Question

0

iptables: trying to block network access for all but specified users

rated 0 times [ 0] [ 0] / answers: 1 / hits: 1686 / 3 Years ago, wed, october 20, 2021, 4:14:58

I am an iptables novice, and I want to block network access for all users except "user" and root. I set up iptables as follows:

$ sudo iptables -L OUTPUT

target     prot opt source               destination

ACCEPT     all  --  anywhere             anywhere             owner UID match user

ACCEPT     all  --  anywhere             anywhere             owner UID match root

ACCEPT     all  --  anywhere             anywhere             owner socket exists

REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

I then logged in as "other" and did the following (using one of Google's IP addresses):

$ whoami

other

$ wget http://172.217.19.36

--2020-06-25 18:43:16--  http://172.217.19.36/

Connecting to 172.217.19.36:80... connected.

HTTP request sent, awaiting response... 301 Moved Permanently

Location: http://www.google.com/ [following]

--2020-06-25 18:43:16--  http://www.google.com/

Resolving www.google.com (www.google.com)... failed: Name or service not known.

wget: unable to resolve host address 'www.google.com'

In other words, iptables let a user who is not "user" or root access Google using wget.

What am I doing wrong?

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

theurn

Add To Favorites

Follow

Total Points: 30

Total Questions: 110

Total Answers: 111

Location: Bahrain

Member since Fri, Sep 16, 2022

2 Years ago

theurn questions

1 How to change a folder's permissions and owners?

Tue, Apr 5, 22, 14:18, 2 Years ago

1 Cant mount Window's partition on bootable ubuntu 20.04

Mon, Feb 14, 22, 16:29, 2 Years ago

1 select positional argument in xargs

Sat, Apr 8, 23, 05:26, 1 Year ago

1 Refresh rate not working on login screen

Tue, Jan 10, 23, 23:59, 1 Year ago

1 Chromium does not start after update on 20.04

Fri, Apr 8, 22, 01:36, 2 Years ago

View All

answered 3 Years ago restlerfin · Accepted Answer

Based on EchoMike444's helpful advice, I now have the following ruleset:

iptables -A OUTPUT -m owner --uid-owner user -j ACCEPT

iptables -A OUTPUT -m owner --uid-owner root -j ACCEPT

iptables -A OUTPUT -m owner --uid-owner systemd-resolve -j ACCEPT

iptables -A OUTPUT -o lo -p icmp -j ACCEPT

iptables -A OUTPUT -j REJECT

This seems to do the trick: I can still access the outside world, other users can't, but ICMP rejection messages from rule 5 are still allowed to get through thanks to rule 4.