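# Replies on connections the box already has are accepted here, before the
# owner match below, so PROXY_OUT only ever sees NEW (or INVALID) packets.
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Create a chain for outgoing proxy traffic (everything sent by the proxy uid)
-N PROXY_OUT
-A OUTPUT -m owner --uid-owner proxy -j PROXY_OUT
# Replies to the requestor are already covered by the RELATED,ESTABLISHED rule
# above. A bare "-p tcp --sport 8080 -j ACCEPT" at this point would only ever
# match NEW packets, and would let a compromised proxy reach any destination
# (the private ranges dropped below included) just by binding the local port
# of an outbound connection to 8080 -- so there is deliberately no such rule.
# Prevent proxy from talking to anything non HTTP{,s} (and DNS)
# NOTE(review): this only restricts TCP. UDP to ports other than 53, and ICMP,
# fall through PROXY_OUT to whatever follows in OUTPUT (not in this template);
# add "-A PROXY_OUT -p udp ! --dport 53 -j DROP" if that policy is not DROP.
-A PROXY_OUT -p tcp -m multiport ! --dports 80,443,53 -j DROP
# Allow DNS udp. Kept ahead of the private-range drops so a resolver on a
# private or link-local address (as on a VPC) keeps working.
-A PROXY_OUT -p udp --dport 53 -j ACCEPT
# Allow the proxy to specific private ips (demos servers)
-A PROXY_OUT -d xxx.xxx.xxx.xxx/32 -j ACCEPT
# Prevent proxy from talking to anything private: first anything not leaving
# via the public interface (loopback included), then RFC1918, then link-local.
# The ec2_public_ipv4 facts below suggest EC2, where the instance metadata
# service (169.254.169.254) lives in link-local and would otherwise be
# reachable over plain HTTP through the proxy -- the classic SSRF-to-IAM-creds
# path.
-A PROXY_OUT ! -o <%= @public_iface %> -j DROP
-A PROXY_OUT -d 10.0.0.0/8 -j DROP
-A PROXY_OUT -d 172.16.0.0/12 -j DROP
-A PROXY_OUT -d 192.168.0.0/16 -j DROP
-A PROXY_OUT -d 169.254.0.0/16 -j DROP
# Prevent proxy from talking to services via public ips. Hosts without a
# public address are skipped: an empty fact would render as "-d /32" and make
# iptables-restore reject the whole file, leaving the box with no rules.
<% @aws_public_ips.each do |name, facts| %>
<% next if facts['ec2_public_ipv4'].to_s.empty? %>
# <%= name %>
-A PROXY_OUT -d <%= facts['ec2_public_ipv4'] %>/32 -j DROP
<% end %>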
Anything I missed? Which outgoing ports to block beyond these is a matter of taste.