I have a server running Ubuntu 16.04 with an application that only needs outgoing connections for package updates and NTP time syncing. It has a dynamic IPv6 address on a separate network interface for this purpose. All other connections are via the LAN on another interface, which has no gateway to the WAN.
I'd like to secure this machine by disallowing any outgoing connections other than for package updates and NTP time syncing.
However, when I try the following rules, nothing is being blocked:
ip6tables -A OUTPUT -o lo -p all -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT
ip6tables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p udp -m owner --uid-owner systemd-timesync -j ACCEPT
ip6tables -A OUTPUT -p tcp --dport 53 -j ACCEPT
ip6tables -A OUTPUT -p udp --dport 53 -j ACCEPT
while read -r p; do
    ip6tables -A OUTPUT -d "$p" -j ACCEPT
done < firewall/hosts-to-allow.list
ip6tables -A OUTPUT -o ens18 -j REJECT
Note that incoming icmpv6 requests are allowed, but all other incoming ports are blocked.
Note that in a previous state of this question, I'd erroneously dropped all packets first after logging them.
The applied rules are as follows:
Chain INPUT (policy ACCEPT 70 packets, 126K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all * lo ::/0 ::/0
8 536 ACCEPT icmpv6 * * ::/0 ::/0
67 6405 ACCEPT all * * ::/0 ::/0 state NEW,RELATED,ESTABLISHED
0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:53
0 0 ACCEPT udp * * ::/0 ::/0 udp dpt:53
0 0 ACCEPT udp * * ::/0 ::/0 owner UID match 100
0 0 ACCEPT tcp * * ::/0 2001:67c:1560:8001::14
0 0 ACCEPT tcp * * ::/0 2001:67c:1360:8001::17
0 0 ACCEPT tcp * * ::/0 2001:67c:1360:8001::21
0 0 ACCEPT tcp * * ::/0 2001:67c:1560:8001::11
0 0 ACCEPT udp * * ::/0 2001:67c:1560:8001::14
0 0 ACCEPT udp * * ::/0 2001:67c:1360:8001::17
0 0 ACCEPT udp * * ::/0 2001:67c:1360:8001::21
0 0 ACCEPT udp * * ::/0 2001:67c:1560:8001::11
0 0 ACCEPT tcp * * ::/0 2001:67c:1562::19
0 0 ACCEPT tcp * * ::/0 2001:67c:1560:8001::14
0 0 ACCEPT tcp * * ::/0 2001:67c:1562::16
0 0 ACCEPT tcp * * ::/0 2001:67c:1360:8001::21
0 0 ACCEPT tcp * * ::/0 2001:67c:1360:8001::17
0 0 ACCEPT tcp * * ::/0 2001:67c:1560:8001::11
0 0 ACCEPT udp * * ::/0 2001:67c:1562::19
0 0 ACCEPT udp * * ::/0 2001:67c:1560:8001::14
0 0 ACCEPT udp * * ::/0 2001:67c:1562::16
0 0 ACCEPT udp * * ::/0 2001:67c:1360:8001::21
0 0 ACCEPT udp * * ::/0 2001:67c:1360:8001::17
0 0 ACCEPT udp * * ::/0 2001:67c:1560:8001::11
0 0 REJECT all * ens18 ::/0 ::/0 reject-with icmp6-port-unreachable
Chain LOGGING (0 references)
pkts bytes target prot opt in out source destination
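Netfilter chains are evaluated first match wins, and the third rule in the chain above (`--state NEW,RELATED,ESTABLISHED`) matches every fresh outgoing connection, so the allow-list and the final REJECT are never reached. The script below is an added example, not the asker's rules: it keeps only RELATED,ESTABLISHED in the early stateful rule, so NEW connections fall through to explicit allows for NTP, DNS and the package mirrors, and everything else leaving the WAN interface is rejected. It assumes the WAN interface is ens18 and that NTP runs as the systemd-timesync user (the UID 100 match in the output); the allow-list addresses are constructed placeholders from the documentation prefix, and the 80/443 port restriction for the mirrors is an assumption.

```shell
#!/bin/sh
# Egress-only IPv6 ruleset (added example). Set IP6T=echo for a dry run.
WAN_IF="${WAN_IF:-ens18}"
IP6T="${IP6T:-ip6tables}"

# Constructed sample allow-list; replace with
#   ALLOW_HOSTS=$(cat firewall/hosts-to-allow.list)
ALLOW_HOSTS="${ALLOW_HOSTS:-2001:db8::14
2001:db8::17}"

# Print the rules, one per line, in evaluation order.
ruleset() {
    # Replies to established flows are accepted here; NEW is deliberately
    # absent so unlisted new connections reach the REJECT at the end.
    cat <<EOF
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmpv6 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o $WAN_IF -p udp --dport 123 -m owner --uid-owner systemd-timesync -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 53 -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp --dport 53 -j ACCEPT
EOF
    # Package mirrors: one rule per address, HTTP/HTTPS only (assumption).
    printf '%s\n' "$ALLOW_HOSTS" | while read -r host; do
        [ -n "$host" ] || continue
        printf -- '-A OUTPUT -o %s -d %s -p tcp -m multiport --dports 80,443 -j ACCEPT\n' \
            "$WAN_IF" "$host"
    done
    # Default: reject anything else leaving the WAN interface.
    printf -- '-A OUTPUT -o %s -j REJECT --reject-with icmp6-adm-prohibited\n' "$WAN_IF"
}

# Feed each rule to ip6tables (or to echo for a dry run).
apply() {
    ruleset | while read -r line; do
        # word splitting of $line into arguments is intended
        # shellcheck disable=SC2086
        $IP6T $line
    done
}
```

Run `IP6T=echo sh script.sh` style dry runs before loading, and check the counters afterwards with `ip6tables -L OUTPUT -v -n`: with NEW removed from the stateful rule, a connection to an unlisted host now increments the REJECT counter instead of the ACCEPT one.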