Latest revision as of 19:58, 12 October 2016

Output view

Output filters output:

Basic outputs

You can find the basics OUTPUT rules over here: Firewall core (main) protocols

Mandatory output

This is the VERY MINIMUM you need to run a computer:

IPTABLES=`which iptables`

echo -e " "		
echo -e "------------------------"
echo -e " OUTGOING port filters"
echo -e "------------------------"
	
##############
# Main ports
##############
	
echo -e " ... Mandatory ports "
echo -e "       SSH, Telnet, HTTP(S), HTTP alt (8080), NTP, RPC"

# Remote Control
$IPTABLES -A OUTPUT -p tcp --dport 22 -j ACCEPT     # SSH (default port)
$IPTABLES -A OUTPUT -p tcp --dport 6000:6063 -j ACCEPT     # SSH X11 forwarding
$IPTABLES -A OUTPUT -p tcp --dport 23 -j ACCEPT     # Telnet
# Web
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT     # HTTP
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT    # HTTPS
$IPTABLES -A OUTPUT -p tcp --dport 8080 -j ACCEPT   # TomCat (Java Web Server)
# Core Linux services
$IPTABLES -A OUTPUT -p udp --dport 123 -j ACCEPT    # Time NTP UDP
$IPTABLES -A OUTPUT -p tcp --dport 135 -j ACCEPT    # Remote Procedure Call

	
##############
# Remote control
##############
	
echo -e " ... Remote control"
$IPTABLES -A OUTPUT -p tcp --dport 3389 -j ACCEPT   # Windows Remote Desktop (terminal Server)
$IPTABLES -A OUTPUT -p tcp --dport 5900 -j ACCEPT   # VNC and Apple Remote Desktop

$IPTABLES -A OUTPUT -p tcp --dport 4000 -j ACCEPT          # NoMachine LAN access
$IPTABLES -A OUTPUT -p tcp --dport 4080 -j ACCEPT          # NoMachine HTTP access
$IPTABLES -A OUTPUT -p tcp --dport 4443 -j ACCEPT          # NoMachine HTTPS access
$IPTABLES -A OUTPUT -p udp --dport 4011:4999 -j ACCEPT     # NoMachine UDP transmission


##############
# Communication
##############
	
echo -e " ... Communication"
	
# Email
$IPTABLES -A OUTPUT -p tcp --dport 25 -j ACCEPT     # SMTP
$IPTABLES -A OUTPUT -p tcp --dport 110 -j ACCEPT    # POP3
$IPTABLES -A OUTPUT -p tcp --dport 143 -j ACCEPT    # IMAP
$IPTABLES -A OUTPUT -p tcp --dport 993 -j ACCEPT    # IMAP over SSL
$IPTABLES -A OUTPUT -p tcp --dport 995 -j ACCEPT    # POP over SSL
$IPTABLES -A OUTPUT -p tcp --dport 587 -j ACCEPT    # SMTP SSL (gmail)
$IPTABLES -A OUTPUT -p tcp --dport 465 -j ACCEPT    # SMTP SSL (gmail)
	
##############
# I.T
##############
	
echo -e " ... I.T ports"
echo -e "        LDAP, Printing, WhoIs, UPnP, Webmin ..."	
# Domain
$IPTABLES -A OUTPUT -p tcp --dport 113 -j ACCEPT    # Kerberos
$IPTABLES -A OUTPUT -p tcp --dport 389 -j ACCEPT    # LDAP 
$IPTABLES -A OUTPUT -p tcp --dport 636 -j ACCEPT    # LDAP over SSL 

# Network Services
$IPTABLES -A OUTPUT -p tcp --dport 43 -j ACCEPT     # WhoIs
$IPTABLES -A OUTPUT -p tcp --dport 427 -j ACCEPT    # Service Location Protocol
$IPTABLES -A OUTPUT -p udp --dport 1900 -j ACCEPT   # UPnP - Peripheriques reseau

##############
# File share
##############

echo -e " ... File share"
$IPTABLES -A OUTPUT -p udp --dport 137 -j ACCEPT    # NetBios Name Service
$IPTABLES -A OUTPUT -p udp --dport 138 -j ACCEPT    # NetBios Data Exchange
$IPTABLES -A OUTPUT -p tcp --dport 139 -j ACCEPT    # NetBios Session + Samba
$IPTABLES -A OUTPUT -p tcp --dport 445 -j ACCEPT    # CIFS - Partage Win2K and more

Allow all reserved ports

All the ports between 0:1024 belongs to well-known network protocol and usage. So, instead of acting as paranoid, you can open the ports between 0:1024.

You can consult the full list over here: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

IPTABLES=`which iptables`

echo -e " ... Allow all standards ports between 0:1024"
$IPTABLES -A OUTPUT -p tcp --dport 0:1024 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 0:1024 -j ACCEPT

Other common outputs

You can increase the previous list, at least for:

Network printing, Apple integration, ...
Communications tools: Skype, Google hangout, ...
Videos and streaming: YouTube, NetFlix, ...

IPTABLES=`which iptables`

####### Printing
$IPTABLES -A OUTPUT -p tcp --dport 515 -j ACCEPT    # LDP / Print
$IPTABLES -A OUTPUT -p tcp --dport 631 -j ACCEPT    # IPP (printing protocol)

###### Apple specifics
$IPTABLES -A OUTPUT -p tcp --dport 3283 -j ACCEPT   # Apple Remote Desktop version 3
$IPTABLES -A OUTPUT -p udp --dport 3283 -j ACCEPT   # Apple Remote Desktop version 3
$IPTABLES -A OUTPUT -p tcp --dport 548 -j ACCEPT    # Apple File Sharing Protocol

####### Streaming
$IPTABLES -A OUTPUT -p tcp --dport 554 -j ACCEPT    # RTSP Streaming audio / video
$IPTABLES -A OUTPUT -p tcp --dport 1234 -j ACCEPT   # InfoSeek (VLC)
$IPTABLES -A OUTPUT -p udp --dport 1234 -j ACCEPT   # VLC RTSP
$IPTABLES -A OUTPUT -p tcp --dport 4070 -j ACCEPT   # Spotify - Audio Streaming
$IPTABLES -A OUTPUT -p udp --dport 4070 -j ACCEPT   # Spotify - Audio Streaming
 
###### Communication
$IPTABLES -A OUTPUT -p tcp --dport 119 -j ACCEPT    # NewsGroup
$IPTABLES -A OUTPUT -p tcp --dport 1863 -j ACCEPT   # MSN
$IPTABLES -A OUTPUT -p tcp --dport 5060 -j ACCEPT   # SIP -VoIP-
$IPTABLES -A OUTPUT -p udp --dport 5060 -j ACCEPT   # SIP -VoIP-
$IPTABLES -A OUTPUT -p tcp --dport 5061 -j ACCEPT   # MS Lync
$IPTABLES -A OUTPUT -p tcp --dport 5222 -j ACCEPT   # Google talk

IT ports

If you ever install Cherokee instead of Apache2 or Webmin as administration tool, then you'll need:

IPTABLES=`which iptables`

$IPTABLES -A OUTPUT -p tcp --dport 9090 -j ACCEPT   # Cherokee admin pages (alt. web server administration)

$IPTABLES -A OUTPUT -p tcp --dport 10000 -j ACCEPT  # Webmin - Services and configuration
$IPTABLES -A OUTPUT -p tcp --dport 20000 -j ACCEPT  # Webmin - Users management

$IPTABLES -A OUTPUT -p tcp --dport 10050 -j ACCEPT  # Zabbix agent
$IPTABLES -A OUTPUT -p tcp --dport 10051 -j ACCEPT  # Zabbix server

# ELK (ElasticSearch, Logstash, Kibana)
$IPTABLES -A OUTPUT -p tcp --dport 9200 -j ACCEPT   # HTTP
$IPTABLES -A OUTPUT -p tcp --dport 9300 -j ACCEPT   # Transport
$IPTABLES -A OUTPUT -p tcp --dport 54328 -j ACCEPT  # Multicasting
$IPTABLES -A OUTPUT -p udp --dport 54328 -j ACCEPT  # Multicasting

Dashboard

Dashing is a dashboard solution. It's very nice and handy to monitor your IT | applications. It's running on TCP 3030.

IPTABLES=`which iptables`

$IPTABLES -A OUTPUT -p tcp --dport 3030 -j ACCEPT

Development ports

The following ports are required if you to some development.

IPTABLES=`which iptables`


####### Standard dev. 
# SVN server
$IPTABLES -A OUTPUT -p tcp --dport 3690 -j ACCEPT
# SONAR (dev quality)
$IPTABLES -A OUTPUT -p tcp --dport 9000 -j ACCEPT
# GIT server
$IPTABLES -A OUTPUT -p tcp --dport 9418 -j ACCEPT


####### JAVA
$IPTABLES -A OUTPUT -p tcp --dport 8080 -j ACCEPT                # HTTP alt.
$IPTABLES -A OUTPUT -p tcp --dport 8443 -j ACCEPT                # HTTPS alt.
####### JAVASCRIPT
$IPTABLES -A OUTPUT -p tcp --dport 3000 -j ACCEPT                # NodeJS TSC lite-server
$IPTABLES -A OUTPUT -p tcp --dport 3001 -j ACCEPT                # NodeJS Browser sync
# JBoss wildfly 
$IPTABLES -A OUTPUT -p tcp --dport 9990 -j ACCEPT                # Wildfly administration
# Glassfish
$IPTABLES -A OUTPUT -p tcp --dport 4848 -j ACCEPT                # Glassfish administration
$IPTABLES -A OUTPUT -p tcp --dport 1527 -j ACCEPT                # Glassfish security manager
$IPTABLES -A OUTPUT -p tcp --dport 1099 -j ACCEPT                # JMX default JVM RMI port


####### Databases 
# MySQL
$IPTABLES -A OUTPUT -p tcp --dport 3306 -j ACCEPT
# Postgresql
$IPTABLES -A OUTPUT -p tcp --dport 5432 -j ACCEPT
# Microsoft MsSQL (2008 and later)
$IPTABLES -A OUTPUT -p tcp --dport 1433 -j ACCEPT
# Microsoft MsSQL (2005 specifics)
$IPTABLES -A OUTPUT -p udp --dport 1434 -j ACCEPT 
$IPTABLES -A OUTPUT -p tcp --dport 1434 -j ACCEPT



####### Messaging 
# Open MQ (bundled with Glassfish)
$IPTABLES -A OUTPUT -p tcp --dport 7676 -j ACCEPT
# Active MQ
$IPTABLES -A OUTPUT -p tcp --dport 8161 -j ACCEPT                # HTTP console
$IPTABLES -A OUTPUT -p tcp --dport 8162 -j ACCEPT                # HTTPS console
$IPTABLES -A OUTPUT -p tcp --dport 61616 -j ACCEPT               # JMS queues
# Rabbit MQ
$IPTABLES -A OUTPUT -p tcp --dport 15672 -j ACCEPT               # HTTP console
$IPTABLES -A OUTPUT -p tcp --dport 5672 -j ACCEPT                # AMPQ protocol

Gaming

Diablo 3

Official documentation: https://us.battle.net/support/en/article/firewall-proxy-router-and-port-configuration

TCP & UDP 80, 443, 1119
TCP & UDP 1119-1120, 3724, 4000, 6112-6114
TCP & UDP 6115-6120

IPTABLES=`which iptables`

################################
# Blizzard Diablo 3
################################
# Battle.net Desktop Application
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 1119 -j ACCEPT

$IPTABLES -A OUTPUT -p udp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 1119 -j ACCEPT


# Blizzard Downloader
$IPTABLES -A OUTPUT -p tcp --dport 1119 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 1120 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 3724 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4000 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 6112:6114 -j ACCEPT

$IPTABLES -A OUTPUT -p udp --dport 1119 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 1120 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 3724 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 4000 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 6112:6114 -j ACCEPT


# Diablo 3
$IPTABLES -A OUTPUT -p udp --dport 6115:6120 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 6115:6120 -j ACCEPT

Note: You might need to stop your firewall (= allow all OUTPUT) for the installation and updates. That's because Blizzard is using some random port. :_(

Anonymous

Search

Navigation

Navigation

Categories

Wiki tools

Wiki tools

Difference between revisions of "Firewall OUTPUT filters"

Namespaces

Page actions

Latest revision as of 19:58, 12 October 2016

Contents

Output view

Basic outputs

Mandatory output

Allow all reserved ports

Other common outputs

IT ports

Dashboard

Development ports

Gaming

Diablo 3

@@ Line 2: / Line 2: @@
+=Output view=
-=OUTPUT filters=
+Output filters output:
+[[File:Output filters.png|none|Output filters]]
-[[File:Output filters.png|none|Output filters]]
-==Basic outputs==
+=Basic outputs=
-You can find the basics OUTPUT rules over here: [[Firewall basics#Allow_services_and_network_protocols]]
+You can find the basics OUTPUT rules over here: [[Firewall core (main) protocols]]
-==Mandatory output==
+=Mandatory output=
 This is the VERY MINIMUM you need to run a computer:
@@ Line 37: / Line 38: @@
 # Remote Control
 $IPTABLES -A OUTPUT -p tcp --dport 22 -j ACCEPT     # SSH (default port)
+$IPTABLES -A OUTPUT -p tcp --dport 6000:6063 -j ACCEPT     # SSH X11 forwarding
 $IPTABLES -A OUTPUT -p tcp --dport 23 -j ACCEPT     # Telnet
 # Web
@@ Line 54: / Line 56: @@
 $IPTABLES -A OUTPUT -p tcp --dport 3389 -j ACCEPT   # Windows Remote Desktop (terminal Server)
 $IPTABLES -A OUTPUT -p tcp --dport 5900 -j ACCEPT   # VNC and Apple Remote Desktop
+$IPTABLES -A OUTPUT -p tcp --dport 4000 -j ACCEPT          # NoMachine LAN access
+$IPTABLES -A OUTPUT -p tcp --dport 4080 -j ACCEPT          # NoMachine HTTP access
+$IPTABLES -A OUTPUT -p tcp --dport 4443 -j ACCEPT          # NoMachine HTTPS access
+$IPTABLES -A OUTPUT -p udp --dport 4011:4999 -j ACCEPT     # NoMachine UDP transmission
@@ Line 99: / Line 106: @@
 </syntaxhighlight>
+=Allow all reserved ports=
-==Allow all reserved ports==
 All the ports between 0:1024 belongs to well-known network protocol and usage.
@@ Line 121: / Line 126: @@
-==Other common outputs==
+=Other common outputs=
 You can increase the previous list, at least for:
@@ Line 160: / Line 165: @@
-==IT ports==
+=IT ports=
 If you ever install Cherokee instead of Apache2 or Webmin as administration tool, then you'll need:
@@ Line 173: / Line 178: @@
 $IPTABLES -A OUTPUT -p tcp --dport 20000 -j ACCEPT  # Webmin - Users management
+$IPTABLES -A OUTPUT -p tcp --dport 10050 -j ACCEPT  # Zabbix agent
+$IPTABLES -A OUTPUT -p tcp --dport 10051 -j ACCEPT  # Zabbix server
+# ELK (ElasticSearch, Logstash, Kibana)
+$IPTABLES -A OUTPUT -p tcp --dport 9200 -j ACCEPT   # HTTP
+$IPTABLES -A OUTPUT -p tcp --dport 9300 -j ACCEPT   # Transport
+$IPTABLES -A OUTPUT -p tcp --dport 54328 -j ACCEPT  # Multicasting
+$IPTABLES -A OUTPUT -p udp --dport 54328 -j ACCEPT  # Multicasting
+</syntaxhighlight>
+=Dashboard=
+Dashing is a dashboard solution. It's very nice and handy to monitor your IT | applications. It's running on TCP 3030.
+<syntaxhighlight lang="bash">
+IPTABLES=`which iptables`
+$IPTABLES -A OUTPUT -p tcp --dport 3030 -j ACCEPT
 </syntaxhighlight>
-==Development ports==
+=Development ports=
 The following ports are required if you to some development.
@@ Line 196: / Line 222: @@
 ####### JAVA
-$IPTABLES -A OUTPUT -p tcp --dport 8080 -j ACCEPT                # Tomcat / Application server container
+$IPTABLES -A OUTPUT -p tcp --dport 8080 -j ACCEPT                # HTTP alt.
+$IPTABLES -A OUTPUT -p tcp --dport 8443 -j ACCEPT                # HTTPS alt.
+####### JAVASCRIPT
+$IPTABLES -A OUTPUT -p tcp --dport 3000 -j ACCEPT                # NodeJS TSC lite-server
+$IPTABLES -A OUTPUT -p tcp --dport 3001 -j ACCEPT                # NodeJS Browser sync
+# JBoss wildfly
+$IPTABLES -A OUTPUT -p tcp --dport 9990 -j ACCEPT                # Wildfly administration
+# Glassfish
 $IPTABLES -A OUTPUT -p tcp --dport 4848 -j ACCEPT                # Glassfish administration
 $IPTABLES -A OUTPUT -p tcp --dport 1527 -j ACCEPT                # Glassfish security manager
@@ Line 205: / Line 238: @@
 # MySQL
 $IPTABLES -A OUTPUT -p tcp --dport 3306 -j ACCEPT
+# Postgresql
+$IPTABLES -A OUTPUT -p tcp --dport 5432 -j ACCEPT
 # Microsoft MsSQL (2008 and later)
 $IPTABLES -A OUTPUT -p tcp --dport 1433 -j ACCEPT
@@ Line 226: / Line 261: @@
 </syntaxhighlight>
+=Gaming=
+==Diablo 3==
+Official documentation: https://us.battle.net/support/en/article/firewall-proxy-router-and-port-configuration
-=INPUT filters: servers=
-[[File:Input filters.png|none|Input filters]]
-==SSH==
-<syntaxhighlight lang="bash">
-# SSH - max 3 connection request per minute
-$IPTABLES -A INPUT -p tcp -m limit 3/min --limit-burst 3 --dport 22 -j ACCEPT
-</syntaxhighlight>
-==DHCP==
+* TCP & UDP 80, 443, 1119
+* TCP & UDP 1119-1120, 3724, 4000, 6112-6114
+* TCP & UDP 6115-6120
-This is how you enable a DHCP server with TFTP (netBoot) :
 <syntaxhighlight lang="bash">
 IPTABLES=`which iptables`
-# Allow LAN communication
+################################
-# ... Required for NFS and the NetBoot ...
+# Blizzard Diablo 3
-$IPTABLES -A INPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT
+################################
-$IPTABLES -A OUTPUT -s $LAN_ADDRESS -d $LAN_ADDRESS -m state ! --state INVALID -j ACCEPT
+# Battle.net Desktop Application
+$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
-########################
+$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
-# INPUT filters
+$IPTABLES -A OUTPUT -p tcp --dport 1119 -j ACCEPT
-########################
-##### DHCP client ######
-# Broadcast IP request
-$IPTABLES -A OUTPUT -p udp -d 255.255.255.255 --sport 68 --dport 67 -j ACCEPT
-# Send / reply to IPs requests
-$IPTABLES -A INPUT -p udp -s 255.255.255.255 --sport 67 --dport 68 -j ACCEPT
-###### DHCP server ######
-# Received client's requests [udp + tcp]
-$IPTABLES -A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
-$IPTABLES -A INPUT -p tcp --sport 68 --dport 67 -j ACCEPT
-# NetBoot - TFTP server
-$IPTABLES -A INPUT -p udp -s $LAN_ADDRESS --dport 69 -j ACCEPT
-########################
-# OUTPUT filters
-########################
-# DHCP [udp + tcp]
-$IPTABLES -A OUTPUT -p udp --dport 67 -j ACCEPT
-$IPTABLES -A OUTPUT -p tcp --dport 67 -j ACCEPT
-$IPTABLES -A OUTPUT -p udp --dport 68 -j ACCEPT
-$IPTABLES -A OUTPUT -p tcp --dport 68 -j ACCEPT
-# TFTP NetBoot
-$IPTABLES -A OUTPUT -p udp --dport 69 -j ACCEPT
-</syntaxhighlight>
-Note the difference between the broadcast request that every computer should allow and the plain OUTPUT allow on ports 67,68 for the DHCP server !!
-==LDAP==
-<syntaxhighlight lang="bash">
-$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 389 -j ACCEPT # LDAP
-$IPTABLES -A INPUT -p tcp -m state --state NEW --dport 636 -j ACCEPT # LDAPS
-</syntaxhighlight>
-==NFS==
-It's really tricky to adjust the firewall for NFS as the port is dynamic. But option is to allow LAN traffic and use NFS over LAN only.
-=Advanced feature=
-==Port forwarding==
-===Principle===
-The aim is to reach a server located behind the actual server we are working on.
-'''Basic proxy'''
-[[File:FW_port_forwarding.png|none|FW port forwarding - without NAT]]
-In this case the target port number is the same as the source port.
-This is a RISK because we exposed to Internet the schema of our Network.
-'''Advanced proxy'''
-[[File:FW_port_forwarding_with_NAT.png|none|FW port forwarding - with NAT]]
-Here, the source and target port numbers are different. That's better but you need to maintain a 'IN / OUT ports matching table' as IT admin.
-===How to===
-To do a port forwarding you have to:
-* Allow some source IP / hosts to use forwarding
-* Create some forward target
-* Open the incoming port [input + output]
-* Register the target server and allow POST-ROUTING operations on it
-* Route the incoming port to the target server + port number
-[[File:Proxy forward howto.png|none|Proxy how-to]]
-Requirements:
-* Enable port forwading
-* The current server must be able to reach the target {server,port}
-===IpTables script===
-You have to declare the following only ONCE in all your FW script:
-'''Enable module'''
-<syntaxhighlight lang="bash">
-#### Requirement: enable port forwarding in general
-echo 1 > /proc/sys/net/ipv4/conf/eth0/forwarding
-echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-</syntaxhighlight>
-<syntaxhighlight lang="bash">
-### Allow forward from IP@...
-$IPTABLES -A FORWARD -s 91.121.17.114 -j ACCEPT		# work
-$IPTABLES -A FORWARD -s 5.39.81.23 -j ACCEPT	        # family VPN
-$IPTABLES -A FORWARD -s 192.168.18.0 -j ACCEPT	        # home
-### Open incoming ports [=from ports]...
-$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
-$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
-### Declare forward targets [=to]...
-$IPTABLES -A POSTROUTING -d 192.168.18.2 -t nat -j MASQUERADE            # Email server
-$IPTABLES -A POSTROUTING -d 192.168.18.5 -t nat -j MASQUERADE            # JEE server
-### Redirect FROM (IP:port) TO (server:port)
-$IPTABLES -A PREROUTING -t nat -p tcp --dport 25 -j DNAT --to 192.168.18.2:25
-$IPTABLES -A PREROUTING -t nat -p tcp --dport 80 -j DNAT --to 192.168.18.5:8080
-</syntaxhighlight>
-===Port forwarding VS proxy===
-Usually '''it's better to proxy than forward'''.
-So if you can use the Apache2 proxy to redirect "http://mysite/myApp" to your sub-server Apache2 "/myApp" - DO IT !
-My advice:
-Only use port forwarding when there are no other choice.
-==Source address filtering==
-You can restricted the access of a particular service to a limited set of source networks, IP @.
-Example:
-<syntaxhighlight lang="bash">
-# Only allow company's offices to access our Tomcat
-$IPTABLES -A INPUT -p tcp --dport 8088 -s 192.168.1.0/24 -j ACCEPT           # Sweden LAN
-$IPTABLES -A INPUT -p tcp --dport 8088 -s 90.83.80.64/27 -j ACCEPT           # FR remote
-$IPTABLES -A INPUT -p tcp --dport 8088 -s 90.83.80.123/27 -j ACCEPT          # FR remote
-$IPTABLES -A INPUT -p tcp --dport 8088 -s 77.68.140.115/24 -j ACCEPT         # DK remote
-$IPTABLES -A INPUT -p tcp --dport 8088 -s 0.0.0.0/0 -j DROP             # DROP all the rest !
-</syntaxhighlight>
-Don't forget to drop all the rest at the end  !!
-'''Advanced version''': for loop
-<syntaxhighlight lang="bash">
-ALLOWED_REMOTE_IPS=(
-.101.122.64/27            # French office
-.12.118.194               # Sweden codriver.vehco.com
-.12.118.196               # Sweden code.vehco.com
-.121.17.114                # French RTD preprod [VPN]
-)
-# enable access to services (HTTP)
-for ipList in ${ALLOWED_REMOTE_IPS[@]}
-do
-$IPTABLES -A INPUT -p tcp --dport 80 -s $ipList -j ACCEPT
-done
-# disable for everyone else
-$IPTABLES -A INPUT -p tcp -m tcp -s 0.0.0.0/0 --dport 80 -j DROP
-</syntaxhighlight>
-==Block an IP address or network==
-To block a specific ''IP address'':
-<syntaxhighlight lang="bash">
+$IPTABLES -A OUTPUT -p udp --dport 80 -j ACCEPT
-$IPTABLES -A INPUT  -s 192.168.6.66/32 -j DROP
+$IPTABLES -A OUTPUT -p udp --dport 443 -j ACCEPT
-</syntaxhighlight>
+$IPTABLES -A OUTPUT -p udp --dport 1119 -j ACCEPT
+# Blizzard Downloader
+$IPTABLES -A OUTPUT -p tcp --dport 1119 -j ACCEPT
+$IPTABLES -A OUTPUT -p tcp --dport 1120 -j ACCEPT
+$IPTABLES -A OUTPUT -p tcp --dport 3724 -j ACCEPT
+$IPTABLES -A OUTPUT -p tcp --dport 4000 -j ACCEPT
+$IPTABLES -A OUTPUT -p tcp --dport 6112:6114 -j ACCEPT
-To block a ''network''
+$IPTABLES -A OUTPUT -p udp --dport 1119 -j ACCEPT
+$IPTABLES -A OUTPUT -p udp --dport 1120 -j ACCEPT
+$IPTABLES -A OUTPUT -p udp --dport 3724 -j ACCEPT
+$IPTABLES -A OUTPUT -p udp --dport 4000 -j ACCEPT
+$IPTABLES -A OUTPUT -p udp --dport 6112:6114 -j ACCEPT
-<syntaxhighlight lang="bash">
+# Diablo 3
-$IPTABLES -A INPUT  -s 10.66.6.0/24 -j DROP
+$IPTABLES -A OUTPUT -p udp --dport 6115:6120 -j ACCEPT
+$IPTABLES -A OUTPUT -p tcp --dport 6115:6120 -j ACCEPT
 </syntaxhighlight>
+Note: You might need to stop your firewall (= allow all OUTPUT) for the installation and updates. That's because Blizzard is using some random port. :_(
-=Scripts=
-To use the firewall you need to:
-* Have a '''firewall start''' script
-* Have a '''firewall stop''' script
-* Have a '''firewall launcher''' script
-* Register the firewall to the boot sequence
-==Firewall start script==
-My firewall start script: http://www.daxiongmao.eu/wiki_upload_files/firewall/firewall-start.sh
-==NetBoot client Firewall start script==
-My NetBoot firewall start script (LAN only): http://www.daxiongmao.eu/wiki_upload_files/firewall/firewall-nfs-client.sh
-==Firewall stop script==
-My firewall stop script: http://www.daxiongmao.eu/wiki_upload_files/firewall/firewall-stop.sh
-==Firewall launcher script==
-My firewall stop script: http://www.daxiongmao.eu/wiki_upload_files/firewall/firewall.sh
-==Installation==
-* Download and adjust all the previous scripts.
-* Put all the scripts in '''/etc/firewall/''' and set the execution rights
-<syntaxhighlight lang="bash">
-mkdir /etc/firewall
-cp firewall* /etc/firewall/
-chmod -R 755 /etc/firewall
-</syntaxhighlight>
-* Create some symlink for the firewall
-<syntaxhighlight lang="bash">
-ln -s /etc/firewall/firewall.sh /usr/bin/firewall
-ln -s /etc/firewall/firewall.sh /etc/init.d/firewall
-</syntaxhighlight>
-* Register firewall script to boot sequence
-<syntaxhighlight lang="bash">
-cd /etc/init.d
-update-rc.d firewall defaults
-</syntaxhighlight>
-Reboot and check that the firewall is up with:
-<syntaxhighlight lang="bash">
-firewall status
-</syntaxhighlight>
-=Note=
-All this knowledge is the result of years of experiments and trials. Don't hesitate to search over Internet for more advanced || simpler rules.
-=References=
-* My education at Telecom Bretagne [http://www.telecom-bretagne.eu/] && Chalmers [http://www.chalmers.se/en/]
-* How to set IPv4 as default: http://bruteforce.gr/make-apt-get-use-ipv4-instead-ipv6.html
-* Working years and some co-workers help:
-** Julien Rialland

Anonymous

Search

Navigation

Wiki tools

Page tools

Categories

Difference between revisions of "Firewall OUTPUT filters"

Latest revision as of 19:58, 12 October 2016

Contents

Output view

Basic outputs

Mandatory output

Allow all reserved ports

Other common outputs

IT ports

Dashboard

Development ports

Gaming

Diablo 3