[clue-tech] port access protocol restriction?

David Anselmi anselmi at anselmi.us
Wed May 11 22:02:30 MDT 2005


This turned out to be a bit of a rant, sorry.  The useful bit is at the end.

Jim Ockers wrote:
> Does anyone know how, using Linux of course, to restrict traffic
> that passes through a Linux NAT router/firewall by protocol?

You mean filter at layer 7, or application protocol (as opposed to IP 
protocol number, for example).  If you really need that this might be a 
good place to start:

http://l7-filter.sourceforge.net/L7-HOWTO-Netfilter

> Suppose I have the following rule in place because I want to
> allow the IMAP2 protocol and nothing else, and I specifically
> want to deny web access.
> 
> iptables -t filter -A FORWARD -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT

You didn't say but I infer that you mean you want to block traffic from 
your network out to the Internet, except for specific approved ports.

What's your security policy (and why)?  I ask because without a "these 
users can't be allowed to do this because..." type statement, security 
like this gets stupid really quickly.  Seriously.  I use an app that 
requires me to use 5 passwords to get to, and I run citrix to run citrix 
to run citrix to run the app.  I'm allowed access to anything I need on 
all the networks involved, but bad policy says that I can only go one 
hop at a time.  Hmm... I should probably rattle my cup on the bars over 
that.

Anyway, I used to support state governments that had "block all 
outgoing" type policies.  We had a license server their users needed. 
It didn't run on port 80 or any of the standard ports so it wasn't 
allowed by default.  Whenever we moved the server to a different IP, we 
had to give plenty of warning in advance and spend a few weeks after 
getting the admins to adjust their rules so their users could use our 
licenses.

I'm thinking those admins should have had something better to do than 
update outgoing firewall rules.  I was tempted to change our server IPs 
frequently to give them a headache (the name never changed, which is all 
the users should have needed).  Sure, I can imagine cases where strict 
egress filtering might be warranted.  But there's a big cost (not only 
to admins, but to sophisticated users who have to give up useful tools 
or find workarounds, or even just fill out the forms to get their ports 
opened).

[...]
> How can I make sure that only valid IMAP traffic passes through
> port 143, and that there is no HTTP or HTTPS traffic?  (And there
> should not be any SSL traffic at all since that's not the IMAPS
> port.)

You deny access to the Internet entirely.  Only allow internal users to 
connect to internal application proxies.  The proxies enforce your 
policies (only valid traffic for that app, only to approved servers, 
etc.)  It isn't an iptables problem, it's a squid problem.

'Course maybe you have to write your own IMAP proxy.  Oh, of course not:

http://www.imapproxy.org/

But maybe you have to add support for your policies.  (And if you're 
trying to use it as a security app when it wasn't designed that way, 
better audit the code.)

Dave
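Added example (not code from this thread, nor from l7-filter, squid or imapproxy): the kind of protocol check an application proxy as described above would apply to the first bytes of each connection. It shows why an `--dport 143 -j ACCEPT` rule alone says nothing about the protocol: HTTP, TLS or anything else rides through on that port, and only something that reads the payload can tell the difference. The connection samples, names and the `proxy_decision` helper are constructed for this example; the command lists come from RFC 3501 and RFC 2971.

```python
import re

# RFC 3501 commands a client may legitimately send before authenticating;
# ID is from RFC 2971. Any other first command is out of policy for the proxy.
_PREAUTH_COMMANDS = rb"CAPABILITY|NOOP|LOGOUT|STARTTLS|AUTHENTICATE|LOGIN|ID"
# An IMAP client line is "<tag> <command> ...CRLF"; tags are atoms without spaces.
_IMAP_CLIENT_LINE = re.compile(
    rb"^[A-Za-z0-9+.\-]+ (?:" + _PREAUTH_COMMANDS + rb")(?:[ \r\n]|$)", re.IGNORECASE
)
# An HTTP/1.x request line.
_HTTP_REQUEST_LINE = re.compile(
    rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) [^ \r\n]+ HTTP/1\.[01]\r?\n"
)
# The untagged greeting an IMAP server must send first (RFC 3501 section 7.1).
_IMAP_GREETING = re.compile(rb"^\* (?:OK|PREAUTH|BYE)(?: |\r?\n)", re.IGNORECASE)


def classify_client_data(data: bytes) -> str:
    """Label the first bytes a client sends as 'tls', 'http', 'imap' or 'unknown'."""
    # TLS record header: content type 0x16 (handshake), version 0x03 0x0?,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01):
        return "tls"
    if _HTTP_REQUEST_LINE.match(data):
        return "http"
    if _IMAP_CLIENT_LINE.match(data):
        return "imap"
    return "unknown"


def is_imap_greeting(data: bytes) -> bool:
    """True if the server side opened the conversation with an IMAP greeting."""
    return _IMAP_GREETING.match(data) is not None


def proxy_decision(server_greeting: bytes, first_client_data: bytes) -> tuple:
    """Decide whether a proxy should keep relaying a connection on the IMAP port.

    Both directions are checked: a server that does not greet as IMAP is not an
    IMAP server, and a client whose first line is not a pre-authentication IMAP
    command is not speaking IMAP, whatever port it used.  Returns (allow, reason).
    """
    if not is_imap_greeting(server_greeting):
        return False, "server did not send an IMAP greeting"
    kind = classify_client_data(first_client_data)
    if kind != "imap":
        return False, "client sent %s on the IMAP port" % kind
    return True, "imap"


# Constructed sample connections (not captured traffic):
# name -> (server greeting, first bytes from the client).
SAMPLE_CONNECTIONS = {
    "real imap": (b"* OK IMAP4rev1 server ready\r\n", b"a001 CAPABILITY\r\n"),
    "web server on 143": (b"", b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    "http through imap port": (b"* OK ready\r\n", b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    "tls on 143": (b"* OK ready\r\n", b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"),
    "post-auth command first": (b"* OK ready\r\n", b"a001 SELECT INBOX\r\n"),
}


def audit_samples(samples=SAMPLE_CONNECTIONS) -> dict:
    """Run proxy_decision over every sample; returns name -> (allow, reason)."""
    return {name: proxy_decision(greeting, client) for name, (greeting, client) in samples.items()}


if __name__ == "__main__":
    for name, (allow, reason) in audit_samples().items():
        print("%-26s %s (%s)" % (name, "ALLOW" if allow else "DENY", reason))
```

The check only looks at the opening exchange, which is what a relay can see before it has to decide whether to keep copying bytes; anything the policy wants enforced after STARTTLS or LOGIN has to be done by a proxy that terminates the session rather than one that just peeks at the first line.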


