Firewalling Trojans with iptables 1

[Tels]

Is there any way to block trojans from making outgoing connections (using iptables) without blocking your normal outgoing connections?

- We only intend to have html requests outgoing, after which of course, any successive connections would be related (stateful firewall)

cheers

Tels
for pint$ = 1 to 20
for pint$ = pint$ + 1
if pint$ = 20 goto HOME
next pint$

 

[ifincham]

Hi,









There are basically two approaches when designing the firewall rules : (i) set the defaults to ALLOW and then code individual rules that reject stuff you don't want; (ii) set the defaults to DROP and code rules to allow what you do want. Most people tend to use the first option or at least set the OUTPUT chain to default to ACCEPT.









For maximum security you should really set all the defaults to DROP and then code to accept what you know about. It's difficult to block trojans unless you do this because a lot of these programs can set any port they like to operate on even though they may have well known defaults. The following is an example of iptables rules for the INPUT & OUTPUT chains to permit tcp port 80.








/sbin/iptables -F INPUT



/sbin/iptables -F FORWARD



/sbin/iptables -F OUTPUT



/sbin/iptables -P INPUT DROP


/sbin/iptables -P FORWARD DROP


/sbin/iptables -P OUTPUT DROP


/sbin/iptables -A OUTPUT -i eth0 -p TCP --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT









If you are using ip forwarding you also have to code the FORWARD chain too...









Regards