Firewall OUTPUT filters


Output view

Output filters output:

Output filters


Basic outputs

You can find the basics OUTPUT rules over here: Firewall core (main) protocols


Mandatory output

This is the VERY MINIMUM you need to run a computer:


IPTABLES=`which iptables`

echo -e " "		
echo -e "------------------------"
echo -e " OUTGOING port filters"
echo -e "------------------------"
	
##############
# Main ports
##############
	
echo -e " ... Mandatory ports "
echo -e "       SSH, Telnet, HTTP(S), HTTP alt (8080), NTP, RPC"

# Remote Control
$IPTABLES -A OUTPUT -p tcp --dport 22 -j ACCEPT     # SSH (default port)
$IPTABLES -A OUTPUT -p tcp --dport 6000:6063 -j ACCEPT     # SSH X11 forwarding
$IPTABLES -A OUTPUT -p tcp --dport 23 -j ACCEPT     # Telnet
# Web
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT     # HTTP
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT    # HTTPS
$IPTABLES -A OUTPUT -p tcp --dport 8080 -j ACCEPT   # TomCat (Java Web Server)
# Core Linux services
$IPTABLES -A OUTPUT -p udp --dport 123 -j ACCEPT    # Time NTP UDP
$IPTABLES -A OUTPUT -p tcp --dport 135 -j ACCEPT    # Remote Procedure Call

	
##############
# Remote control
##############
	
echo -e " ... Remote control"
$IPTABLES -A OUTPUT -p tcp --dport 3389 -j ACCEPT   # Windows Remote Desktop (terminal Server)
$IPTABLES -A OUTPUT -p tcp --dport 5900 -j ACCEPT   # VNC and Apple Remote Desktop

$IPTABLES -A OUTPUT -p tcp --dport 4000 -j ACCEPT          # NoMachine LAN access
$IPTABLES -A OUTPUT -p tcp --dport 4080 -j ACCEPT          # NoMachine HTTP access
$IPTABLES -A OUTPUT -p tcp --dport 4443 -j ACCEPT          # NoMachine HTTPS access
$IPTABLES -A OUTPUT -p udp --dport 4011:4999 -j ACCEPT     # NoMachine UDP transmission


##############
# Communication
##############
	
echo -e " ... Communication"
	
# Email
$IPTABLES -A OUTPUT -p tcp --dport 25 -j ACCEPT     # SMTP
$IPTABLES -A OUTPUT -p tcp --dport 110 -j ACCEPT    # POP3
$IPTABLES -A OUTPUT -p tcp --dport 143 -j ACCEPT    # IMAP
$IPTABLES -A OUTPUT -p tcp --dport 993 -j ACCEPT    # IMAP over SSL
$IPTABLES -A OUTPUT -p tcp --dport 995 -j ACCEPT    # POP over SSL
$IPTABLES -A OUTPUT -p tcp --dport 587 -j ACCEPT    # SMTP SSL (gmail)
$IPTABLES -A OUTPUT -p tcp --dport 465 -j ACCEPT    # SMTP SSL (gmail)
	
##############
# I.T
##############
	
echo -e " ... I.T ports"
echo -e "        LDAP, Printing, WhoIs, UPnP, Webmin ..."	
# Domain
$IPTABLES -A OUTPUT -p tcp --dport 113 -j ACCEPT    # Kerberos
$IPTABLES -A OUTPUT -p tcp --dport 389 -j ACCEPT    # LDAP 
$IPTABLES -A OUTPUT -p tcp --dport 636 -j ACCEPT    # LDAP over SSL 

# Network Services
$IPTABLES -A OUTPUT -p tcp --dport 43 -j ACCEPT     # WhoIs
$IPTABLES -A OUTPUT -p tcp --dport 427 -j ACCEPT    # Service Location Protocol
$IPTABLES -A OUTPUT -p udp --dport 1900 -j ACCEPT   # UPnP - Peripheriques reseau

##############
# File share
##############

echo -e " ... File share"
$IPTABLES -A OUTPUT -p udp --dport 137 -j ACCEPT    # NetBios Name Service
$IPTABLES -A OUTPUT -p udp --dport 138 -j ACCEPT    # NetBios Data Exchange
$IPTABLES -A OUTPUT -p tcp --dport 139 -j ACCEPT    # NetBios Session + Samba
$IPTABLES -A OUTPUT -p tcp --dport 445 -j ACCEPT    # CIFS - Partage Win2K and more

Allow all reserved ports

All the ports between 0:1024 belongs to well-known network protocol and usage. So, instead of acting as paranoid, you can open the ports between 0:1024.


You can consult the full list over here: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers


IPTABLES=`which iptables`

echo -e " ... Allow all standards ports between 0:1024"
$IPTABLES -A OUTPUT -p tcp --dport 0:1024 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 0:1024 -j ACCEPT


Other common outputs

You can increase the previous list, at least for:

  • Network printing, Apple integration, ...
  • Communications tools: Skype, Google hangout, ...
  • Videos and streaming: YouTube, NetFlix, ...


IPTABLES=`which iptables`

####### Printing
$IPTABLES -A OUTPUT -p tcp --dport 515 -j ACCEPT    # LDP / Print
$IPTABLES -A OUTPUT -p tcp --dport 631 -j ACCEPT    # IPP (printing protocol)

###### Apple specifics
$IPTABLES -A OUTPUT -p tcp --dport 3283 -j ACCEPT   # Apple Remote Desktop version 3
$IPTABLES -A OUTPUT -p udp --dport 3283 -j ACCEPT   # Apple Remote Desktop version 3
$IPTABLES -A OUTPUT -p tcp --dport 548 -j ACCEPT    # Apple File Sharing Protocol

####### Streaming
$IPTABLES -A OUTPUT -p tcp --dport 554 -j ACCEPT    # RTSP Streaming audio / video
$IPTABLES -A OUTPUT -p tcp --dport 1234 -j ACCEPT   # InfoSeek (VLC)
$IPTABLES -A OUTPUT -p udp --dport 1234 -j ACCEPT   # VLC RTSP
$IPTABLES -A OUTPUT -p tcp --dport 4070 -j ACCEPT   # Spotify - Audio Streaming
$IPTABLES -A OUTPUT -p udp --dport 4070 -j ACCEPT   # Spotify - Audio Streaming
 
###### Communication
$IPTABLES -A OUTPUT -p tcp --dport 119 -j ACCEPT    # NewsGroup
$IPTABLES -A OUTPUT -p tcp --dport 1863 -j ACCEPT   # MSN
$IPTABLES -A OUTPUT -p tcp --dport 5060 -j ACCEPT   # SIP -VoIP-
$IPTABLES -A OUTPUT -p udp --dport 5060 -j ACCEPT   # SIP -VoIP-
$IPTABLES -A OUTPUT -p tcp --dport 5061 -j ACCEPT   # MS Lync
$IPTABLES -A OUTPUT -p tcp --dport 5222 -j ACCEPT   # Google talk


IT ports

If you ever install Cherokee instead of Apache2 or Webmin as administration tool, then you'll need:


IPTABLES=`which iptables`

$IPTABLES -A OUTPUT -p tcp --dport 9090 -j ACCEPT   # Cherokee admin pages (alt. web server administration)

$IPTABLES -A OUTPUT -p tcp --dport 10000 -j ACCEPT  # Webmin - Services and configuration
$IPTABLES -A OUTPUT -p tcp --dport 20000 -j ACCEPT  # Webmin - Users management

$IPTABLES -A OUTPUT -p tcp --dport 10050 -j ACCEPT  # Zabbix agent
$IPTABLES -A OUTPUT -p tcp --dport 10051 -j ACCEPT  # Zabbix server

# ELK (ElasticSearch, Logstash, Kibana)
$IPTABLES -A OUTPUT -p tcp --dport 9200 -j ACCEPT   # HTTP
$IPTABLES -A OUTPUT -p tcp --dport 9300 -j ACCEPT   # Transport
$IPTABLES -A OUTPUT -p tcp --dport 54328 -j ACCEPT  # Multicasting
$IPTABLES -A OUTPUT -p udp --dport 54328 -j ACCEPT  # Multicasting


Dashboard

Dashing is a dashboard solution. It's very nice and handy to monitor your IT | applications. It's running on TCP 3030.

IPTABLES=`which iptables`

$IPTABLES -A OUTPUT -p tcp --dport 3030 -j ACCEPT


Development ports

The following ports are required if you to some development.


IPTABLES=`which iptables`


####### Standard dev. 
# SVN server
$IPTABLES -A OUTPUT -p tcp --dport 3690 -j ACCEPT
# SONAR (dev quality)
$IPTABLES -A OUTPUT -p tcp --dport 9000 -j ACCEPT
# GIT server
$IPTABLES -A OUTPUT -p tcp --dport 9418 -j ACCEPT


####### JAVA
$IPTABLES -A OUTPUT -p tcp --dport 8080 -j ACCEPT                # HTTP alt.
$IPTABLES -A OUTPUT -p tcp --dport 8443 -j ACCEPT                # HTTPS alt.
####### JAVASCRIPT
$IPTABLES -A OUTPUT -p tcp --dport 3000 -j ACCEPT                # NodeJS TSC lite-server
$IPTABLES -A OUTPUT -p tcp --dport 3001 -j ACCEPT                # NodeJS Browser sync
# JBoss wildfly 
$IPTABLES -A OUTPUT -p tcp --dport 9990 -j ACCEPT                # Wildfly administration
# Glassfish
$IPTABLES -A OUTPUT -p tcp --dport 4848 -j ACCEPT                # Glassfish administration
$IPTABLES -A OUTPUT -p tcp --dport 1527 -j ACCEPT                # Glassfish security manager
$IPTABLES -A OUTPUT -p tcp --dport 1099 -j ACCEPT                # JMX default JVM RMI port


####### Databases 
# MySQL
$IPTABLES -A OUTPUT -p tcp --dport 3306 -j ACCEPT
# Postgresql
$IPTABLES -A OUTPUT -p tcp --dport 5432 -j ACCEPT
# Microsoft MsSQL (2008 and later)
$IPTABLES -A OUTPUT -p tcp --dport 1433 -j ACCEPT
# Microsoft MsSQL (2005 specifics)
$IPTABLES -A OUTPUT -p udp --dport 1434 -j ACCEPT 
$IPTABLES -A OUTPUT -p tcp --dport 1434 -j ACCEPT



####### Messaging 
# Open MQ (bundled with Glassfish)
$IPTABLES -A OUTPUT -p tcp --dport 7676 -j ACCEPT
# Active MQ
$IPTABLES -A OUTPUT -p tcp --dport 8161 -j ACCEPT                # HTTP console
$IPTABLES -A OUTPUT -p tcp --dport 8162 -j ACCEPT                # HTTPS console
$IPTABLES -A OUTPUT -p tcp --dport 61616 -j ACCEPT               # JMS queues
# Rabbit MQ
$IPTABLES -A OUTPUT -p tcp --dport 15672 -j ACCEPT               # HTTP console
$IPTABLES -A OUTPUT -p tcp --dport 5672 -j ACCEPT                # AMPQ protocol

Gaming

Diablo 3

Official documentation: https://us.battle.net/support/en/article/firewall-proxy-router-and-port-configuration


  • TCP & UDP 80, 443, 1119
  • TCP & UDP 1119-1120, 3724, 4000, 6112-6114
  • TCP & UDP 6115-6120


IPTABLES=`which iptables`

################################
# Blizzard Diablo 3
################################
# Battle.net Desktop Application
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 1119 -j ACCEPT

$IPTABLES -A OUTPUT -p udp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 1119 -j ACCEPT


# Blizzard Downloader
$IPTABLES -A OUTPUT -p tcp --dport 1119 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 1120 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 3724 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4000 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 6112:6114 -j ACCEPT

$IPTABLES -A OUTPUT -p udp --dport 1119 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 1120 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 3724 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 4000 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 6112:6114 -j ACCEPT


# Diablo 3
$IPTABLES -A OUTPUT -p udp --dport 6115:6120 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 6115:6120 -j ACCEPT

Note: You might need to stop your firewall (= allow all OUTPUT) for the installation and updates. That's because Blizzard is using some random port. :_(