≡ Menu

Block Outgoing Network Access For a Single User Using Iptables

Iptables has a special module called owner (ipt_owner), which is attempts to match various characteristics of the packet creator, for locally generated packets. It is valid in the OUTPUT and POSTROUTING chains.

This is quite useful if you like to block a user within your Linux server to have network access then you can use owner module to match user and block all outgoing traffic for that user. For example, user oracle can connect to oracle database server (using ssh) but not allowed to all outgoing traffic. On other hand user, admin should allow to connect outside network to download updates from RHN or Oracle site. This is nifty module and I use extensively to restrict outgoing access to certain users.

Syntax:

iptables -A OUTPUT -o ethX -m owner --uid-owner {USERNAME} -j DROP

OR

iptables -A OUTPUT -o ethX -m owner --uid-owner {USERNAME} -j REJECT

OR

iptables -A OUTPUT -o ethX -m owner --uid-owner {USERNAME} -j REJECT

OR

iptables -A OUTPUT -o ethX -m owner --uid-owner {USERNAME} -j ACCEPT

Where,

  • --uid-owner { USERNAME } : Matches if the packet was created by a process with the given effective USERNAME.
  • -A : Append rule to given table/chain
  • -I : Insert rule to head of table/chain

For example, my oracle user id is 1000 so I will append following rule:

/sbin/iptables -A OUTPUT -o eth0 -m owner --uid-owner 1000 -j DROP
service iptables save

Example: Block Apache User Making Outgoing Connections

Use the following iptables based configuration to block all outgoing connections made by Apache user. This blocks hackers downloading code into your server using wget or any other tools:

iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# create a new chain
iptables --new-chain chk_apache_user
 
# use new chain to process packets generated by apache
iptables -A OUTPUT -m owner --uid-owner apache -j chk_apache_user
 
# Allow 143 (IMAP) and 25 so that webmail works :)
iptables -A chk_apache_user -p tcp --syn -d 127.0.0.1 --dport 143 -j RETURN
iptables -A chk_apache_user -p tcp --syn -d 127.0.0.1 --dport 25  -j RETURN
 
# reject everything else and stop hackers downloading code into our server
iptables -A chk_apache_user -j REJECT
 

Add/modify above code to your existing firewall script. This module also support following options:

  • --gid-owner {groupid}: Matches if the packet was created by a process with the given effective group id.
  • --pid-owner {processed}: Matches if the packet was created by a process with the given process id.
  • --sid-owner {sessionid}: Matches if the packet was created by a process in the given session group.
  • --cmd-owner {name} : Matches if the packet was created by a process with the given command name.

Please note that that some packets (such as ICMP ping responses) may have no owner (or suid based program), and hence never match. Also for some options, you may need to recompile kernel. On Red Hat Enterprise Linux and Debian default kernel has support for owner module.

Tweet itFacebook itGoogle+ itPDF itFound an error/typo on this page?

Comments on this entry are closed.

  • jason April 4, 2006, 10:16 pm

    Ya very nice and useful. Just a quick note, if you are using RHEL firewall (GNOME Lokkit or system-config-securitylevel command), type following command shell promot:
    # iptables -I OUTPUT -o ethX -m owner –uid-owner oracle -j REJECT
    And save firwall:
    # /etc/init.d/iptables save

    Cheers,

    Jason.

  • Ohmster January 1, 2008, 11:00 pm

    This is a neat idea, but I use my Linux box as a router and would like to know how to deny and enable internet access for a single user on my network, the Linux box enables access by ip4v forwarding. I want to deny a particular LAN computer such as 192.168.0.2 and then be able to restore it again. Can you show us how to do that please? I really need this one and iptables is very complicated to try and figure out. Thanks.

  • Raj January 2, 2008, 8:42 am

    Ohmster,

    Use iptables drop target to drop unwanted IP/ You can also use GUI firewall tool such as Firestarter Linux Firewall or Webbased tool such as webmin.

  • MT May 31, 2008, 2:09 pm

    Instead of blocking the IP you can block the mac address of that user’s machine. Else if you allow a range, he might keep trying to change IPs to get access.

    iptables -A INPUT -m mac –mac-source xx:xx:xx:xx:xx:xx -j DROP

    Note in windows, you will see mac address as

    Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx

    you will have to use : instead of – , while dropping mac address using iptables

    You can use ipscan, to find the mac from any windows machine http://www.hide-windows.com/Download/ipscan.exe for your entire lan, just scan the network.

    In linux, you might use ethereal and tcpdump to gather the mac address of any other IP, not sure.

  • MT May 31, 2008, 2:38 pm

    correction:

    its

    iptables -A INPUT -m mac –-mac-source xx:xx:xx:xx:xx:xx -j DROP

  • sathyashankar December 30, 2008, 12:04 pm

    How do I unblock outgoing network access to a user later point in time?
    is there a command that would remove the earlier added rule?

  • nixCraft December 30, 2008, 12:27 pm

    Use following syntax to delete rule:

    iptables  --delete chain rule-specification
  • David Baron October 28, 2009, 8:45 pm

    Just what the doctor ordered, but
    ~$ sudo iptables -A OUTPUT -o eth0 -m owner –uid-owner esti -j DROP
    iptables: No chain/target/match by that name.

    But there is:
    sudo iptables -S | grep OUTPUT
    -P OUTPUT DROP
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -p icmp -m icmp –icmp-type 3 -j ACCEPT
    -A OUTPUT -p icmp -m icmp –icmp-type 11 -j ACCEPT
    -A OUTPUT -p icmp -m icmp –icmp-type 12 -j ACCEPT
    -A OUTPUT -j s1

    I would probably want the -I option but it needs to recognize the chain!

    Once it is accepted by iptables, where do I do it: rc.local? ifup (where guarddog configures its iptables rules)?

  • Alex February 28, 2010, 9:37 pm

    David Baron, check your kernel
    Networking support ->
    Networking options ->
    Network packet filtering framework (Netfilter) ->
    Core Netfilter Configuration ->
    “owner” match support

  • Anthony October 1, 2014, 7:50 pm

    Hi,

    Great Write up. Is there a way to do the reverse of this?

    I would like to filter incoming traffic by user UID instead of filtering via IP and then make sure its applied only to eth0 and port 22.

  • markpat November 9, 2014, 5:22 pm

    Any way to enable –pid-owner or –cmd-owner on centos 6.6? Only have –uid-owner and –gid-owner enabled, but i need to filter by pid.