[SOLVED] iptables Block OUTPUT ftp

Support for security such as Firewalls and securing linux
Bryan.Bailey
Posts: 45
Joined: 2014/02/07 14:37:21
Location: Richmond, VA

[SOLVED] iptables Block OUTPUT ftp

Post by Bryan.Bailey » 2014/02/09 00:49:04

Hello,

I want to block any outbound ftp access from my internal network to the Internet. I can block port 20 and 21 but if someone picks a random port to ftp data to, I want iptables to sense that it's ftp and block it, no matter the port.

From my Googling, most people are wanting to block incoming ftp connections. I am not worried about that as I drop everything and just allow needed services.

Thanks,
Bryan
Last edited by Bryan.Bailey on 2014/03/18 17:01:23, edited 1 time in total.
Humans have driven me to computers.

You have not provided enough information to answer the question.
Perhaps that is the problem.

Bryan.Bailey
Posts: 45
Joined: 2014/02/07 14:37:21
Location: Richmond, VA

Re: iptables Block OUTPUT ftp

Post by Bryan.Bailey » 2014/02/09 21:18:13

Anyone have any ideas?

The scenario: someone takes control of a box inside my LAN and is sending out ftp data on a non-standard ftp port. I want iptables to block ALL outbound ftp traffic because I will never use it.

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: iptables Block OUTPUT ftp

Post by gerald_clark » 2014/02/10 04:56:51

If they take control of your box, they can do whatever they want.

Bryan.Bailey
Posts: 45
Joined: 2014/02/07 14:37:21
Location: Richmond, VA

Re: iptables Block OUTPUT ftp

Post by Bryan.Bailey » 2014/02/27 19:37:24

Let me try to be a bit clearer.

Cracker A takes control of a Windows box on the LAN. They decide to ftp data, for whatever reason, to their home server. I have a Linux firewall running iptables that needs to be configured to block ANY and ALL ftp traffic as I have no business use for ftp. The Linux box has not been compromised and the cracker does not know how to break into the Linux box.

Remember, this is just one layer of security and I fully understand it does not protect me from the evils of the world. But, I feel it's a decent layer to add.

Bryan.Bailey
Posts: 45
Joined: 2014/02/07 14:37:21
Location: Richmond, VA

Re: iptables Block OUTPUT ftp

Post by Bryan.Bailey » 2014/03/17 20:43:32

Anyone?

Super Jamie
Posts: 310
Joined: 2014/01/10 23:44:51

Re: iptables Block OUTPUT ftp

Post by Super Jamie » 2014/03/18 13:56:35

What you're looking for is called a "deep packet inspecting firewall", also referred to as an "application level firewall" or "layer 7 firewall".

As the name suggests, this is a device or software which can ignore lower layers of network communication like IP addresses (Layer 3) and TCP/UDP ports (Layer 4) and focus on the actual data which the application is sending back and forth (Layer 7).

If you've not heard of layers of network communication, read up on the OSI model.

The idea is that applications are built around standard protocols. You can inspect the traffic an application sends and match it against a list of known protocols.

To follow your specific example, FTP works on a list of known commands. If you had something inspecting every piece of traffic on your network for these FTP control commands, you could identify FTP sessions on any TCP port and do whatever you liked with those sessions.

Layer 7 inspection is computationally very expensive, because you have to inspect ALL traffic against a list of ALL known protocols. Often a firewall like this is supplied as an expensive specialised rackmount device which costs a lot of money.

To my knowledge, CentOS doesn't come with anything like this by default. A Google search for "layer 7 firewall centos" shows many old pages which show how to set up l7-filter on CentOS.

Your other option is to manually write a u32 match rule for iptables which manually picks out a few common FTP commands like USER/PASS/CWD/PWD/PASV/TYPE/LIST and jump them to the DROP chain. That's more or less what a Layer 7 firewall does, except the iptables u32 extension is probably pretty inefficient at it.
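The u32 approach from the post above, worked through as an added example (not code from the thread or from any of its posters): it builds one iptables rule per FTP command that matches the first bytes of the TCP payload regardless of destination port. It assumes a Linux firewall where LAN-to-Internet traffic traverses the FORWARD chain; the chain name, the command list and the function names are all assumptions.

```shell
#!/bin/sh
# Added example: drop outbound FTP control commands on any TCP port with the
# iptables u32 match. FORWARD chain and command list are assumptions.
set -eu

# FTP commands to look for at the start of a client-to-server TCP payload.
FTP_CMDS="USER PASS PASV TYPE LIST RETR STOR CWD PWD"

# u32 prefix that skips the IP header (IHL*4) and the TCP header (data offset*4)
# so that offset 0 refers to the first byte of the TCP payload.
U32_PAYLOAD='0>>22&0x3C@12>>26&0x3C@'

# Print the 32-bit hex value of a command, padded to 4 bytes with 0x00.
ftp_cmd_hex() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n' | tr 'a-f' 'A-F' |
        awk '{ printf "%s%s\n", $0, substr("00000000", 1, 8 - length($0)) }'
}

# Print the mask that ignores the padding byte of a 3-letter command (CWD, PWD).
ftp_cmd_mask() {
    case ${#1} in
        4) printf 'FFFFFFFF\n' ;;
        3) printf 'FFFFFF00\n' ;;
        *) echo "unsupported command length: $1" >&2; return 1 ;;
    esac
}

# Build the u32 expression for one command, e.g. USER ->
# 0>>22&0x3C@12>>26&0x3C@0&0xFFFFFFFF=0x55534552
ftp_u32_expr() {
    printf '%s0&0x%s=0x%s\n' "$U32_PAYLOAD" "$(ftp_cmd_mask "$1")" "$(ftp_cmd_hex "$1")"
}

# Print the iptables rule that drops a forwarded packet carrying this command.
ftp_block_rule() {
    printf 'iptables -I FORWARD -p tcp -m u32 --u32 "%s" -j DROP\n' "$(ftp_u32_expr "$1")"
}

# Print every rule; run the script with "apply" as $1 (as root) to install them.
ftp_block_all() {
    for cmd in $FTP_CMDS; do
        rule=$(ftp_block_rule "$cmd")
        if [ "${1:-}" = apply ]; then eval "$rule"; else echo "$rule"; fi
    done
}

ftp_block_all "${1:-}"
```

This only sees plaintext commands at the start of a segment, so FTPS, SFTP and fragmented or split writes pass through, and USER/PASS also open a POP3 login, so check the rules against your own traffic (iptables -L FORWARD -v) before relying on them.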

Bryan.Bailey
Posts: 45
Joined: 2014/02/07 14:37:21
Location: Richmond, VA

Re: iptables Block OUTPUT ftp

Post by Bryan.Bailey » 2014/03/18 17:01:08

Thanks, Super Jamie. Your explanation clearly answers my question.
