Results 1 to 10 of 10

Thread: iptables to allow HTTPS connections only

  1. #1
    Join Date
    Oct 2010
    Beans
    5
    Distro
    Ubuntu 11.04 Natty Narwhal

    iptables to allow HTTPS connections only

    Hi

    I have tried to configure my iptables to allow only HTTPS connections to the internet. Unfortunately, I didn't get that to work. I configured it like this:
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -t filter -p tcp --dport 53 -j ACCEPT
    iptables -A OUTPUT -t filter -p udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -t filter -p tcp --dport https -j ACCEPT
    iptables -A OUTPUT -t filter -p udp --dport https -j ACCEPT
    It does work, on the other hand, if I allow HTTP. But that's not really what I want..
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -t filter -p tcp --dport http -j ACCEPT
    iptables -A OUTPUT -t filter -p tcp --dport 53 -j ACCEPT
    iptables -A OUTPUT -t filter -p udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -t filter -p tcp --dport https -j ACCEPT
    iptables -A OUTPUT -t filter -p udp --dport https -j ACCEPT
    Of course I am only trying to access websites via HTTPS Still, I was wondering if HTTPS somehow under the hood requires the HTTP port to be open or if my rules are in some other way wrong.

    I'd appreciate it, if somebody could give me a hint.

    - rethab

    ps: I got the rules from that website: http://www.linuxquestions.org/questi...owsing-443990/

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: iptables to allow HTTPS connections only

    Keep in mind that not every site supports https.

    Might want to check out this browser plugin, since it would be easier to manage.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #3
    Join Date
    Oct 2010
    Beans
    5
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: iptables to allow HTTPS connections only

    That is true and I knew that, but the thing is: I want users of that computer to only access websites that do support HTTPS.

    My question went more into 'should it generally be possible to allow only HTTPS connections via iptables'.

    Thanks anyway.

    edit: That computer is supposed to be used for online banking, which does support HTTPS. I want users to only use HTTPS. I think that cuts down many potential vulnerabilities (user caused). That is necessary in my opinion, since I can protect a computer only to a certain level from a technical point of view.

    - rethab
    Last edited by rethab; July 16th, 2011 at 12:06 PM.

  4. #4
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    5,421
    Distro
    Xubuntu 14.04 Trusty Tahr

    Re: iptables to allow HTTPS connections only

    My guess is that the sites you are trying to connect to have some parts that also require http. For instance, the login might be https, but that page might include scripts, images etc. that are referenced as http rather than https. Probably the easiest way to see is to opemn the firewall and visit the secure site in question which running "watch netstat -t" in a console window. If http connections open to the site as well, then it clearly needs http as well as https.

  5. #5
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: iptables to allow HTTPS connections only

    Quote Originally Posted by The Cog View Post
    My guess is that the sites you are trying to connect to have some parts that also require http.
    That would be my guess as well. The default port for web servers is 80 and for example, outside of login or other sensitive information, many sites, including mine are going to be using port 80.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  6. #6
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: iptables to allow HTTPS connections only

    Quote Originally Posted by bodhi.zazen View Post
    That would be my guess as well. The default port for web servers is 80 and for example, outside of login or other sensitive information, many sites, including mine are going to be using port 80.
    Same with mine - it uses both http and https.

    It might be easier to just set up a proxy to block everything except this bank site.

    Take a look at this page.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  7. #7
    Join Date
    Oct 2010
    Beans
    5
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: iptables to allow HTTPS connections only

    Okay, thank you all.

    Still, I thought if that page in question was using HTTPS for its main part and scripts and such via HTTP, wouldn't then the page be displayed but only without the scripts, images, etc? Because I'm getting a 'chrome cant find that page'..

    And thank you also for the other hints to solve that problem.

  8. #8
    Dangertux is offline Chocolate Ubuntu Mocha Blend
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,771
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: iptables to allow HTTPS connections only

    It depends on how the site is created. If the initial portal is entirely run on port 80 and you or your input is redirected to a secure server then no. The site would not neccessarily work. It really just depends.

  9. #9
    Join Date
    Oct 2010
    Beans
    5
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: iptables to allow HTTPS connections only

    Alright, thanks!

    - rethab

  10. #10
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    8,519
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: iptables to allow HTTPS connections only

    If you could identify the sites you want to permit, you could use iptables to limit access only to those addresses:

    Code:
    iptables -A OUTPUT -d 10.10.10.10 -p tcp --dport 80  -j ACCEPT
    iptables -A OUTPUT -d 10.10.10.10 -p tcp --dport 443 -j ACCEPT
    [etc.]
    iptables -A OUTPUT -p tcp --dport 80  -j REJECT
    iptables -A OUTPUT -p tcp --dport 443 -j REJECT

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •