Allow ssh incoming/outgoing and blocking all outgoing besides specific ports

I am trying to create iptables rules that will allow incoming and outgoing ssh connections, and then allow outbound connections to specific ports, then finally drop anything that doesn't match.

These are the rules I have come up with. The SSH rules work, but when I tunnel into the box I can't seem to access http (port 80) even though I've allowed it. Can anyone spot the mistake?

#!/bin/bash
#clear iptables
iptables -F
iptables -X

#set default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#accept everything no matter port on localhost
iptables -A INPUT -i lo -j ACCEPT

#allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow input on port 22, (established connections auto accepted)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

#allow traffic going to specific outbound ports
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 6667 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 6697 -j ACCEPT
#...

#drop anything that doesn't match the rules above
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

Thanks for your time.

randy newfield asked Nov 04 '13 20:11


1 Answer

You might want to add the DNS ports, otherwise you may not be able to resolve any hostnames.

Allowing OUTPUT for TCP and UDP Port 53 should help.

MeyerRJ answered Sep 30 '22 04:09
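As an added example (not the asker's script or MeyerRJ's answer): the asker's rule set with the TCP and UDP port 53 OUTPUT rules the answer recommends, placed before the final OUTPUT DROP so they actually match, plus an OUTPUT rule for loopback, which the original also lacks. The IPT variable and the dry-run helper functions are assumptions added here so the rules can be reviewed without root.

```shell
#!/bin/bash
# IPT is an assumed variable: it defaults to iptables, and IPT=echo
# prints the rules instead of loading them (dry run, no root needed).
IPT="${IPT:-iptables}"

apply_rules() {
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # loopback in both directions; the original only allowed INPUT -i lo,
    # so new connections to 127.0.0.1 were dropped by the OUTPUT policy
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT

    # DNS out, otherwise hostnames never resolve (the answer's point).
    # -A appends, so these must come before the final OUTPUT DROP below.
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT

    for port in 80 443 6667 6697; do
        $IPT -A OUTPUT -p tcp --dport "$port" -j ACCEPT
    done

    $IPT -A INPUT -j DROP
    $IPT -A OUTPUT -j DROP
}

# dry_run: print the rules in a subshell without touching the kernel
dry_run() {
    ( IPT=echo; apply_rules )
}

# count_dns_rules: number of OUTPUT rules for port 53 in the dry run
count_dns_rules() {
    dry_run | grep -c -- '-A OUTPUT .*--dport 53'
}

# dns_before_drop: exit 0 only if port-53 rules precede the final OUTPUT DROP
dns_before_drop() {
    dry_run | awk '/-A OUTPUT -j DROP/ { drop = NR }
        /-A OUTPUT .*--dport 53/ { if (!dns) dns = NR }
        END { exit !(dns && drop && dns < drop) }'
}

if [ "${1:-}" = "--apply" ]; then apply_rules; fi
```

Run `./rules.sh --apply` as root to load the rules, or `dry_run` to review them first.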