
So I want to block all unwanted outbound traffic, especially traffic on unwarranted allowed ports, both TCP and UDP, and also get an email alert if any script or app tries to contact an outbound port.

e.g. if someone installs an IRC chat script, it should be blocked when the daemon attempts to run and connect on the configured outbound port, etc.

I want a script to get all the attempts of this outbound traffic and email it so I can see the attempts made.

The allowed ports will be the usual 80, 993, 25, 3006 and other normal hosting-related ports.

How do I proceed to make such a setup? To start, I can think of csf/apf and/or tcp_wrapper with some iptables, and finish it with a bash script to collect/email the attempts. Can someone guide me exactly on this?

Thanks.

1 Answer

Set up iptables to allow traffic to the ports you want, and log and reject everything else.

iptables --policy OUTPUT DROP
iptables --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
iptables --append OUTPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
iptables --append OUTPUT --protocol udp --match multiport --dports domain,bootps --jump ACCEPT
iptables --append OUTPUT --protocol tcp --match multiport --dports domain,http,https,ssh,pop3s,imaps,submission --jump ACCEPT
iptables --append OUTPUT --jump LOG --log-prefix 'OUT-REJECT '
iptables --append OUTPUT --jump REJECT

Then write a script in a cronjob to parse the logs for rejected packets and compile a report. This would list the rejected destination ports along with a count of the attempts.

#!/bin/sh
# Count rejected outbound packets per destination port (DPT) from the kernel log lines tagged OUT-REJECT
grep OUT-REJECT /var/log/syslog | grep -E -o 'DPT=[0-9]+' | sort | uniq -c
mgorven
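A fuller version of the cron report described in the answer, as an added example rather than the answer's own code: it summarises the kernel's OUT-REJECT log lines by protocol/port and by destination host, and handles the ICMP case where no DPT field exists. The log lines in SAMPLE_LOG are constructed test data in the netfilter LOG target's format, and the mail command in the comment is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the original answer): summarise kernel 'OUT-REJECT'
# log lines by protocol/port and by destination host, as the cron job would.
# SAMPLE_LOG is constructed test data in the netfilter LOG target's format.
SAMPLE_LOG='Mar  3 10:15:01 web1 kernel: OUT-REJECT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=64 DF PROTO=TCP SPT=51234 DPT=6667 SYN URGP=0
Mar  3 10:15:02 web1 kernel: OUT-REJECT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=64 DF PROTO=TCP SPT=51235 DPT=6667 SYN URGP=0
Mar  3 10:15:03 web1 kernel: OUT-REJECT IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=60 TTL=64 DF PROTO=TCP SPT=51236 DPT=8443 SYN URGP=0
Mar  3 10:15:04 web1 kernel: OUT-REJECT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=76 TTL=64 PROTO=UDP SPT=40000 DPT=1194 LEN=56
Mar  3 10:15:05 web1 kernel: OUT-REJECT IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Mar  3 10:15:06 web1 kernel: OUT-REJECT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=64 DF PROTO=TCP SPT=51237 DPT=6667 SYN URGP=0
Mar  3 10:15:07 web1 kernel: OUT-REJECT IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=60 TTL=64 DF PROTO=TCP SPT=51238 DPT=8443 SYN URGP=0'

# Print "count PROTO/DPT" per rejected destination port, most frequent first.
# Reads log text on stdin. Lines without a DPT field (e.g. ICMP) are skipped
# here; they still show up in the per-host summary below.
rejects_by_port() {
    grep 'OUT-REJECT' \
      | sed -n 's|.*PROTO=\([A-Z]*\) .*DPT=\([0-9]*\).*|\1/\2|p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Print "count DST" per rejected destination host, all protocols included.
rejects_by_host() {
    grep 'OUT-REJECT' \
      | sed -n 's|.*DST=\([0-9.]*\) .*|\1|p' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Build the full report from log text on stdin. In the cron job this would be:
#   report < /var/log/syslog | mail -s "Outbound rejects" root
report() {
    _log=$(cat)
    printf 'Rejected outbound connections by protocol/port:\n'
    printf '%s\n' "$_log" | rejects_by_port
    printf '\nRejected outbound connections by destination host:\n'
    printf '%s\n' "$_log" | rejects_by_host
}

# Run against the constructed sample so the script demonstrates itself.
printf '%s\n' "$SAMPLE_LOG" | report
```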