
I'm posting from Japan. I'm not very good at English, so I'm sorry if I'm asking rude questions.

I'm using AWS EC2 to build a server.

I am familiar with using AWS SecurityGroup and NACL.

This time I also need to configure the Firewall for the Linux OS on my EC2 at the same time.

I am using SSM to connect to the EC2 instance.

I want to control the OUTPUT of the Linux OS Firewall. It looks like this (example):

Rule 1: *.*.*.*/* to port ** is allowed
Rule 2: *.*.*.*/* to port ** is allowed
Except for rules 1 and 2, all outputs are rejected.

The command [firewall-cmd --direct add-rule ipv4 filter OUTPUT ] is used.

I don't know about allowing return packets or the number of OUTPUTs either. Could anyone please help me?

I appreciate your help. Thank you.
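The policy described in the question (a short egress allow-list, everything else rejected, return packets still permitted) as an added example that is not part of the question or the answer. It emits firewalld direct rules for the ipv4 filter OUTPUT chain; the ESTABLISHED,RELATED rule is what lets replies to the inbound SSM/SSH session through, and the argument format "CIDR:PORT[/PROTO]" and the CIDR values in the test are my own constructed convention and samples.

```shell
#!/bin/sh
# Build the egress policy as firewalld direct rules on ipv4 filter OUTPUT.
# Each argument is "CIDR:PORT" or "CIDR:PORT/PROTO" (proto defaults to tcp).
# Lower priority numbers are evaluated first; the catch-all REJECT goes last.
egress_rules() {
    # Validate every entry before emitting anything, so a typo cannot leave a
    # half-applied policy behind.
    for entry in "$@"; do
        cidr=${entry%%:*}; rest=${entry#*:}; port=${rest%%/*}
        case "$cidr" in */*) ;; *) echo "bad entry '$entry': CIDR needs /prefix" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*) echo "bad entry '$entry': port must be numeric" >&2; return 1 ;; esac
        [ "$port" -le 65535 ] || { echo "bad entry '$entry': port out of range" >&2; return 1; }
    done
    # Loopback first, then return packets of connections conntrack already knows.
    # The conntrack rule keeps the inbound SSM/SSH session alive: its replies are
    # ESTABLISHED, so they never reach the final REJECT.
    echo "firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT"
    echo "firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    prio=1
    for entry in "$@"; do
        cidr=${entry%%:*}; rest=${entry#*:}; port=${rest%%/*}
        case "$rest" in */*) proto=${rest#*/} ;; *) proto=tcp ;; esac
        # One allow rule per "Rule N" from the question: new connections to CIDR:PORT.
        echo "firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT $prio -p $proto -d $cidr --dport $port -j ACCEPT"
        prio=$((prio + 1))
    done
    # Catch-all last. REJECT (rather than DROP) makes a blocked connect() fail
    # immediately, which is much easier to troubleshoot over a remote session.
    echo "firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 100 -j REJECT --reject-with icmp-admin-prohibited"
    echo "firewall-cmd --reload"
}

# Apply the generated policy on the instance (needs root and a running firewalld).
apply_egress_rules() {
    cmds=$(egress_rules "$@") || return 1
    printf '%s\n' "$cmds" | sh -e
}
```

Before applying this on an instance managed through SSM, make sure the SSM agent's own outbound HTTPS (port 443 to the SSM endpoints) and DNS are on the allow-list, since those are new connections the agent opens and the conntrack rule alone will not cover them.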

1 Answer


There are multiple ways of doing this in Linux:

  • I'm not familiar with firewalld, but according to this, it is done like this:

    # Enable and start the service:
    sudo systemctl enable --now firewalld
    firewall-cmd --permanent --zone=public --add-port=80/tcp
    firewall-cmd --permanent --zone=public --add-port=22/tcp
    ...
    # Reload the firewall:
    firewall-cmd --reload
    
  • You can also use Linux's integrated firewall, iptables, to achieve this:

    # Delete all previous rules and create a new chain:
    iptables -F
    iptables -N FIREWALL
    # Direct the INPUT and OUTPUT chains to FIREWALL:
    iptables -A OUTPUT -j FIREWALL
    iptables -A INPUT -j FIREWALL
    # Allow the DNS service:
    iptables -A FIREWALL -p udp --dport 53 -j ACCEPT
    iptables -A FIREWALL -p udp --sport 53 -j ACCEPT
    iptables -A FIREWALL -p tcp --dport 53 -j ACCEPT
    iptables -A FIREWALL -p tcp --sport 53 -j ACCEPT
    ...
    # Drop everything else:
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    

    What this does is accept every connection for DNS and drop everything else. You can do this for every service you want to allow; keep in mind you have to do this for every port and protocol a service uses.

    Keep in mind that iptables rules aren't permanent, so you'd need to store this in a script that runs on startup.

  • Instead of doing any of the above, you can use ufw, which is easier:

    sudo ufw default deny incoming
    sudo ufw allow ssh
    ...
    sudo ufw reload
    

    You just need to allow every service; there is no need to list ports and protocols. If you need to specify a port, you can do that too!

AxelElRojo