  1. #1
    Just Joined!

    IPTables to block outgoing TCP only and allow incoming TCP


    Hi,

    I am new to Linux iptables. I want to ask: is it possible to configure iptables on Linux so that we only block outgoing TCP and allow incoming TCP? If yes, can anyone provide the iptables entries for that? Please help.

    Any help is appreciated.

    Thanks,
    Deep

  2. #2
    RobinVossen (Linux Engineer)
    Yes, you can do that; that's not that hard.
    Code:
    # accept every incoming TCP packet
    iptables -A INPUT -p tcp -j ACCEPT
    # drop every outgoing TCP packet, replies to accepted incoming connections included
    iptables -A OUTPUT -p tcp -j DROP
    I don't know why you'd want this, but OK.

  3. #3
    vigour (Just Joined!)
    Those two lines will most probably block ALL TCP. The outgoing rule will actually block the whole session.

    I suggest blocking only the SYN-flagged outgoing TCP packets:

    Code:
    # drop outgoing packets whose only set TCP flag is SYN, i.e. new connection attempts;
    # the SYN/ACK sent back for an incoming connection also has ACK set, so it is not matched
    iptables -A OUTPUT -p tcp --tcp-flags ALL SYN -j DROP
    Thus no TCP session will be allowed from the machine, but any incoming TCP traffic will be possible.

    Cheers,
    Ventsi
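The stateful form of Ventsi's rule, as an added example that is not code from the thread: a script that prints the full ruleset (or applies it when called with `apply`, which needs root) together with a small model of how `--tcp-flags MASK COMP` decides a match, so the choice of `ALL SYN` over a plain `SYN` mask can be checked without touching a live firewall. The chain names, flag bits and the `conntrack` match are standard iptables; the helper names `tcp_flags_match`, `gen_rules` and `check_rule_semantics` are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Generates an iptables ruleset that lets
# inbound TCP sessions in while dropping new outbound ones, and models the
# --tcp-flags match so the rule can be reasoned about offline.
set -eu

# Bit values of the TCP header flags (low bit first, as in the flags byte).
FIN=1; SYN=2; RST=4; PSH=8; ACK=16; URG=32
ALL=$(( FIN | SYN | RST | PSH | ACK | URG ))

# tcp_flags_match MASK COMP FLAGS
# Returns 0 when "--tcp-flags MASK COMP" would match a packet whose flags
# byte is FLAGS: only the bits named in MASK are examined, and of those,
# exactly the bits in COMP must be set.
tcp_flags_match() {
    [ $(( $3 & $1 )) -eq "$2" ]
}

# gen_rules prints the commands instead of running them, so the ruleset can be
# reviewed (or compared with iptables-save) before it reaches a live box.
gen_rules() {
    cat <<'EOF'
# Flush first so re-running does not append duplicates (assumes these two
# chains carry nothing else; chain policies are left untouched).
iptables -F INPUT
iptables -F OUTPUT
# Packets that belong to a connection already in the conntrack table pass in
# both directions; this is what lets the SYN/ACK and data of an *incoming*
# session leave the machine even though new outbound sessions are dropped.
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New inbound TCP sessions: a packet with SYN set and every other flag clear.
iptables -A INPUT  -p tcp --tcp-flags ALL SYN -j ACCEPT
# New outbound TCP sessions are refused. "--syn" is the usual shorthand (it
# masks SYN,RST,ACK,FIN); ALL SYN keeps the exact rule from the thread.
iptables -A OUTPUT -p tcp --tcp-flags ALL SYN -j DROP
EOF
}

# Sanity check of the match semantics: the outbound SYN of a new session is
# caught, the SYN/ACK this host sends back to an inbound client is not.
check_rule_semantics() {
    tcp_flags_match "$ALL" "$SYN" "$SYN" || return 1             # new session: dropped
    tcp_flags_match "$ALL" "$SYN" $(( SYN | ACK )) && return 1   # our SYN/ACK: passes
    tcp_flags_match "$ALL" "$SYN" "$ACK" && return 1             # ordinary data: passes
    # A bare "--tcp-flags SYN SYN" would also catch the SYN/ACK, which is why
    # the mask has to be ALL (or --syn).
    tcp_flags_match "$SYN" "$SYN" $(( SYN | ACK )) || return 1
    return 0
}

if [ "${1:-}" = apply ]; then
    gen_rules | sh    # needs root; the comment lines are valid sh and are ignored
else
    gen_rules
fi
```

Run it with no argument to see the rules; `apply` pushes them through `sh`. The flag model also answers the later question in this thread: a browser fetching a page sends exactly the SYN-only packet this rule drops, so "download allowed, upload blocked" is not a distinction TCP flags can express, and it has to be enforced above TCP.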

  4. #4
    Just Joined!

    Allowing incoming traffic (general web browsing and downloading specifically)

    Hi all,
    I am trying to relax these rules a little more... but apparently in a rather unanticipated manner (?) so I got stuck...

    Basically, I "just" want to use your rules to make it impossible for a group of server users to move files from the server to the general internet but still I want to allow them to move content from the internet to that server.

    To be more specific, users should be able to read their e-mail, download some attachments (or livemesh content) and then use that content on the server. However, since the server also contains content not owned by the users, they should not be able to use any protocol for moving that content to their own machine...

    I am stunned that I cannot find a solution using the various Google searches I have tried... So sorry if I am overlooking an obvious solution; I may be using the wrong terminology or so.

    Thanks a lot in advance,
    Pieter

    PS: sorry for replying to an old post, I just try to remain on-topic on this google-high-scoring thread.

  5. #5
    vigour (Just Joined!)
    Hi,

    You are writing about granting access to content. Iptables does not handle content access.

    As I understand it, you want to limit the users from accessing particular sections of the content server, or to disable the copying of content to the local machines.

    For the first one, you should use the access policies of the content server, and for the second, I doubt that you can have a useful solution. Any file that is displayed on a local machine can be redistributed... one way or the other.

  6. #6
    Just Joined!
    Dear Vigour, thanks for your quick reply. I appreciate that a lot!

    Quote Originally Posted by vigour
    You are writing about granting access to content. Iptables does not handle content access.
    Sorry I probably was too cryptic. Here's the setup: users are working on the server using a terminal client (rdesktop to be specific). The server provides some cool software that they can *evaluate*. Currently, they do not have internet access at all and I am looking for a way to enable them to start a web browser and get some of their own data inputs on the remote server, while still not enabling them to do the inverse (= moving the evaluation software away from the remote server). Can't I configure the firewall such that the users on the server can have incoming HTTP traffic but no outgoing HTTP traffic?

    I tried that but as I reported the main issue I have is that when blocking outgoing traffic in the firewall settings, it becomes even impossible for those terminal users to request a webpage from the internet... I still hope that can be allowed by some small adjustment of some state flag on the TCP level... not?

    Quote Originally Posted by vigour
    As I understand it, you want to limit the users from accessing particular sections of the content server, or to disable the copying of content to the local machines.
    Users can access the complete remote server using their terminal session. This is not a security threat, since the remote server is in fact a virtual machine that is dedicated to the particular user.

    Quote Originally Posted by vigour
    For the first one, you should use the access policies of the content server
    So no need to do that.

    Quote Originally Posted by vigour
    and for the second, I doubt that you can have a useful solution. Any file that is displayed on a local machine can be redistributed... one way or the other.
    The content is only displayed with rdesktop... so as bitmaps... and I don't want to go as far as assuming that they are reverse engineering the software on the remote machine and then displaying the source on a screen-by-screen basis, taking screenshots on their local machines... That would indeed be "one way or another" to abuse the architecture I have in mind, but I am primarily trying to protect against actual content transfers from the server to the local machines rather than just screenshots.

    Does this clarify my intention?

    Thanks again and best regards,
    Pieter

  7. #7
    Just Joined!


    The content is only displayed with rdesktop... so as bitmaps...
    I wanted to add that I was too quick in my typing the other day. The output of rdesktop is probably not just a bitmap but still I am able to disable copy/paste of text on the server (e.g., sourcecode) to the client machines. This can be realized by using a mechanism of the underlying RDP server (VirtualBox's "--clipboard disabled" to be specific).

    I didn't go into that too much before, since I wanted to stick to the firewall settings in this thread. Could someone please have a look again at my original question about blocking true outgoing traffic from server virtual machines to external machines (while still allowing incoming traffic and general web browsing in the remote server virtual machines)?

    Seems to be a tough one... Sorry for that; otherwise I wouldn't ask.
