Comments on: Block Outgoing Network Access For a Single User Using Iptables http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html This is a Linux sys admin journal by Vivek about sys admin work, Linux tips & tricks, hacks, news and more. Fri, 10 Feb 2012 20:37:43 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Alexhttp://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html#comment-154001 Alex Sun, 28 Feb 2010 21:37:31 +0000 http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html#comment-154001 David Baron, check your kernel Networking support -> Networking options -> Network packet filtering framework (Netfilter) -> Core Netfilter Configuration -> "owner" match support David Baron, check your kernel
Networking support ->
Networking options ->
Network packet filtering framework (Netfilter) ->
Core Netfilter Configuration ->
“owner” match support

]]> By: David Baronhttp://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html#comment-151313 David Baron Wed, 28 Oct 2009 20:45:05 +0000 http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html#comment-151313 Just what the doctor ordered, but ~$ sudo iptables -A OUTPUT -o eth0 -m owner --uid-owner esti -j DROP iptables: No chain/target/match by that name. But there is: sudo iptables -S | grep OUTPUT -P OUTPUT DROP -A OUTPUT -o lo -j ACCEPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT -A OUTPUT -j s1 I would probably want the -I option but it needs to recognize the chain! Once it is accepted by iptables, where do I do it: rc.local? ifup (where guarddog configures its iptables rules)? Just what the doctor ordered, but
~$ sudo iptables -A OUTPUT -o eth0 -m owner –uid-owner esti -j DROP
iptables: No chain/target/match by that name.

But there is:
sudo iptables -S | grep OUTPUT
-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp –icmp-type 3 -j ACCEPT
-A OUTPUT -p icmp -m icmp –icmp-type 11 -j ACCEPT
-A OUTPUT -p icmp -m icmp –icmp-type 12 -j ACCEPT
-A OUTPUT -j s1

I would probably want the -I option but it needs to recognize the chain!

Once it is accepted by iptables, where do I do it: rc.local? ifup (where guarddog configures its iptables rules)?

]]> By: Vivek Gitehttp://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html#comment-146494 Vivek Gite Tue, 30 Dec 2008 12:27:05 +0000 http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html#comment-146494 Use following syntax to delete rule: <pre>iptables --delete chain rule-specification</pre> Use following syntax to delete rule:

iptables  --delete chain rule-specification
]]> By: sathyashankarhttp://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html#comment-146493 sathyashankar Tue, 30 Dec 2008 12:04:41 +0000 http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html#comment-146493 How do I unblock outgoing network access to a user later point in time? is there a command that would remove the earlier added rule? How do I unblock outgoing network access to a user later point in time?
is there a command that would remove the earlier added rule?

]]> By: MThttp://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html#comment-143934 MT Sat, 31 May 2008 14:38:59 +0000 http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html#comment-143934 correction: its iptables -A INPUT -m mac –-mac-source xx:xx:xx:xx:xx:xx -j DROP correction:

its

iptables -A INPUT -m mac –-mac-source xx:xx:xx:xx:xx:xx -j DROP

]]> By: MThttp://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html#comment-143933 MT Sat, 31 May 2008 14:09:12 +0000 http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html#comment-143933 Instead of blocking the IP you can block the mac address of that user's machine. Else if you allow a range, he might keep trying to change IPs to get access. iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP Note in windows, you will see mac address as Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx you will have to use : instead of - , while dropping mac address using iptables You can use ipscan, to find the mac from any windows machine http://www.hide-windows.com/Download/ipscan.exe for your entire lan, just scan the network. In linux, you might use ethereal and tcpdump to gather the mac address of any other IP, not sure. Instead of blocking the IP you can block the mac address of that user’s machine. Else if you allow a range, he might keep trying to change IPs to get access.

iptables -A INPUT -m mac –mac-source xx:xx:xx:xx:xx:xx -j DROP

Note in windows, you will see mac address as

Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx

you will have to use : instead of – , while dropping mac address using iptables

You can use ipscan, to find the mac from any windows machine http://www.hide-windows.com/Download/ipscan.exe for your entire lan, just scan the network.

In linux, you might use ethereal and tcpdump to gather the mac address of any other IP, not sure.

]]> By: Rajhttp://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html#comment-142331 Raj Wed, 02 Jan 2008 08:42:24 +0000 http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html#comment-142331 Ohmster, Use iptables drop target to drop unwanted IP/ You can also use GUI firewall tool such as Firestarter Linux Firewall or Webbased tool such as webmin. Ohmster,

Use iptables drop target to drop unwanted IP/ You can also use GUI firewall tool such as Firestarter Linux Firewall or Webbased tool such as webmin.

]]> By: Ohmsterhttp://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html#comment-142324 Ohmster Tue, 01 Jan 2008 23:00:20 +0000 http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html#comment-142324 This is a neat idea, but I use my Linux box as a router and would like to know how to deny and enable internet access for a single user on my network, the Linux box enables access by ip4v forwarding. I want to deny a particular LAN computer such as 192.168.0.2 and then be able to restore it again. Can you show us how to do that please? I really need this one and iptables is very complicated to try and figure out. Thanks. This is a neat idea, but I use my Linux box as a router and would like to know how to deny and enable internet access for a single user on my network, the Linux box enables access by ip4v forwarding. I want to deny a particular LAN computer such as 192.168.0.2 and then be able to restore it again. Can you show us how to do that please? I really need this one and iptables is very complicated to try and figure out. Thanks.

]]> By: jasonhttp://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html#comment-19525 jason Tue, 04 Apr 2006 22:16:00 +0000 http://www.cyberciti.biz/tips/block-outgoing-network-access-for-a-single-user-from-my-server-using-iptables.html#comment-19525 Ya very nice and useful. Just a quick note, if you are using RHEL firewall (GNOME Lokkit or system-config-securitylevel command), type following command shell promot: <B># iptables -I OUTPUT -o ethX -m owner --uid-owner oracle -j REJECT</B> And save firwall: <B># /etc/init.d/iptables save</B> Cheers, Jason. Ya very nice and useful. Just a quick note, if you are using RHEL firewall (GNOME Lokkit or system-config-securitylevel command), type following command shell promot:
# iptables -I OUTPUT -o ethX -m owner –uid-owner oracle -j REJECT
And save firwall:
# /etc/init.d/iptables save

Cheers,

Jason.

]]>