Iptables: Blocking outbound traffic except to certain IP addresses

Using iptables, I need to block all outbound traffic on my server, except:

  • SSH access to a small number of IP addresses
  • HTTPS access to the same small list of IP addresses

Can anybody show me a suitable set of rules?

Thank you.


Solution 1:

iptables -I OUTPUT -d <remote_ip> -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -s <remote_ip> -p tcp --sport 22 -j ACCEPT
iptables -I OUTPUT -d <remote_ip> -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -s <remote_ip> -p tcp --sport 443 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP

You will need to put in the first 4 rules for each of the IPs. Be warned, though, because you will have to log in via the console on this machine; all other access to it will be blocked.

Solution 2:

Now I understand the context of your question, try:

iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -d 8.8.8.8 --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -d 8.8.8.8 --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -d 10.11.12.13/24 --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -d 10.11.12.13/24 --dport 443 -j ACCEPT

And so on. That will set the default policy to DROP and then only allow the IP addresses (or ranges) listed access. The second line allows related traffic (e.g. outbound packets for an ongoing SSH session); the third and fourth lines are examples for your DNS lookups.

Don't forget you'll need an INPUT rule similar to line 2.
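Both answers above hand-write one rule per address. As an added example (not code from either answer), here is a small POSIX shell script that generates the same kind of outbound allowlist for any number of addresses and prints the iptables commands rather than running them, so the set can be reviewed before it is applied. It matches on destination (-d) in the OUTPUT chain, uses the conntrack match in place of the older state match, and sets the DROP policy as the last step so the session loading the rules is not cut off part way through. The resolver and remote addresses in the comments and usage note are constructed sample values from the RFC 5737 documentation ranges, and count_allow_rules is a helper added here only for checking the generated output.

```shell
#!/bin/sh
# Added example, not code from either answer above. Generates (prints) an
# outbound allowlist rule set for a list of remote IPv4 addresses so the
# commands can be reviewed before they are applied. All addresses used in
# the comments below are constructed sample values.

# gen_rules RESOLVER_IP ALLOWED_IP...
# Emits iptables commands that allow outbound DNS to RESOLVER_IP and
# outbound SSH/HTTPS to each ALLOWED_IP, and drop everything else.
gen_rules() {
    resolver="$1"
    shift

    # Start from a clean OUTPUT chain, but keep the policy at ACCEPT until
    # the allow rules are in place so an admin SSH session is not cut off.
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -F OUTPUT"

    # Loopback, plus replies on connections that already exist (this also
    # covers packets going back to an inbound SSH client).
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"

    # Name resolution, matched on destination (-d), only to the chosen resolver.
    for proto in udp tcp; do
        echo "iptables -A OUTPUT -d $resolver -p $proto --dport 53 -j ACCEPT"
    done

    # New SSH and HTTPS connections to each allowed address.
    for ip in "$@"; do
        for port in 22 443; do
            echo "iptables -A OUTPUT -d $ip -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        done
    done

    # Log a rate-limited sample of what is about to be dropped (useful when
    # something stops working after the change), then flip the policy last.
    echo "iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix \"OUTPUT-DROP: \""
    echo "iptables -P OUTPUT DROP"
}

# count_allow_rules PORT RESOLVER_IP ALLOWED_IP...
# Prints how many generated ACCEPT rules target PORT; a quick sanity check
# that every allowed address received its rule.
count_allow_rules() {
    port="$1"
    shift
    gen_rules "$@" | grep -c -- "--dport $port .*-j ACCEPT" || true
}
```

To use it, review the output of `gen_rules 192.0.2.53 203.0.113.5 203.0.113.6` and, once it looks right, pipe that same command into `sh` as root (constructed addresses; substitute your own resolver and remote hosts). These are IPv4 rules only: a host with IPv6 connectivity needs the same allowlist loaded with ip6tables, or IPv6 traffic stays unrestricted. Rules loaded this way are also lost on reboot unless saved with your distribution's persistence mechanism.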