0

I'm trying to block only outbound connections to specific IP addresses, however I want to allow inbound connections from the same IP addresses.

From what I understand about blocking outbound connections, they shouldn't block if an inbound connection has been made successfully.

I basically set up rules like this:

--append OUTPUT --jump DROP --destination x.x.x.x

And to allow established connections:

--append INPUT --in-interface eth0 --match state --state RELATED,ESTABLISHED --jump ACCEPT

I want connections to be allowed when this IP address attempts to connect to the server, but when my server tries to make an outbound connection, it shouldn't be able to make it.

I would like to block complete access for the server to make outbound connections to x.x.x.x. However when a user from that IP wishes to access the server they should be able to visit sites on certain ports.

Improve this question
7
  • 1
    You also need to check ESTABLISHED, otherwise how is TCP going to complete handshakes? :-) Commented Mar 12, 2020 at 18:09
  • I have --append INPUT --in-interface eth0 --match state --state RELATED,ESTABLISHED --jump ACCEPT do I need this outbound? Commented Mar 12, 2020 at 18:14
  • I would recommend nftables: it is the new iptables, ip6tables, arptables, ... Commented Mar 17, 2020 at 22:45
  • The question is not clear. I think what you want is simple, but it is hard to tell what you want. Edit the question to make it clear. Tell us what you are trying to achieve. Tell us what you have tried. Tell us what went wrong. Commented Mar 17, 2020 at 22:46
  • @ctrl-alt-delor I have to edited the post, but I would like to block complete access for the server to make outbound connections to x.x.x.x. However when a user from that IP wishes to access the server they should be able to visit sites on certain ports. When I have attempted this I just cannot connect. Commented Mar 18, 2020 at 0:12

2 Answers 2

Reset to default
1
+50

You are nearly there with your attempted firewall rules. Here's what you need to allow inbound traffic from host 10.10.10.10 while stopping outbound traffic to that address:

  1. Allow inbound (presumably to any port)
  2. Allow outbound replies to established inbound connections
  3. Block remaining outbound traffic

So,

iptables -A INPUT --src 10.10.10.10 --jump ACCEPT

iptables -A OUTPUT --match state --state RELATED,ESTABLISHED --jump ACCEPT
iptables -A OUTPUT --dst 10.10.10.10 --jump DROP

You don't really need the INPUT rule unless you have later rules reaching DENY/REJECT or your policy is set that way.

Improve this answer
3
  • With this block outbound traffic though? Or would the fact that related or established connections are allowed mean once a single user has connected from the source IP, all outbound connections will be allowed? Commented Mar 18, 2020 at 18:31
  • Thanks. Worked great. Commented Mar 19, 2020 at 1:39
  • So, output has states, too? Hah, good to know. Im gonna test it, too. :) Commented Mar 19, 2020 at 1:42
1

You are getting it wrong! Here is what i understand:

First of all, look at your input rule. It shall allow input by state, but what does state mean? It means, that traffic has gone out from your server to this address, before! So this rule will never match, if you block output (for this address) completely.

This is why your complete endeavor is not possible, state is only available in input.

There might be some hacky solution. But with the given options it is not possible.

PS

After your question i checked for an old topic again and guess what. After reading your post again, it stroke me, that this is EXACTLY what you want. Look at PortKnocking.

It adds a component to your request, which makes it even better; randomness.

Just configure a knocking scheme and not only allow output connections, but also input only if the correct knocking has happened, then.

Improve this answer
4
  • So my only option would be whitelisting certain input ports for output? Is that possible? I'm thinking allow request on INPUT to x.x.x.x:8080 go OUTPUT. ie: --append OUTPUT --jump ALLOW --destination x.x.x.x ... Commented Mar 17, 2020 at 23:54
  • I didn't check the syntax, but this is correct. Just as i told, your requirement can't be met. If there is some possibility to run a script on incoming packets, you could change the rules. But last time i've been working on firewall rules, this wasn't possible. Commented Mar 18, 2020 at 1:30
  • This is correct. Based on your example you intend to allow incoming connections from some IP. However, they can't be RELATD/ESTABLISHED as you've prohibited starting connections from this server. Therefore, your state should be set to 'NEW'. Commented Mar 18, 2020 at 16:37
  • But this wouldnt block anything, would it. There was a misunderstanding, how it works. Commented Mar 18, 2020 at 16:39

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.