Recipe 2.5 Blocking Outgoing Traffic
2.5.1 Problem
Drop all outgoing network traffic. If possible, do not affect incoming traffic.
2.5.2 Solution
For iptables:
# iptables -F OUTPUT
# iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -j REJECT
For ipchains:
# ipchains -F output
# ipchains -A output -p tcp ! --syn -j ACCEPT
# ipchains -A output -j REJECT
Depending on your shell, you might need to escape the exclamation point.
2.5.3 Discussion
This recipe takes advantage of iptables's statefulness. iptables can tell the difference between outgoing traffic initiated from the local machine and outgoing traffic in response to established incoming connections. The latter is permitted, but the former is not.

ipchains is stateless but can recognize (and reject) packets with the SYN bit set and the ACK and FIN bits cleared, thereby permitting established and incoming TCP connections to function. However, this technique is insufficient for UDP exchanges: you really need a stateful firewall for that.
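The following is an added illustration, not part of the original recipe: a small Python model of the two OUTPUT policies above, run over constructed packets so the difference between the stateful (iptables) and stateless (ipchains) versions can be seen without root or a real firewall. The StatefulFilter class is a deliberate simplification of connection tracking (it only remembers flows that an incoming packet opened), and the addresses and scenario names are made up for the example.

```python
"""Constructed model of Recipe 2.5's two OUTPUT rulesets (added example, not from the book)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    dst: str
    direction: str    # "in" (arriving at this host) or "out" (leaving it)
    syn: bool = False
    ack: bool = False
    fin: bool = False


def flow_key(pkt):
    # Unordered address pair plus protocol, so both directions of one exchange share a key.
    return (pkt.proto, frozenset({pkt.src, pkt.dst}))


class StatefulFilter:
    """Models the iptables rules: ACCEPT outgoing packets of an ESTABLISHED flow, REJECT the rest.

    Simplification: a flow becomes 'established' when we see its first incoming packet;
    INPUT is not filtered by the recipe, so every incoming packet is accepted.
    """

    def __init__(self):
        self.established = set()

    def decide(self, pkt):
        key = flow_key(pkt)
        if pkt.direction == "in":
            self.established.add(key)
            return "ACCEPT"
        return "ACCEPT" if key in self.established else "REJECT"


class StatelessFilter:
    """Models the ipchains rules: 'ACCEPT tcp ! --syn', then REJECT everything else outgoing."""

    def decide(self, pkt):
        if pkt.direction == "in":
            return "ACCEPT"
        # ipchains --syn means SYN set with ACK and FIN cleared; '! --syn' is its negation.
        is_syn_only = pkt.syn and not pkt.ack and not pkt.fin
        if pkt.proto == "tcp" and not is_syn_only:
            return "ACCEPT"
        return "REJECT"


def run(filter_, packets):
    return [filter_.decide(p) for p in packets]


# Constructed traffic; the last packet of each scenario is the one whose verdict matters.
SCENARIOS = {
    "outbound_tcp_connect": [
        Packet("tcp", "10.0.0.5", "203.0.113.7", "out", syn=True)],
    "reply_to_inbound_tcp": [
        Packet("tcp", "198.51.100.9", "10.0.0.5", "in", syn=True),
        Packet("tcp", "10.0.0.5", "198.51.100.9", "out", syn=True, ack=True)],
    "reply_to_inbound_udp": [
        Packet("udp", "198.51.100.9", "10.0.0.5", "in"),
        Packet("udp", "10.0.0.5", "198.51.100.9", "out")],
    "outbound_udp_query": [
        Packet("udp", "10.0.0.5", "203.0.113.7", "out")],
}


def compare():
    """Return, per scenario, the verdict each ruleset gives the final outgoing packet."""
    results = {}
    for name, pkts in SCENARIOS.items():
        results[name] = {
            "iptables": run(StatefulFilter(), pkts)[-1],
            "ipchains": run(StatelessFilter(), pkts)[-1],
        }
    return results


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:24s} iptables={verdicts['iptables']:7s} ipchains={verdicts['ipchains']}")
```

Both rulesets reject a locally initiated TCP connection and both allow the SYN/ACK reply to an incoming connection; the scenario that separates them is the UDP reply to an incoming datagram, which the stateful ruleset accepts and the ipchains ruleset rejects, which is the UDP limitation the discussion describes.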
2.5.4 See Also
iptables(8), ipchains(8).