
Thread: iptables to allow HTTPS connections only

  1. #1
    Join Date
    Oct 2010
    Beans
    5
    Distro
    Ubuntu 11.04 Natty Narwhal

    iptables to allow HTTPS connections only

    Hi

    I have tried to configure my iptables to allow only HTTPS connections to the internet. Unfortunately, I didn't get that to work. I configured it like this:
    Code:
    # default policy: drop everything that is not explicitly accepted
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    # let replies to connections this host opened come back in
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNS
    iptables -A OUTPUT -t filter -p tcp --dport 53 -j ACCEPT
    iptables -A OUTPUT -t filter -p udp --dport 53 -j ACCEPT
    # HTTPS (port 443, resolved from /etc/services)
    iptables -A OUTPUT -t filter -p tcp --dport https -j ACCEPT
    iptables -A OUTPUT -t filter -p udp --dport https -j ACCEPT
    It does work, on the other hand, if I allow HTTP. But that's not really what I want..
    Code:
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the only difference: plain HTTP (port 80) is allowed out as well
    iptables -A OUTPUT -t filter -p tcp --dport http -j ACCEPT
    iptables -A OUTPUT -t filter -p tcp --dport 53 -j ACCEPT
    iptables -A OUTPUT -t filter -p udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -t filter -p tcp --dport https -j ACCEPT
    iptables -A OUTPUT -t filter -p udp --dport https -j ACCEPT
    Of course I am only trying to access websites via HTTPS. Still, I was wondering if HTTPS somehow under the hood requires the HTTP port to be open, or if my rules are wrong in some other way.

    I'd appreciate it if somebody could give me a hint.

    - rethab

    ps: I got the rules from that website: http://www.linuxquestions.org/questi...owsing-443990/

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: iptables to allow HTTPS connections only

    Keep in mind that not every site supports https.

    Might want to check out this browser plugin, since it would be easier to manage.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #3
    Join Date
    Oct 2010
    Beans
    5
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: iptables to allow HTTPS connections only

    That is true and I knew that, but the thing is: I want users of that computer to only access websites that do support HTTPS.

    My question went more into 'should it generally be possible to allow only HTTPS connections via iptables'.

    Thanks anyway.

    edit: That computer is supposed to be used for online banking, which does support HTTPS. I want users to only use HTTPS. I think that cuts down many potential vulnerabilities (user caused). That is necessary in my opinion, since I can protect a computer only to a certain level from a technical point of view.

    - rethab
    Last edited by rethab; July 16th, 2011 at 12:06 PM.

  4. #4
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,700

    Re: iptables to allow HTTPS connections only

    My guess is that the sites you are trying to connect to have some parts that also require http. For instance, the login might be https, but that page might include scripts, images etc. that are referenced as http rather than https. Probably the easiest way to see is to open the firewall and visit the secure site in question while running "watch netstat -t" in a console window. If http connections open to the site as well, then it clearly needs http as well as https.
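
    An added example, not from any poster in this thread, of the check suggested above: a small POSIX shell filter that reads `netstat -tn` output and prints every remote host:port other than 443, so any plain-HTTP connection a "secure" site opens (including ones already closed and sitting in TIME_WAIT) stands out. The sample `netstat` lines are constructed, using documentation address ranges, and are not from the original poster's machine.

```shell
#!/bin/sh
# Read `netstat -tn` output on stdin and print each distinct remote host:port
# that is NOT port 443, i.e. every connection that is not HTTPS.
non_https_peers() {
  awk '
    # netstat -tn columns: Proto Recv-Q Send-Q Local Foreign State
    # tcp/tcp6 rows only; LISTEN sockets have no peer, so skip them.
    # TIME_WAIT is kept: it shows a connection that was made and closed.
    $1 ~ /^tcp/ && $6 != "LISTEN" {
      n = split($5, a, ":"); port = a[n]   # port is the last ":"-separated field (IPv6-safe)
      if (port != "443") seen[$5] = 1
    }
    END { for (p in seen) print p }' | sort -u
}

# Constructed sample of what `netstat -tn` might show while a banking site loads.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:43210        198.51.100.7:443        ESTABLISHED
tcp        0      0 192.0.2.10:43212        198.51.100.7:80         ESTABLISHED
tcp        0      0 192.0.2.10:43220        203.0.113.9:80          TIME_WAIT
tcp        0      0 192.0.2.10:43230        198.51.100.8:443        ESTABLISHED'

# Prints the two port-80 peers (the bank itself and a third-party host):
printf '%s\n' "$SAMPLE" | non_https_peers
```

    On a live box, save the function in a script (say `non-https-peers.sh`) and run `watch -n1 'netstat -tn | sh non-https-peers.sh'` while the firewall is open; every line it prints is a host and port the site needs beyond 443.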

  5. #5
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: iptables to allow HTTPS connections only

    Quote Originally Posted by The Cog View Post
    My guess is that the sites you are trying to connect to have some parts that also require http.
    That would be my guess as well. The default port for web servers is 80 and, for example, outside of login or other sensitive information, many sites, including mine, are going to be using port 80.
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta


  6. #6
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: iptables to allow HTTPS connections only

    Quote Originally Posted by bodhi.zazen View Post
    That would be my guess as well. The default port for web servers is 80 and for example, outside of login or other sensitive information, many sites, including mine are going to be using port 80.
    Same with mine - it uses both http and https.

    It might be easier to just set up a proxy to block everything except this bank site.

    Take a look at this page.

  7. #7
    Join Date
    Oct 2010
    Beans
    5
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: iptables to allow HTTPS connections only

    Okay, thank you all.

    Still, I thought if that page in question was using HTTPS for its main part and scripts and such via HTTP, wouldn't the page then be displayed, but only without the scripts, images, etc.? Because I'm getting a 'Chrome can't find that page'..

    And thank you also for the other hints to solve that problem.

  8. #8
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,769
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: iptables to allow HTTPS connections only

    It depends on how the site is created. If the initial portal is entirely run on port 80 and you or your input is redirected to a secure server, then no, the site would not necessarily work. It really just depends.

  9. #9
    Join Date
    Oct 2010
    Beans
    5
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: iptables to allow HTTPS connections only

    Alright, thanks!

    - rethab

  10. #10
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: iptables to allow HTTPS connections only

    If you could identify the sites you want to permit, you could use iptables to limit access only to those addresses:

    Code:
    iptables -A OUTPUT -d 10.10.10.10 -p tcp --dport 80  -j ACCEPT
    iptables -A OUTPUT -d 10.10.10.10 -p tcp --dport 443 -j ACCEPT
    [etc.]
    iptables -A OUTPUT -p tcp --dport 80  -j REJECT
    iptables -A OUTPUT -p tcp --dport 443 -j REJECT
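
    An added example, not code from any post in this thread, that builds on the per-address allow-list above: a POSIX shell function that emits a complete ruleset in iptables-restore format. Beyond the rules in post #10 it opens loopback (a local stub resolver on 127.0.0.1:53 would otherwise be cut off even though "port 53" looks allowed, which is one reason the original poster's rules could fail), confines DNS to a single resolver, keeps ESTABLISHED,RELATED in both chains, keeps port 80 open to the bank's own addresses because a bare hostname typed into the browser starts as http:// and relies on the redirect to https://, rejects other web ports with a TCP reset so the browser fails immediately instead of hanging, and logs remaining drops so syslog shows which extra hosts or ports a site needs. The resolver and bank addresses are constructed placeholders.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset that lets this host reach only an
# allow-list of web server addresses (80 and 443) plus DNS to one resolver.
# Everything else outbound is rejected (web ports) or logged and dropped.

# $1 = resolver IP, remaining args = allowed web server IPs
gen_bank_rules() {
  resolver=$1; shift
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
  # loopback must stay open: a local stub resolver or local proxy otherwise
  # breaks name resolution despite the port-53 rule below
  printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
  # replies to connections this host opened, in both directions
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # DNS only to the chosen resolver; TCP too, for truncated (TC) answers
  printf -- '-A OUTPUT -d %s/32 -p udp --dport 53 -j ACCEPT\n' "$resolver"
  printf -- '-A OUTPUT -d %s/32 -p tcp --dport 53 -j ACCEPT\n' "$resolver"
  for ip in "$@"; do
    # port 80 to the bank itself: "bank.example" typed without a scheme
    # starts as http:// and needs the server's redirect to https://
    printf -- '-A OUTPUT -d %s/32 -p tcp --dport 80 -j ACCEPT\n' "$ip"
    printf -- '-A OUTPUT -d %s/32 -p tcp --dport 443 -j ACCEPT\n' "$ip"
  done
  # REJECT web ports to every other address so the browser fails fast
  printf '%s\n' '-A OUTPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset'
  printf '%s\n' '-A OUTPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset'
  # rate-limited LOG before the policy DROP: "grep egress-drop /var/log/kern.log"
  # shows what a site tried to reach beyond the allow-list
  printf '%s\n' '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "'
  printf '%s\n' 'COMMIT'
}

# Demo with constructed addresses: resolver 192.0.2.53, two bank addresses.
# To load for real:  gen_bank_rules 192.0.2.53 198.51.100.7 198.51.100.8 > rules.v4
#                    sudo iptables-restore < rules.v4
gen_bank_rules 192.0.2.53 198.51.100.7 198.51.100.8
```

    Feed the bank's addresses from `getent ahosts bank.example` rather than typing them by hand, and re-check them periodically: sites behind a CDN change addresses, and a stale allow-list fails closed, which shows up in the log as `egress-drop:` entries.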
