Linux – How to configure firewalld to block all outgoing traffic except for specific ports while allowing localhost to access any of its own local ports


I'll confess at the start that I'm asking this question only after finding the answer and wanting to share it with everyone else. If this is bad form, then my sincere apologies, and I'm open to suggestions on the right way to share this hard-won information. If this is a repeat, please do close it and point visitors to the original question.

So, how can I configure firewalld (in my case, using CentOS 7.6) to block all outgoing traffic except for specific ports while also allowing localhost to access any of its own local ports?

I started out with this:

    # First, allow outbound traffic for all allowed inbound traffic
    # (stateful match: replies to established connections are always accepted)
    firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow outbound ping, DNS (TCP and UDP), HTTP and HTTPS
    firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p icmp -m icmp --icmp-type echo-request -j ACCEPT
    firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 53 -j ACCEPT
    firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p udp --dport 53 -j ACCEPT
    firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT
    firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT

    # Block all other outbound traffic (priority 2, so it is evaluated after the allows above)
    firewall-cmd --direct --add-rule ipv4 filter OUTPUT 2 -j DROP

And this all worked fine for locking down a server from getting to anything but websites and DNS.

But any local services trying to get to other local services via localhost network communication were blocked. Worse still, even with firewalld configured to log dropped packets, outbound drops were not being logged.

Best Answer

The answer, which I found by some trial and error because searching for this exact (possibly odd) scenario on Google or elsewhere was fruitless:

    # Allow all outbound traffic from localhost to localhost
    firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -o lo -j ACCEPT
    

    This allows local services to communicate with any other local services (even if the IP assigned to the target service is something other than 127.0.0.1).
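The complete policy assembled from the question and the answer, as an added example that is not part of the original post: the `-o lo` ACCEPT sits at priority 1 so it is evaluated before the catch-all DROP, the rules are written with `--permanent` so they survive a reload, and an explicit LOG rule is inserted before the DROP because firewalld's own LogDenied setting does not cover direct-rule drops. The allowed port lists, the log prefix and the priority numbers 2/3 for LOG/DROP are assumptions.

```bash
#!/bin/bash
# Added example, not the original poster's script. Generates firewalld direct rules
# for a default-deny OUTPUT chain; ALLOWED_TCP, ALLOWED_UDP and LOG_PREFIX are assumed
# defaults and can be overridden from the environment.
set -eu

ALLOWED_TCP="${ALLOWED_TCP:-53 80 443}"   # assumed: DNS, HTTP, HTTPS
ALLOWED_UDP="${ALLOWED_UDP:-53}"          # assumed: DNS
LOG_PREFIX="${LOG_PREFIX:-OUTPUT-DROP:}"  # single token: no quoting needed when splitting

# Print one "<table> <chain> <priority> <iptables args>" rule per line, in priority order.
# 0: stateful return traffic, 1: explicit allows incl. loopback, 2: log, 3: drop.
outbound_rules() {
    local p
    echo "ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "ipv4 filter OUTPUT 1 -o lo -j ACCEPT"
    echo "ipv4 filter OUTPUT 1 -p icmp -m icmp --icmp-type echo-request -j ACCEPT"
    for p in $ALLOWED_TCP; do
        echo "ipv4 filter OUTPUT 1 -p tcp -m tcp --dport $p -j ACCEPT"
    done
    for p in $ALLOWED_UDP; do
        echo "ipv4 filter OUTPUT 1 -p udp --dport $p -j ACCEPT"
    done
    # Rate-limited LOG one priority level before the DROP, so outbound drops show up
    # in the kernel log (direct-rule DROPs are not logged by --set-log-denied).
    echo "ipv4 filter OUTPUT 2 -m limit --limit 5/min -j LOG --log-prefix $LOG_PREFIX"
    echo "ipv4 filter OUTPUT 3 -j DROP"
}

# Write every rule to the permanent configuration, then reload once to activate them.
apply_rules() {
    local rule
    outbound_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting is intended: each rule is argv
        firewall-cmd --permanent --direct --add-rule $rule
    done
    firewall-cmd --reload
}

# Sanity check: the loopback ACCEPT must be ordered before the DROP.
lo_before_drop() {
    local lo drop
    lo=$(outbound_rules | grep -n -- '-o lo' | cut -d: -f1)
    drop=$(outbound_rules | grep -n -- '-j DROP' | cut -d: -f1)
    [ "$lo" -lt "$drop" ]
}

if [ "${1:-}" = "--apply" ]; then apply_rules; else outbound_rules; fi
```

Run without arguments to review the generated rules; run with `--apply` as root to install them.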