Iptables has a special module called owner (ipt_owner), which is attempts to match various characteristics of the packet creator, for locally generated packets. It is valid in the OUTPUT and POSTROUTING chains.
This is quite useful if you like to block a user within your Linux server to have network access then you can use owner module to match user and block all outgoing traffic for that user. For example, user oracle can connect to oracle database server (using ssh) but not allowed to all outgoing traffic. On other hand user, admin should allow to connect outside network to download updates from RHN or Oracle site. This is nifty module and I use extensively to restrict outgoing access to certain users.
Syntax:
iptables -A OUTPUT -o ethX -m owner --uid-owner {USERNAME} -j DROPOR
iptables -A OUTPUT -o ethX -m owner --uid-owner {USERNAME} -j REJECTOR
iptables -A OUTPUT -o ethX -m owner --uid-owner {USERNAME} -j REJECTOR
iptables -A OUTPUT -o ethX -m owner --uid-owner {USERNAME} -j ACCEPTWhere,
- –uid-owner { USERNAME } : Matches if the packet was created by a process with the given effective USERNAME.
- -A : Append rule to given table/chain
- -I : Insert rule to head of table/chain
For example, my oracle user id is 1000 so I will append following rule:
/sbin/iptables -A OUTPUT -o eth0 -m owner --uid-owner 1000 -j DROP service iptables save
Example: Block Apache User Making Outgoing Connections
Use the following iptables based configuration to block all outgoing connections made by Apache user. This blocks hackers downloading code into your server using wget or any other tools:
iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # create a new chain iptables --new-chain chk_apache_user # use new chain to process packets generated by apache iptables -A OUTPUT -m owner --uid-owner apache -j chk_apache_user # Allow 143 (IMAP) and 25 so that webmail works :) iptables -A chk_apache_user -p tcp --syn -d 127.0.0.1 --dport 143 -j RETURN iptables -A chk_apache_user -p tcp --syn -d 127.0.0.1 --dport 25 -j RETURN # reject everything else and stop hackers downloading code into our server iptables -A chk_apache_user -j REJECT |
Add/modify above code to your existing firewall script. This module also support following options:
- –gid-owner {groupid}: Matches if the packet was created by a process with the given effective group id.
- –pid-owner {processed}: Matches if the packet was created by a process with the given process id.
- –sid-owner {sessionid}: Matches if the packet was created by a process in the given session group.
- –cmd-owner {name} : Matches if the packet was created by a process with the given command name.
Please note that that some packets (such as ICMP ping responses) may have no owner (or suid based program), and hence never match. Also for some options, you may need to recompile kernel. On Red Hat Enterprise Linux and Debian default kernel has support for owner module.
11 comment
Ya very nice and useful. Just a quick note, if you are using RHEL firewall (GNOME Lokkit or system-config-securitylevel command), type following command shell promot:
# iptables -I OUTPUT -o ethX -m owner –uid-owner oracle -j REJECT
And save firwall:
# /etc/init.d/iptables save
Cheers,
Jason.
This is a neat idea, but I use my Linux box as a router and would like to know how to deny and enable internet access for a single user on my network, the Linux box enables access by ip4v forwarding. I want to deny a particular LAN computer such as 192.168.0.2 and then be able to restore it again. Can you show us how to do that please? I really need this one and iptables is very complicated to try and figure out. Thanks.
Ohmster,
Use iptables drop target to drop unwanted IP/ You can also use GUI firewall tool such as Firestarter Linux Firewall or Webbased tool such as webmin.
Instead of blocking the IP you can block the mac address of that user’s machine. Else if you allow a range, he might keep trying to change IPs to get access.
iptables -A INPUT -m mac –mac-source xx:xx:xx:xx:xx:xx -j DROP
Note in windows, you will see mac address as
Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
you will have to use : instead of – , while dropping mac address using iptables
You can use ipscan, to find the mac from any windows machine http://www.hide-windows.com/Download/ipscan.exe for your entire lan, just scan the network.
In linux, you might use ethereal and tcpdump to gather the mac address of any other IP, not sure.
correction:
its
iptables -A INPUT -m mac –-mac-source xx:xx:xx:xx:xx:xx -j DROP
How do I unblock outgoing network access to a user later point in time?
is there a command that would remove the earlier added rule?
Use following syntax to delete rule:
Just what the doctor ordered, but
~$ sudo iptables -A OUTPUT -o eth0 -m owner –uid-owner esti -j DROP
iptables: No chain/target/match by that name.
But there is:
sudo iptables -S | grep OUTPUT
-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp –icmp-type 3 -j ACCEPT
-A OUTPUT -p icmp -m icmp –icmp-type 11 -j ACCEPT
-A OUTPUT -p icmp -m icmp –icmp-type 12 -j ACCEPT
-A OUTPUT -j s1
I would probably want the -I option but it needs to recognize the chain!
Once it is accepted by iptables, where do I do it: rc.local? ifup (where guarddog configures its iptables rules)?
David Baron, check your kernel
Networking support ->
Networking options ->
Network packet filtering framework (Netfilter) ->
Core Netfilter Configuration ->
“owner” match support
Hi,
Great Write up. Is there a way to do the reverse of this?
I would like to filter incoming traffic by user UID instead of filtering via IP and then make sure its applied only to eth0 and port 22.
Any way to enable –pid-owner or –cmd-owner on centos 6.6? Only have –uid-owner and –gid-owner enabled, but i need to filter by pid.