Blocking Outbound IP
10.0.1.25 = LDAP Server
10.0.1.102 = DNS Server
10.0.1.103 = Trusted Host 1
10.0.1.27 = Trusted Host 2
*filter
# Default policies: anything not explicitly accepted below is dropped.
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [197:20792]
# Replies to any connection this host opened itself (LDAP, DNS, ...).
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# LDAP server. These INPUT rules only match if the LDAP host opens a connection
# to 389/636 on this machine; replies to our own queries are already accepted above.
-A INPUT -s 10.0.1.25/32 -p tcp -m tcp --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.1.25/32 -p tcp -m tcp --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.1.25/32 -p udp -m udp --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.1.25/32 -p udp -m udp --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT
# Outbound LDAP (389) and LDAPS (636) to the LDAP server.
-A OUTPUT -d 10.0.1.25/32 -p tcp -m multiport --dport 389 -j ACCEPT
-A OUTPUT -d 10.0.1.25/32 -p tcp -m multiport --dport 636 -j ACCEPT
-A OUTPUT -d 10.0.1.25/32 -p udp -m multiport --dport 389 -j ACCEPT
-A OUTPUT -d 10.0.1.25/32 -p udp -m multiport --dport 636 -j ACCEPT
# DNS to the resolver over UDP and TCP. The --sport 53 INPUT rules are also
# covered by the RELATED,ESTABLISHED rule above.
-A OUTPUT -p udp -d 10.0.1.102 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -s 10.0.1.102 --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -d 10.0.1.102 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 10.0.1.102 --sport 53 -m state --state ESTABLISHED -j ACCEPT
# Trusted hosts: any IP traffic in either direction.
-A INPUT -s 10.0.1.103/32 -j ACCEPT
-A INPUT -s 10.0.1.27/32 -j ACCEPT
-A OUTPUT -d 10.0.1.27/32 -j ACCEPT
-A OUTPUT -d 10.0.1.103/32 -j ACCEPT
# Note: no rule permits loopback (lo), so local-only traffic is dropped by the policies too.
COMMIT
Once you have logged in on the console, save the ruleset above to a temporary file (this example calls it rules.txt) and load it:
# cat rules.txt|iptables-restore
This permits LDAP authentication against your LDAP host and DNS queries to your resolver host, and allows all IP traffic to and from the two trusted hosts. Everything else is blocked, so the host cannot run anything that connects out to a remote host, which gives you time to study a server that has been owned.
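The same isolation ruleset as a small script, added here as an example rather than taken from the page: it builds the rules from variables (the addresses default to the page's own values, which are placeholders to override), backs up the live rules with iptables-save, syntax-checks the new set with iptables-restore --test, and then loads it. It goes slightly beyond the page's ruleset in two assumed ways: it keeps loopback open, and it drops the per-service INPUT rules because replies to the host's own LDAP and DNS queries are already matched by the single RELATED,ESTABLISHED rule. The backup path and rules file path are assumptions, not from the page.

```shell
#!/bin/sh
# Added example (not from the wiki page): parametrized isolation ruleset plus a
# backup-then-load helper. Addresses default to the page's placeholder values.
LDAP_HOST="${LDAP_HOST:-10.0.1.25}"
DNS_HOST="${DNS_HOST:-10.0.1.102}"
TRUSTED_HOSTS="${TRUSTED_HOSTS:-10.0.1.103 10.0.1.27}"
RULES_FILE="${RULES_FILE:-/tmp/rules.txt}"   # assumed location

# gen_rules prints an iptables-restore ruleset for the filter table that allows
# only LDAP (389/636) to LDAP_HOST, DNS (53) to DNS_HOST, and any IP to or from
# each host in TRUSTED_HOSTS. Replies to permitted outbound connections return
# through the single RELATED,ESTABLISHED rule, so no per-service INPUT rules are needed.
gen_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT DROP [0:0]'
    # Assumption beyond the page: keep loopback open so local daemons still work.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    for proto in tcp udp; do
        for port in 389 636; do
            printf '%s\n' "-A OUTPUT -d $LDAP_HOST/32 -p $proto --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
        done
        printf '%s\n' "-A OUTPUT -d $DNS_HOST/32 -p $proto --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT"
    done
    for host in $TRUSTED_HOSTS; do
        printf '%s\n' "-A INPUT -s $host/32 -j ACCEPT" "-A OUTPUT -d $host/32 -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# count_rules prints how many -A lines gen_rules emits (sanity check before loading).
count_rules() {
    gen_rules | grep -c '^-A '
}

# allows_dst exits 0 if the generated set has an explicit OUTPUT ACCEPT for the
# given destination address, 1 otherwise (so "everything else" really is dropped).
allows_dst() {
    gen_rules | grep -q -- "-A OUTPUT -d $1/32 "
}

# apply_rules saves the current rules, syntax-checks the new set, then loads it.
# iptables-restore replaces the whole filter table in one step, so the host never
# sits in a half-applied state. Must run as root.
apply_rules() {
    backup="/root/iptables-before-isolation.$(date +%Y%m%d%H%M%S)"   # assumed path
    iptables-save > "$backup" || return 1
    gen_rules > "$RULES_FILE"
    iptables-restore --test < "$RULES_FILE" || return 1
    iptables-restore < "$RULES_FILE" || return 1
    echo "backup written to $backup; current OUTPUT chain:"
    iptables -S OUTPUT
}

# Usage: sh isolate.sh show   (print the ruleset)
#        sh isolate.sh apply  (back up, check and load it)
case "${1:-}" in
    show)  gen_rules ;;
    apply) apply_rules ;;
esac
```

Run it with `show` first and read the output; `apply` writes the backup before touching anything, so the saved file can be fed back to iptables-restore to return the host to its previous state once the investigation is done.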
page revision: 1, last edited: 24 Mar 2015 14:25