Iptables: Block Outgoing Connections
quci
I have a little question. I thought I knew how to block an outgoing connection with iptables...
iptables -I OUTPUT -o eth0 -p tcp --dport 6667:7000 -j REJECT
but it does not work in my script. I'm still able to connect to a server on these ports, why? What did I do wrong? Thank you for your help!

My script goes as follows...

======================================================
#!/bin/bash

# copyright © 2003 by Markus Misteli
echo "======================================"
echo " Port ForWarD and block Script"
echo " copyright © 2003 by Markus Misteli "
echo "======================================"

IPTABLES="/usr/sbin/iptables"

EXTIF="eth0"
INTIF="eth1"

BUNZ="172.19.20.20"
QUCI="172.19.0.5"

# Load the required modules
#/sbin/depmod -a # always waits for input, no idea why
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_LOG
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc # not installed

echo "1" > /proc/sys/net/ipv4/ip_forward

# Reject all requests at first, until the
# proper configuration has been set up
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Reset everything
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X

# Block ports from outside
$IPTABLES -I INPUT -i $EXTIF -p tcp --dport 135 -j DROP
$IPTABLES -I INPUT -i $EXTIF -p tcp --dport 139 -j DROP
$IPTABLES -I INPUT -i $EXTIF -p tcp --dport 445 -j DROP

# Block ports from inside
$IPTABLES -I OUTPUT -o $EXTIF -p tcp --dport 6667:7000 -j REJECT

# Define port forwardings
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 4662 -j DNAT --to $BUNZ
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 4672 -j DNAT --to $BUNZ

$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 8000 -j DNAT --to $QUCI:80
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 8080 -j DNAT --to $QUCI
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3662 -j DNAT --to $QUCI
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3672 -j DNAT --to $QUCI
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 1026:64000 -j DNAT --to $QUCI

# Set policies to ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

# Enable NAT
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

======================================================

c ya, quci
hughesjr
I think that the rule:

$IPTABLES -I OUTPUT -o $EXTIF -p tcp --dport 6667:7000 -j REJECT

Should work! Is it possible that the traffic is UDP instead of TCP?

Try this line as well...

$IPTABLES -I OUTPUT -o $EXTIF -p udp --dport 6667:7000 -j REJECT
------------------------------
Also, since you are also doing NAT / MASQUERADING, this line:

$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 1026:64000 -j DNAT --to $QUCI

(or NAT in general) may allow bypassing of the above rules ... maybe make them:

$IPTABLES -I INPUT -o $INTIF -p tcp --dport 6667:7000 -j REJECT
$IPTABLES -I INPUT -o $INTIF -p udp --dport 6667:7000 -j REJECT

And see if it blocks the traffic ...
quci
First of all thank you for your reply!

> I think that the rule:
>
> $IPTABLES -I OUTPUT -o $EXTIF -p tcp --dport 6667:7000 -j REJECT
>
> Should work! Is it possible that the traffic is UDP instead of TCP?
>
> Try this line as well...
>
> $IPTABLES -I OUTPUT -o $EXTIF -p udp --dport 6667:7000 -j REJECT

Nope, it's definitely TCP. But I also tried UDP without success. :-(

> Also, since you are also doing NAT / MASQUERADING, this line:
>
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 1026:64000 -j DNAT --to $QUCI
>
> (or NAT in general) may allow bypassing of the above rules ... maybe make them:
>
> $IPTABLES -I INPUT -o $INTIF -p tcp --dport 6667:7000 -j REJECT
> $IPTABLES -I INPUT -o $INTIF -p udp --dport 6667:7000 -j REJECT
>
> And see if it blocks the traffic ...

That's what I thought too, that NAT will bypass these block rules. But your commands use the -o switch in an INPUT rule, so they won't work! And my PREROUTING rule is just there to do DNAT, so that all incoming traffic is redirected to the IP stored in $QUCI. So this should not affect rules for blocking outgoing traffic, I think.

c ya, quci
hughesjr
sorry ... I meant:

$IPTABLES -I INPUT -i $INTIF -p tcp --dport 6667:7000 -j REJECT
$IPTABLES -I INPUT -i $INTIF -p udp --dport 6667:7000 -j REJECT
quci
QUOTE (hughesjr @ Sep 14 2003, 09:31 PM)
sorry ... I meant:

$IPTABLES -I INPUT -i $INTIF -p tcp --dport 6667:7000 -j REJECT
$IPTABLES -I INPUT -i $INTIF -p udp --dport 6667:7000 -j REJECT

I tried these too... also without success. I really don't know what's wrong. Did you find out anything about whether NAT, especially the MASQUERADING, affects rules which should block traffic coming from the internal network?

I'm almost ready to go for a hardware solution... just disconnect the internet connection: no connection, no problems ;)

btw sorry for my poor English, but I'm from Switzerland.

thank you and c ya, quci
hughesjr
I think that the masquerading is the problem ... because it makes its adjustments in PREROUTING ...

How about trying something like this at the top of your port forwards:

$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 6667:7000 -j REJECT

...or if REJECT (or DROP) doesn't work with -t nat, try this:

$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 6667:7000 -j DNAT --to 127.0.0.1
quci
yeah, PREROUTING really seems to be the problem. I'm gonna try this as soon as possible (tomorrow) and post here if it's working. thank you for your help!!
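As an added example (not code from either poster), the same block placed in the chain that routed traffic actually traverses: a packet that arrives on $INTIF and leaves via $EXTIF passes through FORWARD, while OUTPUT only sees packets the firewall host generates itself. It reuses quci's interface names and port range and adds a LOG rule so blocked attempts show up in the kernel log; the IPTABLES=echo preview, the LOG prefix and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Interface names and port range are
# taken from quci's script; the LOG prefix and function names are my own.
# IPTABLES can be overridden (e.g. IPTABLES=echo) to preview the commands.
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
EXTIF="eth0"
INTIF="eth1"
IRC_PORTS="6667:7000"

# Block and log connections from the LAN to the IRC port range.
# Traffic routed from $INTIF to $EXTIF traverses the FORWARD chain; the
# OUTPUT chain only sees packets the firewall host generates itself, so an
# OUTPUT rule never matches the LAN clients' connections.
# PREROUTING DNAT only rewrites packets arriving on $EXTIF, and MASQUERADE
# only rewrites the source address in POSTROUTING, so FORWARD still sees
# the original destination port.
block_rules() {
    # Explicit positions keep LOG ahead of REJECT and put all three rules
    # before any blanket ACCEPT rule that may already be in the chain.
    $IPTABLES -I FORWARD 1 -i "$INTIF" -o "$EXTIF" -p tcp --dport "$IRC_PORTS" \
        -j LOG --log-prefix "IRC-BLOCK: "
    $IPTABLES -I FORWARD 2 -i "$INTIF" -o "$EXTIF" -p tcp --dport "$IRC_PORTS" \
        -j REJECT --reject-with tcp-reset
    $IPTABLES -I FORWARD 3 -i "$INTIF" -o "$EXTIF" -p udp --dport "$IRC_PORTS" \
        -j REJECT
    # The OUTPUT rule is still right for connections made by the firewall itself.
    $IPTABLES -I OUTPUT 1 -o "$EXTIF" -p tcp --dport "$IRC_PORTS" \
        -j REJECT --reject-with tcp-reset
}

# Per-rule packet counters: a blocked attempt can be confirmed on the
# firewall itself instead of by testing from a client.
show_counters() {
    $IPTABLES -L FORWARD -v -n --line-numbers
}

case "${1:-}" in
    show)  IPTABLES=echo block_rules ;;   # print the commands without applying them
    apply) block_rules ;;
    check) show_counters ;;
esac
```

Run `sh block_irc.sh show` to preview the rules, `apply` (as root) to load them, and `check` afterwards to see the counters of the LOG and REJECT rules rise when a client tries the blocked ports.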