
Block outgoing network access for a single user from my server using iptables

Posted by Vivek Gite [Last updated: April 4, 2006]

Iptables has a special module called owner, which attempts to match various characteristics of the packet creator for locally generated packets. It is valid in the INPUT, OUTPUT and POSTROUTING chains; however, in the INPUT chain only TCP and UDP packets can be matched.

This is quite useful when you want to stop a particular user on your Linux server from having network access: the owner module matches packets by the user that generated them, so you can drop all outgoing traffic for that user. For example, user oracle can connect to the Oracle database server (using ssh) but is not allowed any other outgoing traffic, while user admin is allowed to connect to outside networks to download updates from RHN or the Oracle site. This is a nifty module and I use it extensively to restrict outgoing access for certain users.

Syntax:
iptables -A OUTPUT -o ethX -m owner --uid-owner {USERNAME} -j DROP
OR
iptables -A OUTPUT -o ethX -m owner --uid-owner {USERNAME} -j REJECT
OR
iptables -I OUTPUT -o ethX -m owner --uid-owner {USERNAME} -j REJECT

Where ethX is the outgoing network interface (for example eth0) and {USERNAME} is the login name or numeric user ID of the user to block.

For example, my oracle user ID is 1000, so I will append the following rule to my iptables script:

iptables -A OUTPUT -o eth0 -m owner --uid-owner 1000 -j DROP

This module also supports the following options:

Please note that some packets (such as ICMP ping responses) may have no owner (or may be sent by a setuid program running under another user ID), and hence never match. Also, for some options you may need to recompile the kernel. On Red Hat Enterprise Linux and Debian the default kernel has support for the owner module.
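The following script is an added example and is not code from the original post. It generates the rule set the article describes for one user, but puts the rules in a dedicated chain so that the exceptions (ssh to the database host, replies on existing connections) are always evaluated before the final DROP, whatever else is already in OUTPUT. The chain name, the UID 1000, the interface eth0 and the destination 10.0.0.5:22 are constructed for illustration; the OWNER_TARGET variable is this script's own convention, not an iptables option.

```shell
#!/bin/sh
# Added example, not code from the original post: build the iptables commands
# that confine one local user's outgoing traffic with the owner match. A
# dedicated chain holds the exceptions so they are always evaluated before the
# final DROP, regardless of what else is in OUTPUT. The chain name, the UID
# 1000 and the destination 10.0.0.5:22 are constructed for illustration.

# Usage: build_owner_rules UID IFACE [HOST:PORT ...]
# Prints one iptables command per line; review it, then pipe it to sh as root.
# OWNER_TARGET may be set to REJECT so the user's programs fail immediately
# instead of hanging until the connection times out (default: DROP).
build_owner_rules() {
    uid=$1; iface=$2; shift 2
    chain="usr_${uid}_out"
    target=${OWNER_TARGET:-DROP}

    # Create the per-user chain, or empty it when the script is re-run.
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    # Hook: every packet generated under this UID on this interface jumps to
    # the chain. The -D first removes a hook left behind by an earlier run.
    echo "iptables -D OUTPUT -o $iface -m owner --uid-owner $uid -j $chain 2>/dev/null"
    echo "iptables -A OUTPUT -o $iface -m owner --uid-owner $uid -j $chain"
    # Replies on connections that already exist (for example an inbound ssh
    # session, whose per-session sshd process runs under the user's UID) must
    # keep flowing, otherwise applying the rule cuts that session off.
    echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Explicitly permitted TCP destinations, e.g. ssh to the database host.
    for dest in "$@"; do
        host=${dest%:*}; port=${dest##*:}
        echo "iptables -A $chain -p tcp -d $host --dport $port -j ACCEPT"
    done
    # Everything else this user sends on the interface is dropped (or rejected).
    echo "iptables -A $chain -j $target"
}

# Stand-alone run: print the rule set for UID 1000 (the post's oracle user).
if [ "${1:-}" = "--demo" ]; then
    build_owner_rules 1000 eth0 10.0.0.5:22
fi
```

Find the UID with `id -u oracle` (the owner match also accepts the login name). The ESTABLISHED,RELATED rule is the part people usually forget: a user who is logged in over ssh generates the session's outgoing packets under their own UID, so a bare uid-owner DROP disconnects them the moment it is applied.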


Discussion on This Article:

  1. jason Says:

    Ya, very nice and useful. Just a quick note: if you are using the RHEL firewall (GNOME Lokkit or the system-config-securitylevel command), type the following command at the shell prompt:
    # iptables -I OUTPUT -o ethX -m owner --uid-owner oracle -j REJECT
    And save the firewall:
    # /etc/init.d/iptables save

    Cheers,

    Jason.

  2. Ohmster Says:

    This is a neat idea, but I use my Linux box as a router and would like to know how to deny and enable internet access for a single user on my network; the Linux box enables access by IPv4 forwarding. I want to deny a particular LAN computer such as 192.168.0.2 and then be able to restore it again. Can you show us how to do that please? I really need this one and iptables is very complicated to try and figure out. Thanks.

  3. Raj Says:

    Ohmster,

    Use the iptables DROP target to drop unwanted IPs. You can also use a GUI firewall tool such as Firestarter Linux Firewall or a web-based tool such as webmin.

  4. MT Says:

    Instead of blocking the IP you can block the MAC address of that user's machine. Otherwise, if you allow a range, he might keep changing IPs to get access.

    iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP

    Note: in Windows, you will see the MAC address as

    Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx

    You will have to use : instead of - when dropping the MAC address using iptables.

    You can use ipscan to find the MAC of any Windows machine (http://www.hide-windows.com/Download/ipscan.exe) for your entire LAN; just scan the network.

    In linux, you might use ethereal and tcpdump to gather the mac address of any other IP, not sure.

  5. MT Says:

    Correction:

    it's

    iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
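For the router case raised in the discussion (cutting off one LAN host and restoring it later), here is an added example that is not code from the post or from any of the commenters. It emits a FORWARD rule, since traffic routed through the box traverses FORWARD rather than INPUT, and accepts the host either as an IPv4 address or as a MAC address in Linux (aa:bb:...) or Windows ipconfig (AA-BB-...) form, converting the latter as the comment above describes. The interface eth1 and the addresses in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or its commenters: on a
# Linux box that routes for a LAN, emit the FORWARD rule that cuts off, or
# restores, one LAN host. The host may be given as an IPv4 address or as a MAC
# address in either Linux (aa:bb:...) or Windows ipconfig (AA-BB-...) form;
# matching on the MAC survives the host changing its IP. The interface eth1
# and the addresses in the demo are constructed for illustration.

# Usage: lan_host_rule block|unblock IP-OR-MAC LAN_IFACE
# Prints the iptables command; review it, then run it as root.
lan_host_rule() {
    action=$1; who=$2; lan_if=$3
    case $action in
        # Insert at the top of FORWARD so it takes precedence over any ACCEPT
        # already there and also catches packets of connections already open.
        block)   op=-I ;;
        # Deleting the identical rule restores the host's access.
        unblock) op=-D ;;
        *) echo "usage: lan_host_rule block|unblock IP-OR-MAC LAN_IFACE" >&2; return 2 ;;
    esac
    # Normalise a Windows-style MAC: uppercase hex digits and '-' separators
    # become the lowercase, colon-separated form iptables expects. An IPv4
    # address contains neither, so it passes through unchanged.
    who=$(printf '%s' "$who" | tr 'ABCDEF-' 'abcdef:')
    case $who in
        *:*) match="-m mac --mac-source $who" ;;
        *)   match="-s $who" ;;
    esac
    echo "iptables $op FORWARD -i $lan_if $match -j DROP"
}

# Stand-alone run: show the block and restore commands for two sample hosts.
if [ "${1:-}" = "--demo" ]; then
    lan_host_rule block 192.168.0.2 eth1
    lan_host_rule block 00-1A-2B-3C-4D-5E eth1
    lan_host_rule unblock 00-1A-2B-3C-4D-5E eth1
fi
```

`iptables -L FORWARD -n --line-numbers` shows where the rule landed. The MAC form only works for hosts on the directly attached LAN segment, because a packet arriving through another router carries that router's MAC, not the original sender's. A matching rule in INPUT, as in the comment above, protects the router itself rather than the hosts behind it.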


Copyright © 2004-2008 nixCraft. All rights reserved - TOS/Disclaimer - Privacy policy - Powered by Open source software.