPT
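The mandatory list and the 0:1024 range above are both long runs of the same `-A OUTPUT ... -j ACCEPT` line, and both only do something when the OUTPUT policy is DROP. The script below is an added example, not the wiki's own script, that wraps that pattern in a few POSIX sh functions: it validates every port spec before it becomes a rule, emits the stateful prelude (DROP policy, loopback, conntrack ESTABLISHED,RELATED) that per-port rules depend on, appends a rate-limited LOG rule so a missing port is visible in the kernel log, adds DNS (which the list above does not contain), and shows how the blanket 0:1024 ACCEPT is combined with explicit exceptions, since iptables stops at the first matching rule. The function names, the `OUTPUT-DROP: ` log prefix, the choice of 25 and 23 as exceptions and the `DRY_RUN` switch are all the example's own assumptions.

```shell
#!/bin/sh
# Added example (not the wiki's script): builder for OUTPUT ACCEPT rules.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them as root.

IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-1}"

run() {                        # print or execute one iptables invocation
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$IPTABLES" "$*"
    else
        "$IPTABLES" "$@"
    fi
}

is_port() {                    # digits only, 0..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 65535 ]
}

valid_port_spec() {            # PORT or LOW:HIGH with LOW <= HIGH
    case "$1" in
        *:*) lo="${1%%:*}"; hi="${1#*:}" ;;
        *)   lo="$1"; hi="$1" ;;
    esac
    is_port "$lo" && is_port "$hi" && [ "$lo" -le "$hi" ]
}

out_allow() {                  # out_allow PROTO PORTSPEC [comment]
    case "$1" in tcp|udp) ;; *) echo "bad protocol: $1" >&2; return 1 ;; esac
    valid_port_spec "$2" || { echo "bad port spec: $2" >&2; return 1; }
    if [ -n "${3:-}" ]; then
        run -A OUTPUT -p "$1" --dport "$2" -m comment --comment "$3" -j ACCEPT
    else
        run -A OUTPUT -p "$1" --dport "$2" -j ACCEPT
    fi
}

# Stateful prelude. Without the conntrack rule a DROP policy on OUTPUT also
# drops the replies of inbound sessions, whose destination port is random.
out_prelude() {
    run -P OUTPUT DROP
    run -A OUTPUT -o lo -j ACCEPT
    run -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A OUTPUT -m conntrack --ctstate INVALID -j DROP
}

# Trailer: rate-limited LOG so that a port missing from the list shows up
# in the kernel log instead of failing silently.
out_trailer() {
    run -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
    run -A OUTPUT -j DROP
}

# Broad range with exceptions. iptables stops at the first matching rule,
# so the DROPs must be appended before the wide ACCEPT.
out_allow_range_except() {     # PROTO LOW:HIGH "port port ..."
    for p in $3; do
        valid_port_spec "$p" || return 1
        run -A OUTPUT -p "$1" --dport "$p" -j DROP
    done
    out_allow "$1" "$2"
}

# Part of the mandatory list above as data ("proto port comment"). DNS is
# not in that list; it is added here so the set resolves names on its own.
MANDATORY='
udp 53 dns
tcp 53 dns
tcp 22 ssh
tcp 80 http
tcp 443 https
udp 123 ntp
tcp 993 imaps
tcp 587 submission
'

apply_mandatory() {
    out_prelude
    while read -r proto port note; do
        case "$proto" in ''|'#'*) continue ;; esac
        out_allow "$proto" "$port" "$note" || return 1
    done <<EOF
$MANDATORY
EOF
    out_trailer
}

# The "allow all reserved ports" variant, minus SMTP and Telnet: a desktop
# rarely needs either directly and both are common abuse channels from a
# compromised host (assumption of this example, adjust to your own needs).
apply_reserved_range() {
    out_prelude
    out_allow_range_except tcp 0:1024 "25 23"
    out_allow udp 0:1024
    out_trailer
}

case "${1:-}" in
    mandatory) apply_mandatory ;;
    reserved)  apply_reserved_range ;;
esac
```

Run it as `sh out.sh mandatory` to print the rules, or `DRY_RUN=0 sh out.sh mandatory` as root to apply them. The prelude matters: with a DROP policy and no conntrack rule, an inbound SSH session's replies (source port 22, destination port chosen by the client) match none of the `--dport` rules and are dropped.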
Other common outputs
You can increase the previous list, at least for:
- Network printing, Apple integration, ...
- Communications tools: Skype, Google hangout, ...
- Videos and streaming: YouTube, NetFlix, ...
IPTABLES=`which iptables`
####### Printing
$IPTABLES -A OUTPUT -p tcp --dport 515 -j ACCEPT # LPD / Print
$IPTABLES -A OUTPUT -p tcp --dport 631 -j ACCEPT # IPP (printing protocol)
###### Apple specifics
$IPTABLES -A OUTPUT -p tcp --dport 3283 -j ACCEPT # Apple Remote Desktop version 3
$IPTABLES -A OUTPUT -p udp --dport 3283 -j ACCEPT # Apple Remote Desktop version 3
$IPTABLES -A OUTPUT -p tcp --dport 548 -j ACCEPT # Apple File Sharing Protocol
####### Streaming
$IPTABLES -A OUTPUT -p tcp --dport 554 -j ACCEPT # RTSP Streaming audio / video
$IPTABLES -A OUTPUT -p tcp --dport 1234 -j ACCEPT # InfoSeek (VLC)
$IPTABLES -A OUTPUT -p udp --dport 1234 -j ACCEPT # VLC RTSP
$IPTABLES -A OUTPUT -p tcp --dport 4070 -j ACCEPT # Spotify - Audio Streaming
$IPTABLES -A OUTPUT -p udp --dport 4070 -j ACCEPT # Spotify - Audio Streaming
###### Communication
$IPTABLES -A OUTPUT -p tcp --dport 119 -j ACCEPT # NewsGroup
$IPTABLES -A OUTPUT -p tcp --dport 1863 -j ACCEPT # MSN
$IPTABLES -A OUTPUT -p tcp --dport 5060 -j ACCEPT # SIP -VoIP-
$IPTABLES -A OUTPUT -p udp --dport 5060 -j ACCEPT # SIP -VoIP-
$IPTABLES -A OUTPUT -p tcp --dport 5061 -j ACCEPT # MS Lync
$IPTABLES -A OUTPUT -p tcp --dport 5222 -j ACCEPT # Google talk
IT ports
If you ever install Cherokee instead of Apache2, or Webmin as an administration tool, then you'll need:
IPTABLES=`which iptables`
$IPTABLES -A OUTPUT -p tcp --dport 9090 -j ACCEPT # Cherokee admin pages (alt. web server administration)
$IPTABLES -A OUTPUT -p tcp --dport 10000 -j ACCEPT # Webmin - Services and configuration
$IPTABLES -A OUTPUT -p tcp --dport 20000 -j ACCEPT # Webmin - Users management
$IPTABLES -A OUTPUT -p tcp --dport 10050 -j ACCEPT # Zabbix agent
$IPTABLES -A OUTPUT -p tcp --dport 10051 -j ACCEPT # Zabbix server
# ELK (ElasticSearch, Logstash, Kibana)
$IPTABLES -A OUTPUT -p tcp --dport 9200 -j ACCEPT # HTTP
$IPTABLES -A OUTPUT -p tcp --dport 9300 -j ACCEPT # Transport
$IPTABLES -A OUTPUT -p tcp --dport 54328 -j ACCEPT # Multicasting
$IPTABLES -A OUTPUT -p udp --dport 54328 -j ACCEPT # Multicasting
Dashboard
Dashing is a dashboard solution. It's very nice and handy to monitor your IT applications. It runs on TCP 3030.
IPTABLES=`which iptables`
$IPTABLES -A OUTPUT -p tcp --dport 3030 -j ACCEPT
Development ports
The following ports are required if you do some development.
IPTABLES=`which iptables`
####### Standard dev.
# SVN server
$IPTABLES -A OUTPUT -p tcp --dport 3690 -j ACCEPT
# SONAR (dev quality)
$IPTABLES -A OUTPUT -p tcp --dport 9000 -j ACCEPT
# GIT server
$IPTABLES -A OUTPUT -p tcp --dport 9418 -j ACCEPT
####### JAVA
$IPTABLES -A OUTPUT -p tcp --dport 8080 -j ACCEPT # HTTP alt.
$IPTABLES -A OUTPUT -p tcp --dport 8443 -j ACCEPT # HTTPS alt.
####### JAVASCRIPT
$IPTABLES -A OUTPUT -p tcp --dport 3000 -j ACCEPT # NodeJS TSC lite-server
$IPTABLES -A OUTPUT -p tcp --dport 3001 -j ACCEPT # NodeJS Browser sync
# JBoss wildfly
$IPTABLES -A OUTPUT -p tcp --dport 9990 -j ACCEPT # Wildfly administration
# Glassfish
$IPTABLES -A OUTPUT -p tcp --dport 4848 -j ACCEPT # Glassfish administration
$IPTABLES -A OUTPUT -p tcp --dport 1527 -j ACCEPT # Glassfish security manager
$IPTABLES -A OUTPUT -p tcp --dport 1099 -j ACCEPT # JMX default JVM RMI port
####### Databases
# MySQL
$IPTABLES -A OUTPUT -p tcp --dport 3306 -j ACCEPT
# Postgresql
$IPTABLES -A OUTPUT -p tcp --dport 5432 -j ACCEPT
# Microsoft MsSQL (2008 and later)
$IPTABLES -A OUTPUT -p tcp --dport 1433 -j ACCEPT
# Microsoft MsSQL (2005 specifics)
$IPTABLES -A OUTPUT -p udp --dport 1434 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 1434 -j ACCEPT
####### Messaging
# Open MQ (bundled with Glassfish)
$IPTABLES -A OUTPUT -p tcp --dport 7676 -j ACCEPT
# Active MQ
$IPTABLES -A OUTPUT -p tcp --dport 8161 -j ACCEPT # HTTP console
$IPTABLES -A OUTPUT -p tcp --dport 8162 -j ACCEPT # HTTPS console
$IPTABLES -A OUTPUT -p tcp --dport 61616 -j ACCEPT # JMS queues
# Rabbit MQ
$IPTABLES -A OUTPUT -p tcp --dport 15672 -j ACCEPT # HTTP console
$IPTABLES -A OUTPUT -p tcp --dport 5672 -j ACCEPT # AMQP protocol
Gaming
Diablo 3
Official documentation: https://us.battle.net/support/en/article/firewall-proxy-router-and-port-configuration
- TCP & UDP 80, 443, 1119
- TCP & UDP 1119-1120, 3724, 4000, 6112-6114
- TCP & UDP 6115-6120
IPTABLES=`which iptables`
################################
# Blizzard Diablo 3
################################
# Battle.net Desktop Application
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 1119 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 1119 -j ACCEPT
# Blizzard Downloader
$IPTABLES -A OUTPUT -p tcp --dport 1119 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 1120 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 3724 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4000 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 6112:6114 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 1119 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 1120 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 3724 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 4000 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 6112:6114 -j ACCEPT
# Diablo 3
$IPTABLES -A OUTPUT -p udp --dport 6115:6120 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 6115:6120 -j ACCEPT
Note: you might need to stop your firewall (= allow all OUTPUT) for the installation and updates, because Blizzard uses some random ports. :_(
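An alternative to allowing all OUTPUT during an install is to keep the rule set and read what the firewall refused. The script below is an added example, not from the wiki, and assumes the OUTPUT chain ends with a LOG rule using `--log-prefix "OUTPUT-DROP: "` (the wiki's scripts do not add one). It tallies the dropped destinations per protocol and port and turns them into candidate ACCEPT lines for review against the vendor's published list above. The log lines are constructed samples, not captured from a real host; `dropped_ports` and `suggest_rules` are the example's own names.

```shell
#!/bin/sh
# Added example, not from the wiki: learn which ports an installer needs
# from the firewall's own log instead of opening all OUTPUT. Assumes the
# chain ends with a LOG rule using --log-prefix "OUTPUT-DROP: ".
# The log lines below are constructed samples (RFC 5737 addresses).

SAMPLE_LOG='Mar  3 20:11:02 desk kernel: OUTPUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=64 ID=4711 DF PROTO=TCP SPT=49152 DPT=1119 WINDOW=64240 SYN URGP=0
Mar  3 20:11:02 desk kernel: OUTPUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=64 ID=4712 DF PROTO=TCP SPT=49153 DPT=1119 WINDOW=64240 SYN URGP=0
Mar  3 20:11:05 desk kernel: OUTPUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=52 TTL=64 ID=4713 DF PROTO=UDP SPT=55000 DPT=6113 LEN=32
Mar  3 20:11:09 desk kernel: OUTPUT-DROP: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.20 LEN=60 TTL=64 ID=4714 DF PROTO=TCP SPT=49154 DPT=27015 WINDOW=64240 SYN URGP=0
Mar  3 20:11:10 desk kernel: INPUT-DROP: IN=eth0 OUT= SRC=203.0.113.4 DST=192.0.2.10 LEN=40 TTL=52 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 SYN URGP=0'

# dropped_ports: stdin = kernel log lines, stdout = "count proto/dport",
# one line per distinct destination, only for lines with the OUTPUT prefix.
dropped_ports() {
    awk -v prefix="OUTPUT-DROP:" '
        index($0, prefix) == 0 { next }
        {
            proto = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = tolower(substr($i, 7))
                if ($i ~ /^DPT=/)   dport = substr($i, 5)
            }
            if (proto != "" && dport != "") seen[proto "/" dport]++
        }
        END { for (k in seen) print seen[k], k }' | sort -k2,2
}

# suggest_rules [MIN]: turn the tally into candidate ACCEPT lines, keeping
# only destinations seen at least MIN times. The output is for review
# against the vendor's published ports, not for blind appending: the sample
# contains an unrelated tcp/27015 that a reviewer should leave out.
suggest_rules() {
    min="${1:-1}"
    dropped_ports | while read -r count key; do
        [ "$count" -ge "$min" ] || continue
        printf 'iptables -A OUTPUT -p %s --dport %s -j ACCEPT   # seen %s times\n' \
            "${key%/*}" "${key#*/}" "$count"
    done
}

# demo: run the tally over the constructed sample. On a real host pipe the
# kernel log in instead, e.g. journalctl -k --since "10 min ago" | ...
demo() {
    printf '%s\n' "$SAMPLE_LOG" | suggest_rules 2
}
```

The threshold argument is the practical knob: an installer retries its real ports many times while one-off noise appears once, so `suggest_rules 2` already separates the two in the sample.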