Tritonio

Block Outgoing Network Access For a Single User Using Iptables

Mar 17th, 2021
iptables has a special module called owner (ipt_owner), which attempts to match various characteristics of the packet creator, for locally generated packets. It is valid in the OUTPUT and POSTROUTING chains.

This is quite useful if you want to block a user on your Linux server from having network access: the owner module matches that user's packets, so you can block all outgoing traffic for that user. For example, the user oracle can connect to the Oracle database server (using ssh) but is not allowed any other outgoing traffic. On the other hand, the user admin should be allowed to connect to outside networks to download updates from RHN or the Oracle site. This is a nifty module and I use it extensively to restrict outgoing access for certain users.
Syntax:

iptables -A OUTPUT -o ethX -m owner --uid-owner {USERNAME} -j DROP

OR

iptables -A OUTPUT -o ethX -m owner --uid-owner {USERNAME} -j REJECT

OR

iptables -A OUTPUT -o ethX -m owner --uid-owner {USERNAME} -j ACCEPT

Where,

--uid-owner {USERNAME} : Matches if the packet was created by a process with the given effective USERNAME (or numeric user id).
-A : Append the rule to the end of the given table/chain
-I : Insert the rule at the head of the given table/chain

For example, my oracle user id is 1000, so I will append the following rule:

/sbin/iptables -A OUTPUT -o eth0 -m owner --uid-owner 1000 -j DROP
service iptables save

Example: Block Apache User Making Outgoing Connections

Use the following iptables based configuration to block all outgoing connections made by the Apache user. This stops attackers from downloading code onto your server using wget or any other tool:

iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# create a new chain
iptables --new-chain chk_apache_user

# use new chain to process packets generated by apache
iptables -A OUTPUT -m owner --uid-owner apache -j chk_apache_user

# Allow 143 (IMAP) and 25 so that webmail works :)
iptables -A chk_apache_user -p tcp --syn -d 127.0.0.1 --dport 143 -j RETURN
iptables -A chk_apache_user -p tcp --syn -d 127.0.0.1 --dport 25 -j RETURN

# reject everything else and stop hackers downloading code into our server
iptables -A chk_apache_user -j REJECT

Add/modify the above code in your existing firewall script. This module also supports the following options:

--gid-owner {groupid} : Matches if the packet was created by a process with the given effective group id.
--pid-owner {processid} : Matches if the packet was created by a process with the given process id.
--sid-owner {sessionid} : Matches if the packet was created by a process in the given session group.
--cmd-owner {name} : Matches if the packet was created by a process with the given command name.

Please note that some packets (such as ICMP ping responses) may have no owner (or may come from a suid-based program), and hence never match. Also, for some options you may need to recompile the kernel. On Red Hat Enterprise Linux and Debian the default kernel has support for the owner module.
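As an added example (not part of the original paste), the shell script below generalises the Apache rule set above into a reusable per-user egress policy: it resolves the user to a numeric UID, creates a dedicated chain that is entered only for that UID's packets, lets listed TCP destinations through, and rejects the rest. The function names resolve_uid and gen_user_egress_rules and the chain name egress_<uid> are assumptions made for this example. It prints the iptables commands instead of running them, so the rule set can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example, not from the original paste: build a per-user egress policy
# with the iptables owner match. Assumed names: resolve_uid,
# gen_user_egress_rules and the chain "egress_<uid>" are constructed here.
# Nothing in this file calls iptables; the commands are printed so they can
# be reviewed first and then piped into `sh` as root.

# Resolve a user name or numeric UID to a numeric UID. --uid-owner accepts
# both, but pinning the number keeps the rule stable if the account is renamed.
resolve_uid() {
    case "$1" in
        ''|*[!0-9]*) id -u "$1" ;;          # not purely numeric: look it up
        *)           printf '%s\n' "$1" ;;  # already numeric
    esac
}

# gen_user_egress_rules USER IFACE [HOST:PORT ...]
#   USER       user name or UID whose outgoing packets are restricted
#   IFACE      output interface, e.g. eth0
#   HOST:PORT  IPv4 TCP destinations the user may still open; all else is rejected
# Prints one iptables command per line, in the order they must be applied.
gen_user_egress_rules() {
    user=$1; iface=$2; shift 2
    uid=$(resolve_uid "$user") || return 1
    chain="egress_$uid"

    # Replies on connections that are already accepted pass before the owner
    # check, exactly as in the Apache example; without this, a daemon running
    # as this user could not answer its own clients.
    printf 'iptables -A OUTPUT -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$iface"

    # Dedicated chain, entered only for packets created by this UID.
    printf 'iptables -N %s\n' "$chain"
    printf 'iptables -A OUTPUT -o %s -m owner --uid-owner %s -j %s\n' "$iface" "$uid" "$chain"

    # Allowed destinations RETURN to OUTPUT so the rest of the policy still
    # applies; only the SYN is matched, later packets hit the state rule.
    for dest in "$@"; do
        host=${dest%:*}
        port=${dest##*:}
        printf 'iptables -A %s -p tcp --syn -d %s --dport %s -j RETURN\n' "$chain" "$host" "$port"
    done

    # Everything else from this user, including UDP (and therefore DNS) and
    # ICMP, is rejected.
    printf 'iptables -A %s -j REJECT\n' "$chain"
}

# The Apache case from above with a constructed UID of 1000, printed rather
# than applied. To apply for real, run as root:
#   gen_user_egress_rules apache eth0 127.0.0.1:143 127.0.0.1:25 | sh
gen_user_egress_rules 1000 eth0 127.0.0.1:143 127.0.0.1:25
```

Two things to keep in mind when applying the output: running it twice appends duplicate rules, so check with `iptables -C` (or flush the chain) before re-applying; and because only TCP SYNs to the listed destinations are allowed, the user loses UDP name resolution as well, which is usually the intended effect for a service account but surprises people testing with hostnames. The owner match only sees locally generated packets, so it says nothing about what the same person can do through another UID.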