[ubuntu] Disable Internet access to a user & enable remote access to the machine for the user
santhoshsd
October 11th, 2008, 10:03 AM
Hello,
I have a system in which I have installed NXServer.
I want a user to access the system remotely, but the user should not be able to access/browse the Internet from the system.
I tried with
httpd: user@localhost.com in /etc/hosts.deny
and
sshd: user@localhost.com in /etc/hosts.allow
but it did not work.
Then I tried with
sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m owner --uid-owner tuser01 -j DROP
which disables the internet for the user but also disables the remote login?
cdenley
October 13th, 2008, 09:08 AM
sudo iptables -A OUTPUT -p tcp -m owner --uid-owner tuser01 -j DROP
This seems to work for me for ssh. Are you able to get a shell? Did you try removing the denyhosts configuration you made? Does it work if you remove the iptables rules?
kevdog
October 13th, 2008, 09:19 AM
Sounds like you want to set the user up with limited access -- like jailing the user to a specific set of directories.
santhoshsd
October 13th, 2008, 09:20 AM
Hello,
I removed the hosts.deny and hosts.allow configuration.
and then flushed iptables
sudo iptables -F
ssh is working now
now I executed the command
sudo iptables -A OUTPUT -p tcp -m owner --uid-owner tuser01 -j DROP
this stops all tcp traffic for me
and turns ssh also down.
cdenley
October 13th, 2008, 09:47 AM
> Hello,
> I removed the hosts.deny and hosts.allow configuration.
> and then flushed iptables
> sudo iptables -F
> ssh is working now
> now I executed the command
> sudo iptables -A OUTPUT -p tcp -m owner --uid-owner tuser01 -j DROP
> this stops all tcp traffic for me
> and turns ssh also down.
I'm not sure why it works for me but not you, but you could try
sudo iptables -I OUTPUT -m state --state ESTABLISHED -j ACCEPT
I suspected that the ssh process would run as the user connecting, then the outgoing traffic from the ssh connection would be dropped, but when I tested it, this wasn't the case for me (even though the process is owned by the connecting user).
kevdog
October 13th, 2008, 09:49 AM
The reason that your statement is blocking you is that any packet originating from owner UID tuser01 is going to be blocked -- that is, all ports.
You unfortunately can not block by application, since the application is not contained in the tcp/ip stack. You could, however, fine tune your blocking parameter to block specific ports and allow others. For example, if you added above your previous statement something like
sudo iptables -A OUTPUT -p tcp --dport 22 -m owner --uid-owner tuser01 -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m owner --uid-owner tuser01 -j DROP
Or you could just do
sudo iptables -A OUTPUT -p tcp ! --dport 22 -m owner --uid-owner tuser01 -j DROP
which would drop all packets except those destined for remote port 22.
Am I way off base?
kevdog
October 13th, 2008, 09:51 AM
I always applied state tracking rules like this:
sudo iptables -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
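As an added example (not code from this thread or from the posters), here is a small Python model of how an iptables OUTPUT chain evaluates the commands discussed above: rules are tried first-match in chain order, `-A` appends and `-I` inserts at the top, and the owner, state, `--dport`/`--sport` and `!` negation matches are modelled. Whether the kernel attributes sshd's reply packets to the logged-in uid is passed in per packet rather than assumed, because the two posters saw different behaviour. The packets and rule sets below are constructed; the `SERVICES` table stands in for /etc/services.

```python
"""Toy first-match model of an iptables OUTPUT chain (added example, not
from the thread).  Models only -p, --dport, --sport, !, -m owner
--uid-owner, -m state --state and -j; anything else raises."""

import shlex
from dataclasses import dataclass
from typing import Optional

SERVICES = {"ssh": 22, "http": 80}   # stand-in for /etc/services (--dport ssh)


@dataclass
class Rule:
    target: str = "ACCEPT"
    proto: Optional[str] = None
    dport: Optional[int] = None
    dport_neg: bool = False            # "! --dport N"
    sport: Optional[int] = None
    uid: Optional[str] = None          # -m owner --uid-owner
    states: frozenset = frozenset()    # -m state --state A,B


@dataclass
class Packet:
    proto: str
    sport: int
    dport: int
    uid: str      # the owner the kernel attributes this packet to (an input here)
    state: str    # conntrack state: NEW / ESTABLISHED / RELATED


def _port(tok):
    return SERVICES.get(tok) or int(tok)


def apply_command(chain, cmd):
    """Mutate `chain` (a list of Rule) as `sudo iptables -A|-I OUTPUT ...` would."""
    argv = shlex.split(cmd)
    if argv and argv[0] == "sudo":
        argv = argv[1:]
    if len(argv) < 3 or argv[0] != "iptables" or argv[2] != "OUTPUT":
        raise ValueError("only 'iptables -A|-I OUTPUT ...' is modelled")
    op, rule, neg, i = argv[1], Rule(), False, 3
    while i < len(argv):
        a = argv[i]
        if a == "!":                       # negation applies to the next match option
            neg, i = True, i + 1
            continue
        if a == "-p":
            rule.proto = argv[i + 1]
        elif a == "--dport":
            rule.dport, rule.dport_neg = _port(argv[i + 1]), neg
        elif a == "--sport":
            rule.sport = _port(argv[i + 1])
        elif a == "-m":
            pass                           # module name (owner/state); its options follow
        elif a == "--uid-owner":
            rule.uid = argv[i + 1]
        elif a == "--state":
            rule.states = frozenset(argv[i + 1].split(","))
        elif a == "-j":
            rule.target = argv[i + 1]
        else:
            raise ValueError(f"unsupported option {a}")
        neg, i = False, i + 2
    if op == "-A":
        chain.append(rule)                 # append: evaluated after existing rules
    elif op == "-I":
        chain.insert(0, rule)              # insert: evaluated before existing rules
    else:
        raise ValueError(f"unsupported operation {op}")
    return chain


def matches(r, p):
    if r.proto and r.proto != p.proto:
        return False
    if r.dport is not None and (p.dport == r.dport) == r.dport_neg:
        return False
    if r.sport is not None and p.sport != r.sport:
        return False
    if r.uid and r.uid != p.uid:
        return False
    if r.states and p.state not in r.states:
        return False
    return True


def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule decides; the chain policy applies if none matches."""
    for r in chain:
        if matches(r, pkt):
            return r.target
    return policy


def build(cmds):
    chain = []
    for c in cmds:
        apply_command(chain, c)
    return chain


# Constructed traffic.  An inbound ssh session is answered by sshd with
# source port 22 and the client's port as destination, so --dport 22 never
# sees it; only --sport 22 or the ESTABLISHED state does.
USER = "tuser01"
SSH_REPLY = Packet("tcp", 22, 51234, USER, "ESTABLISHED")   # reply attributed to the user
ROOT_REPLY = Packet("tcp", 22, 51234, "root", "ESTABLISHED")  # reply attributed to root
OUTBOUND_SSH = Packet("tcp", 40001, 22, USER, "NEW")         # user ssh-ing out to another host
WEB_GET = Packet("tcp", 40000, 80, USER, "NEW")              # user browsing from the shell

DROP_ONLY = ["sudo iptables -A OUTPUT -p tcp -m owner --uid-owner tuser01 -j DROP"]
DPORT_22_FIRST = ["sudo iptables -A OUTPUT -p tcp --dport 22 -m owner --uid-owner tuser01 -j ACCEPT"] + DROP_ONLY
NOT_DPORT_22 = ["sudo iptables -A OUTPUT -p tcp ! --dport 22 -m owner --uid-owner tuser01 -j DROP"]
ESTABLISHED_INSERTED = DROP_ONLY + ["sudo iptables -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]

if __name__ == "__main__":
    for name, cmds in [("DROP_ONLY", DROP_ONLY), ("DPORT_22_FIRST", DPORT_22_FIRST),
                       ("NOT_DPORT_22", NOT_DPORT_22), ("ESTABLISHED_INSERTED", ESTABLISHED_INSERTED)]:
        chain = build(cmds)
        print(name, {p: verdict(chain, pkt) for p, pkt in
                     [("ssh_reply", SSH_REPLY), ("root_reply", ROOT_REPLY),
                      ("outbound_ssh", OUTBOUND_SSH), ("web_get", WEB_GET)]})
```

Run it and the table shows the point of the thread: with only the DROP rule, or with the `--dport 22` ACCEPT in front of it, the user's own ssh session replies are dropped whenever the kernel attributes them to the uid (they carry destination port 51234, not 22), while the web request is dropped in every ruleset; the `-I ... ESTABLISHED,RELATED` rule lands at the top of the chain and lets the already-established session through without opening anything new.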