answers: 1 / hits: 1686
asked Wed, October 20, 2021, 4:14:58
I am an iptables novice, and I want to block network access for all users except "user" and root. I set up iptables as follows:
$ sudo iptables -L OUTPUT
target prot opt source destination
ACCEPT all -- anywhere anywhere owner UID match user
ACCEPT all -- anywhere anywhere owner UID match root
ACCEPT all -- anywhere anywhere owner socket exists
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
I then logged in as "other" and did the following (using one of Google's IP addresses):
$ whoami
other
$ wget http://172.217.19.36
--2020-06-25 18:43:16-- http://172.217.19.36/
Connecting to 172.217.19.36:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.google.com/ [following]
--2020-06-25 18:43:16-- http://www.google.com/
Resolving www.google.com (www.google.com)... failed: Name or service not known.
wget: unable to resolve host address 'www.google.com'
In other words, iptables let a user who is not "user" or root access Google using wget.
What am I doing wrong?
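The behaviour shown above follows from two things: iptables evaluates a chain top to bottom and stops at the first matching rule with a terminating target, and the `owner --socket-exists` match is true for every locally generated packet (any outgoing packet from a process has a socket behind it). So the third ACCEPT rule matches traffic from "other" before the final REJECT is ever reached. The following is an added illustration, not code from the original post: a small first-match model of the OUTPUT chain that reproduces the listing above and compares it with a chain that has the `socket exists` rule removed. The UIDs for "user" and "other" are constructed values, the chain's default policy is assumed to be ACCEPT, and the model ignores everything that is not relevant here (protocol, addresses, connection tracking).

```python
"""First-match walk of an iptables OUTPUT chain (constructed model, added example).

Each rule is a (match predicate, target) pair. walk_chain() returns the target of
the first rule that matches, or the chain policy if none does, which is exactly
how iptables decides the fate of a locally generated packet.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed UIDs for the accounts in the question; real values would come from /etc/passwd.
UID_ROOT = 0
UID_USER = 1000
UID_OTHER = 1001


@dataclass
class Packet:
    uid: int                 # UID owning the sending socket
    has_socket: bool = True  # every locally generated packet has an associated socket


Rule = Tuple[Callable[[Packet], bool], str]


def walk_chain(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """Return the verdict for pkt: target of the first matching rule, else the policy."""
    for match, target in chain:
        if match(pkt):
            return target
    return policy


def first_matching_rule(chain: List[Rule], pkt: Packet) -> Optional[int]:
    """1-based index of the rule that decided pkt, or None if the policy applied."""
    for idx, (match, _target) in enumerate(chain, start=1):
        if match(pkt):
            return idx
    return None


def chain_from_question() -> List[Rule]:
    """The OUTPUT chain as listed in the question (iptables -L OUTPUT)."""
    return [
        (lambda p: p.uid == UID_USER, "ACCEPT"),   # -m owner --uid-owner user -j ACCEPT
        (lambda p: p.uid == UID_ROOT, "ACCEPT"),   # -m owner --uid-owner root -j ACCEPT
        (lambda p: p.has_socket, "ACCEPT"),        # -m owner --socket-exists -j ACCEPT
        (lambda p: True, "REJECT"),                # -j REJECT --reject-with icmp-port-unreachable
    ]


def chain_hardened() -> List[Rule]:
    """Same chain with the --socket-exists rule removed, so REJECT is reachable."""
    return [
        (lambda p: p.uid == UID_USER, "ACCEPT"),
        (lambda p: p.uid == UID_ROOT, "ACCEPT"),
        (lambda p: True, "REJECT"),
    ]


def verdicts(chain: List[Rule]) -> dict:
    """Verdict per account for a chain, keyed by account name."""
    accounts = {"user": UID_USER, "root": UID_ROOT, "other": UID_OTHER}
    return {name: walk_chain(chain, Packet(uid)) for name, uid in accounts.items()}


if __name__ == "__main__":
    for label, chain in (("as listed", chain_from_question()), ("hardened", chain_hardened())):
        print(label, verdicts(chain))
        print("  rule that decided 'other':", first_matching_rule(chain, Packet(UID_OTHER)))
```

With the chain as listed, every account gets ACCEPT and "other" is decided by rule 3, the `socket exists` rule; with that rule removed, "other" falls through to REJECT while "user" and root are still accepted, which is the intent described in the question.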