Block Outgoing Network Access For a Single User Using Iptables

by on April 4, 2006 · 9 comments· LAST UPDATED February 7, 2010

in

Iptables has a special module called owner (ipt_owner), which is attempts to match various characteristics of the packet creator, for locally generated packets. It is valid in the OUTPUT and POSTROUTING chains.

This is quite useful if you like to block a user within your Linux server to have network access then you can use owner module to match user and block all outgoing traffic for that user. For example, user oracle can connect to oracle database server (using ssh) but not allowed to all outgoing traffic. On other hand user, admin should allow to connect outside network to download updates from RHN or Oracle site. This is nifty module and I use extensively to restrict outgoing access to certain users.

Syntax:

iptables -A OUTPUT -o ethX -m owner --uid-owner {USERNAME} -j DROP

OR

iptables -A OUTPUT -o ethX -m owner --uid-owner {USERNAME} -j REJECT

OR

iptables -A OUTPUT -o ethX -m owner --uid-owner {USERNAME} -j REJECT

OR

iptables -A OUTPUT -o ethX -m owner --uid-owner {USERNAME} -j ACCEPT

Where,

  • --uid-owner { USERNAME } : Matches if the packet was created by a process with the given effective USERNAME.
  • -A : Append rule to given table/chain
  • -I : Insert rule to head of table/chain

For example, my oracle user id is 1000 so I will append following rule:

/sbin/iptables -A OUTPUT -o eth0 -m owner --uid-owner 1000 -j DROP
service iptables save

Example: Block Apache User Making Outgoing Connections

Use the following iptables based configuration to block all outgoing connections made by Apache user. This blocks hackers downloading code into your server using wget or any other tools:

iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# create a new chain
iptables --new-chain chk_apache_user
 
# use new chain to process packets generated by apache
iptables -A OUTPUT -m owner --uid-owner apache -j chk_apache_user
 
# Allow 143 (IMAP) and 25 so that webmail works :)
iptables -A chk_apache_user -p tcp --syn -d 127.0.0.1 --dport 143 -j RETURN
iptables -A chk_apache_user -p tcp --syn -d 127.0.0.1 --dport 25  -j RETURN
 
# reject everything else and stop hackers downloading code into our server
iptables -A chk_apache_user -j REJECT
 

Add/modify above code to your existing firewall script. This module also support following options:

  • --gid-owner {groupid}: Matches if the packet was created by a process with the given effective group id.
  • --pid-owner {processed}: Matches if the packet was created by a process with the given process id.
  • --sid-owner {sessionid}: Matches if the packet was created by a process in the given session group.
  • --cmd-owner {name} : Matches if the packet was created by a process with the given command name.

Please note that that some packets (such as ICMP ping responses) may have no owner (or suid based program), and hence never match. Also for some options, you may need to recompile kernel. On Red Hat Enterprise Linux and Debian default kernel has support for owner module.

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!
1 jason April 4, 2006 at 10:16 pm

Ya very nice and useful. Just a quick note, if you are using RHEL firewall (GNOME Lokkit or system-config-securitylevel command), type following command shell promot:
# iptables -I OUTPUT -o ethX -m owner –uid-owner oracle -j REJECT
And save firwall:
# /etc/init.d/iptables save

Cheers,

Jason.

2 Ohmster January 1, 2008 at 11:00 pm

This is a neat idea, but I use my Linux box as a router and would like to know how to deny and enable internet access for a single user on my network, the Linux box enables access by ip4v forwarding. I want to deny a particular LAN computer such as 192.168.0.2 and then be able to restore it again. Can you show us how to do that please? I really need this one and iptables is very complicated to try and figure out. Thanks.

3 Raj January 2, 2008 at 8:42 am

Ohmster,

Use iptables drop target to drop unwanted IP/ You can also use GUI firewall tool such as Firestarter Linux Firewall or Webbased tool such as webmin.

4 MT May 31, 2008 at 2:09 pm

Instead of blocking the IP you can block the mac address of that user’s machine. Else if you allow a range, he might keep trying to change IPs to get access.

iptables -A INPUT -m mac –mac-source xx:xx:xx:xx:xx:xx -j DROP

Note in windows, you will see mac address as

Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx

you will have to use : instead of – , while dropping mac address using iptables

You can use ipscan, to find the mac from any windows machine http://www.hide-windows.com/Download/ipscan.exe for your entire lan, just scan the network.

In linux, you might use ethereal and tcpdump to gather the mac address of any other IP, not sure.

5 MT May 31, 2008 at 2:38 pm

correction:

its

iptables -A INPUT -m mac –-mac-source xx:xx:xx:xx:xx:xx -j DROP

6 sathyashankar December 30, 2008 at 12:04 pm

How do I unblock outgoing network access to a user later point in time?
is there a command that would remove the earlier added rule?

7 nixCraft December 30, 2008 at 12:27 pm

Use following syntax to delete rule:

iptables  --delete chain rule-specification

8 David Baron October 28, 2009 at 8:45 pm

Just what the doctor ordered, but
~$ sudo iptables -A OUTPUT -o eth0 -m owner –uid-owner esti -j DROP
iptables: No chain/target/match by that name.

But there is:
sudo iptables -S | grep OUTPUT
-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp –icmp-type 3 -j ACCEPT
-A OUTPUT -p icmp -m icmp –icmp-type 11 -j ACCEPT
-A OUTPUT -p icmp -m icmp –icmp-type 12 -j ACCEPT
-A OUTPUT -j s1

I would probably want the -I option but it needs to recognize the chain!

Once it is accepted by iptables, where do I do it: rc.local? ifup (where guarddog configures its iptables rules)?

9 Alex February 28, 2010 at 9:37 pm

David Baron, check your kernel
Networking support ->
Networking options ->
Network packet filtering framework (Netfilter) ->
Core Netfilter Configuration ->
“owner” match support

Comments on this FAQ are closed. If you'd like to continue the discussion on this topic, you can do so at our forum.

Tagged as: , , , , , , , , , , , , , , ,

Previous post:

Next post: