Score:0

Iptables: VM getting locked out when Blocking all OUTBOUND Ports


I am trying to block all IPs other than a few IPs given in the OUTPUT chain.

When I installed iptables, the OUTPUT chain was empty and the INPUT chain had RELATED, ESTABLISHED accepted, along with a REJECT for all IPs other than the given INPUT chain rules. It works; I only needed to add ssh and other ports to allow traffic in the INPUT chain. The REJECT rule got added to INPUT when I installed iptables.

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:<....>
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
3    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
4    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

The OUTPUT chain was empty. I added the rules below, which accept outbound ssh connections and some other ports, and saved the rules; it works.

sudo iptables -I OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
sudo iptables -I OUTPUT -p tcp -m tcp --dport <...> -j ACCEPT
sudo iptables -I OUTPUT -p tcp -m tcp --dport <..> -j ACCEPT
sudo service iptables save

NOTE: Do not run the rule below, it may lock you out of the VM. When I add the rule to block all ports in OUTPUT >> sudo iptables -A OUTPUT -j REJECT , the VM gets locked immediately and I lose access to the VM.

After restarting the VM from the cloud console, I was able to regain access, as the above iptables rule was not saved.

I tried >> sudo iptables -A OUTPUT -j DROP after some time, but it locked the VM again and I needed to restart it to regain access to the VM.

Let me know how to block all OUTBOUND ports like the INPUT chain, without getting locked out. The current iptables config is below.

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:<....>
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
3    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
4    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:<>
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:<>
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:<>
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Score:2

What you're doing is exactly what is needed to block outgoing traffic and you indeed achieve blocking egress traffic by adding rules to the OUTPUT chain.

What you failed to take into account is that any incoming connection (that is allowed) also needs to send traffic back and therefore also always generates associated egress traffic. In other words, allowed connections are a two-way street, an incoming connection (controlled by your INPUT rules) and responses your server sends back (controlled by your OUTPUT rules).

Untested example

A minimal stateful firewall configuration that allows only the loopback interface and SSH as ingress traffic and rejects all other traffic would look like:

iptables -I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT 2 -i lo -j ACCEPT
iptables -I INPUT 3 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
...
   other allowances here
...
# as the last rule, reject everything that isn't explicitly allowed
iptables -A INPUT -j REJECT

A minimal stateful firewall configuration for egress filtering should similarly allow traffic over allowed connections, DNS lookups and responses (port 53 TCP and UDP) to/from your name servers,

iptables -I OUTPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I OUTPUT 2 -o lo -j ACCEPT
iptables -I OUTPUT 3 -p tcp -m tcp --dport 53 -j ACCEPT
iptables -I OUTPUT 4 -p udp -m udp --dport 53 -j ACCEPT
...
   other allowances here
...
# as the last rule, reject everything that isn't explicitly allowed
iptables -A OUTPUT -j REJECT
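A lockout-safe way to build the OUTPUT chain the answer describes, as an added example that is not part of the thread: the conntrack rule goes in first, the REJECT is appended last, and setting IPTABLES=echo prints the commands instead of running them. The port list, the resolver address 10.0.0.2, the CONFIRM file and the watchdog in apply_egress are my own constructed assumptions, not from the page.

```shell
#!/bin/sh
# Added example, not from the thread: emit (or apply) an egress policy in the
# order that avoids the lockout described in the question.
# Set IPTABLES=echo to print the commands instead of running them.

# egress_rules "TCP_PORTS" "DNS_SERVERS": print the rules in the order they must go in
egress_rules() {
    ipt=${IPTABLES:-iptables}
    # Rule 1: replies on connections INPUT already accepted (your SSH session).
    # Without this at the top, the final REJECT also drops the SSH replies.
    echo "$ipt -I OUTPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "$ipt -I OUTPUT 2 -o lo -j ACCEPT"
    # DNS, restricted to the configured resolvers only
    for s in $2; do
        echo "$ipt -A OUTPUT -p udp --dport 53 -d $s -j ACCEPT"
        echo "$ipt -A OUTPUT -p tcp --dport 53 -d $s -j ACCEPT"
    done
    # New outbound connections to explicitly allowed TCP ports
    for p in $1; do
        echo "$ipt -A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Appended last: everything not matched above is rejected
    echo "$ipt -A OUTPUT -j REJECT"
}

# apply_egress "TCP_PORTS" "DNS_SERVERS" [SECONDS]: apply the rules, then remove
# the REJECT rule again after SECONDS (default 120) unless the file $CONFIRM
# (default /run/egress.ok, a constructed name) exists, i.e. you confirmed you
# still have access. Same effect as the asker's console reboot, without it.
apply_egress() {
    egress_rules "$1" "$2" | while IFS= read -r cmd; do
        sh -c "$cmd" || exit 1
    done
    ( sleep "${3:-120}"
      [ -e "${CONFIRM:-/run/egress.ok}" ] || ${IPTABLES:-iptables} -D OUTPUT -j REJECT ) &
}

# Dry run with constructed values: IPTABLES=echo egress_rules "22 443" "10.0.0.2"
```

After apply_egress, reconnect and `touch /run/egress.ok` within the window to keep the REJECT rule; only then save the ruleset.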