Koozali.org: home of the SME Server

Deny Ports for outgoing traffic

uli334
« on: May 02, 2007, 06:31:07 AM »
Hello,

I'm using SME as a firewall for a school's net. Now I want to block some ports for outgoing traffic (e.g. ICQ).
Does anyone know of contribs which allow blocking ports, or can give an example of setting the correct "masq" rules to block outgoing ports or port ranges?

Thank you,
uli334

KaiNeR
« Reply #1 on: May 02, 2007, 07:01:00 AM »
I recently installed snort, guardian & oink, and guardian has 2 scripts built in for blocking and unblocking by IP address.

It's very simple to use:

sh /sbin/guardian_block.sh <IP> eth0

or

sh /sbin/guardian_unblock.sh <IP> eth0


The settings are only applied for 24 hours or until the server is rebooted; I think the scripts could be modified to block on a more permanent basis.
KaiNeR  :pint: ......

crazybob
« Reply #2 on: May 02, 2007, 03:02:32 PM »
You may want to look at
http://mirror.contribs.org/smeserver/contribs/jbennett/sme7/squidguard/

I am not sure if SquidGuard will do what you want, but it may be worth a try.

Bob
If you think you know what's going on, you obviously have no idea what's going on!

uli334
« Reply #3 on: May 03, 2007, 04:11:59 AM »
Hello,

No, I use SquidGuard for filtering Internet traffic, so that our users can't reach some sites with unwanted content.
Also, I don't want to deny some IPs in the local network from reaching the Internet.
What I want is to block all traffic on some ports, e.g. so that you can't use ICQ (port 5190) on any machine in the local net.
That can only be achieved by modifying SME's firewall rules (masq).
Maybe there is a contrib for that purpose, or an example of closing one outgoing port...?

Greetings,
uli334

KaiNeR
« Reply #4 on: May 03, 2007, 04:48:38 AM »
Sounds like a very good contrib, I think I will have to give it a try myself.
KaiNeR  :pint: ......

cjensen
« Reply #5 on: May 03, 2007, 06:19:44 AM »
Submit a new feature request in bugzilla.

I myself would be interested in this as I have been working to lock down several servers more strictly. There is port-forwarding already that may be a good template. I will look for a src and have a look.

Craig

KaiNeR
« Reply #6 on: May 03, 2007, 07:45:50 AM »
If you start me off requesting new features from SME I'll be doing it all day.

I already think SME has so many useful features built in, but a few other bits would make it unbeatable, even though it's pretty close now.

I have tested ClarkConnect for several months to see how it panned out compared to SME. I did like the idea of a firewall panel with a status section to show you possible attacks and give you the chance to block the offending IP, but that was about it.

I know SME manages the firewall on its own and there is no real need for user input. However I do think it would be nice to have some sort of iptraf implementation in the server manager so at least the admin can view possible attacks and have an option to block if needed. I know this can be achieved in other ways (snort, guardian) but I really think snort and guardian should be built into the base. (Don't flame me for suggesting a base update/modification.) I appreciate how much hard work the developers put into SME; I have read a topic regarding how much time/effort is needed to make changes to the base, I just thought it would be a cool feature that would attract more people to switching.

Thanks again to all the devs
KaiNeR  :pint: ......

byte
« Reply #7 on: May 03, 2007, 09:58:03 AM »
This is what I use to block outside AOL access for example...

Create your...

/etc/e-smith/templates-custom/etc/rc.d/init.d/masq

Then 2 files...

00Definitions2
35SpecificBlocking

Then in the 00Definitions2 file put this in...

Code:
{
    # Template fragment: look up the server's LAN address from the
    # configuration db so later fragments can use $LOCALIP in the
    # generated masq script.  The backslashes keep $ and ( literal
    # in the Perl heredoc so they reach the shell unchanged.
    $OUT .= <<HERE;

    LOCALIP=\$\(/sbin/e-smith/db configuration get LocalIP\)
    if [ -z "\$LOCALIP" ]
    then
        # Set LOCALIP to internal loopback
        LOCALIP=127.0.0.1
    fi

HERE
}



Note a return at the bottom after }.

And in 35SpecificBlocking

Code:
{
    $OUT = '';

    # Users on LAN are not allowed to access AOL
    # servers on the Internet.

    # Block any outgoing connections to AOL servers.
    # $INTERNALIF and $LOCALIP are shell variables in the expanded
    # masq script, so they are escaped here rather than interpolated.

    $OUT .= "    /sbin/iptables --table nat --append PREROUTING\\\n";
    $OUT .= "\t-i \$INTERNALIF -p tcp --dst ! \$LOCALIP --dport 5190\\\n";
    $OUT .= "\t--jump LOG --log-prefix \"denylogaoloutside: \"\n";
    $OUT .= "    /sbin/iptables --table nat --append PREROUTING\\\n";
    $OUT .= "\t-i \$INTERNALIF -p tcp --dst ! \$LOCALIP --dport 5190 --jump DROP\n";
}


Change "--dport 5190" to the port you wish to change.

Now run expand-template /etc/rc.d/init.d/masq and restart the service with service masq restart

Original thanks go to "Pascal Schirrmann" for pointing me in the right direction over on the dev list a while ago.
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

haymann
« Reply #8 on: May 03, 2007, 03:01:02 PM »
A question from someone that doesn't know much about custom templates and scripting...

Can you repeat that code with different port numbers in the same custom template? For example:
Code:
{
    $OUT = '';

    # Users on LAN are not allowed to access AOL
    # servers on the Internet.

    # Block any outgoing connections to AOL servers

    $OUT .= "    /sbin/iptables --table nat --append PREROUTING\\\n";
    $OUT .= "\t-i \$INTERNALIF -p tcp --dst ! \$LOCALIP --dport 5190\\\n";
    $OUT .= "\t--jump LOG --log-prefix \"denylogaoloutside: \"\n";
    $OUT .= "    /sbin/iptables --table nat --append PREROUTING\\\n";
    $OUT .= "\t-i \$INTERNALIF -p tcp --dst ! \$LOCALIP --dport 5190 --jump DROP\n";
}

{
    $OUT = '';

    # Users on LAN are not allowed to access Remote Desktop
    # servers on the Internet.

    # Block any outgoing connections to Remote Desktop servers

    $OUT .= "    /sbin/iptables --table nat --append PREROUTING\\\n";
    $OUT .= "\t-i \$INTERNALIF -p tcp --dst ! \$LOCALIP --dport 3389\\\n";
    $OUT .= "\t--jump LOG --log-prefix \"denylogRDoutside: \"\n";
    $OUT .= "    /sbin/iptables --table nat --append PREROUTING\\\n";
    $OUT .= "\t-i \$INTERNALIF -p tcp --dst ! \$LOCALIP --dport 3389 --jump DROP\n";
}

Not that I want to block Remote Desktop at this point, it was just the first port to pop into my head...

Next question, can you block a range of ports in this fashion?
Ryan

byte
« Reply #9 on: May 06, 2007, 11:15:43 PM »
Quote from: "haymann"
A question from someone that doesn't know much about custom templates and scripting...

Can you repeat that code with different port numbers in the same custom template? For example:
Code:
{
    $OUT = '';

    # Users on LAN are not allowed to access AOL
    # servers on the Internet.

    # Block any outgoing connections to AOL servers

    $OUT .= "    /sbin/iptables --table nat --append PREROUTING\\\n";
    $OUT .= "\t-i \$INTERNALIF -p tcp --dst ! \$LOCALIP --dport 5190\\\n";
    $OUT .= "\t--jump LOG --log-prefix \"denylogaoloutside: \"\n";
    $OUT .= "    /sbin/iptables --table nat --append PREROUTING\\\n";
    $OUT .= "\t-i \$INTERNALIF -p tcp --dst ! \$LOCALIP --dport 5190 --jump DROP\n";
}

{
    $OUT = '';

    # Users on LAN are not allowed to access Remote Desktop
    # servers on the Internet.

    # Block any outgoing connections to Remote Desktop servers

    $OUT .= "    /sbin/iptables --table nat --append PREROUTING\\\n";
    $OUT .= "\t-i \$INTERNALIF -p tcp --dst ! \$LOCALIP --dport 3389\\\n";
    $OUT .= "\t--jump LOG --log-prefix \"denylogRDoutside: \"\n";
    $OUT .= "    /sbin/iptables --table nat --append PREROUTING\\\n";
    $OUT .= "\t-i \$INTERNALIF -p tcp --dst ! \$LOCALIP --dport 3389 --jump DROP\n";
}

Not that I want to block Remote Desktop at this point, it was just the first port to pop into my head...


Should work, yes.

Quote

Next question, can you block a range of ports in this fashion?
Ryan


Yes, change the --dport 3389 to --dport 100:200 so it now blocks ports 100 to 200.
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!
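As an added example (not from byte's post or the SME project), one 35SpecificBlocking-style fragment that emits the LOG and DROP pair for every entry in a list, so adding a port or a low:high range is one line instead of five. It assumes the same $INTERNALIF and $LOCALIP shell variables the fragments above rely on; the port list and log prefixes are constructed for illustration, and the `--dst !` negation form is the old iptables syntax used in this thread (newer iptables wants `! --dst`).

```perl
{
    # Added example: generate the LOG + DROP pair for each blocked
    # destination.  Each entry is [ protocol, port or low:high range,
    # log prefix ].  These values are constructed for illustration.
    my @blocked = (
        [ 'tcp', '5190',    'denylogaoloutside' ],  # AOL/ICQ
        [ 'tcp', '3389',    'denylogRDoutside' ],   # Remote Desktop
        [ 'tcp', '100:200', 'denylogrange' ],       # a whole port range
    );

    $OUT = '';
    foreach my $entry (@blocked) {
        my ($proto, $ports, $prefix) = @$entry;

        # Only the first packet of a connection is evaluated in the nat
        # table, so dropping it in PREROUTING stops the connection from
        # being set up at all.  $INTERNALIF and $LOCALIP are shell
        # variables of the expanded masq script, hence the escaping.
        $OUT .= "    # Block outgoing $proto/$ports from the LAN\n";
        $OUT .= "    /sbin/iptables --table nat --append PREROUTING \\\n";
        $OUT .= "\t-i \$INTERNALIF -p $proto --dst ! \$LOCALIP --dport $ports \\\n";
        $OUT .= "\t--jump LOG --log-prefix \"$prefix: \"\n";
        $OUT .= "    /sbin/iptables --table nat --append PREROUTING \\\n";
        $OUT .= "\t-i \$INTERNALIF -p $proto --dst ! \$LOCALIP --dport $ports --jump DROP\n";
    }
}
```

After expand-template and service masq restart, `iptables -t nat -L PREROUTING -n` should list one LOG and one DROP rule per entry, and blocked attempts appear in /var/log/messages under the chosen prefix.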

mdo
« Reply #10 on: May 07, 2007, 07:54:53 AM »
There was a contrib available for this request (to block specific outgoing ports) from Dungog (www.dungog.net), but that was for SME6 only.
I do not believe they have a contrib for SME7 (yet), but it might be worthwhile to ask about that. Maybe it's possible to upgrade their old contrib?

Note: This might become a paid/sponsored task.
Michael

haymann
« Reply #11 on: May 07, 2007, 04:08:48 PM »
Quote from: "byte"
Should work, yes.

Quote

Next question, can you block a range of ports in this fashion?
Ryan


Yes, change the --dport 3389 to --dport 100:200 so it now blocks between 100-200
Excellent! Thanks!
Ryan

stephen noble
« Reply #12 on: May 09, 2007, 11:58:44 AM »

raem
« Reply #13 on: October 18, 2007, 10:32:03 AM »
> this method as a NFR
> http://bugs.contribs.org/show_bug.cgi?id=2977

I added details of this method to
http://wiki.contribs.org/SME_Server:Documentation:FAQ#Firewall.2FPort_Forwarding.2COpening.2CBlocking
See "I want to block outgoing traffic from my server."

arne
« Reply #14 on: October 18, 2007, 11:58:31 PM »
If you want to control the traffic out from a school gateway I guess it will not be an effective method to block one port at a time, as it will be "normal procedure" for some unwanted applications to just switch over to some other open port. It is easy to end up closing port after port, and there will never be enough closed ports.

The other approach is to set the default policy for outgoing traffic to all closed and then to open one port at a time as required. This will be a somewhat more effective approach.

I have made such a firewall implementation on my SME 7.2 and I am using it and testing it now. (Zero problems until now, but I would like to test it longer and more over time.)

By the way, applying major changes to the firewall system is generally a dangerous thing to do, just to have mentioned that.

If it was "a quite usual thing" to make major changes to the SME server firewalling system there would certainly be a number of SME servers that were hacked due to misconfiguration, and there would also be a number of "incorrectly asked or misleading questions" on the support forum that would be asked as if it was a server issue, but that in real life is related to a misconfigured firewall. (That's how it used to be with firewalls.)

The disadvantage of applying a "full packet filtration" of outgoing traffic is that there will be some users that will ask: Why does service x not work on my PC? The standard answer will be: "You will have to send a request to the administrator to get your client program on the list of approved traffic."

Even though you do a filtration of outgoing traffic it might still be possible to perform an irregular use of the approved ports. As an example: port 443 is the port of the SSL encrypted web traffic (https://..). It is quite easy to set up any encrypted tunnel through port 443, and for most firewalls it will be rather difficult to tell the difference between a datastream containing encrypted SSL data and other encrypted data. Some programs that might be unwanted have automated procedures for finding and using an open port 80 and an open port 443 in the outgoing traffic direction.

On the other hand a policy of allowing only certain ports and protocols might reduce unwanted traffic.

I think it would require a rather big project to make major changes to the SME server firewalling system, but on the other hand to have an option: "Apply rules for restricted outgoing traffic" and then to leave open just a few standard ports for outgoing traffic, that might not require a big modification.

One other advantage of doing outgoing firewalling is that you can reduce the damage potential, in some way, if internal (Windows) clients get hacked or infected by a virus or other malware.

By the way I was banned and refused to log on to contribs.org for a few days. Hopefully I will not be locked out again, even though mentioning a few words about security and firewalling.

By the way, I will try to send a suggestion to bugzilla about a "restricted traffic out" option in the near future, if I'm not locked out again, as I believe such a modification (as an option) technically could be relatively easily implemented in the existing firewalling and template system, while on the other side having a major influence on the overall network security.
« Last Edit: October 19, 2007, 12:22:57 AM by arne »