Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: SOLVED Looking for IPTables help

  1. #1
    Join Date
    Mar 2011
    Beans
    701

    SOLVED Looking for IPTables help

    I want to set up an iptables ruleset for a specific user to restrict outgoing messages.

    I think I need...

    iptables -A Output --uid-owner USERNAME -j Drop

    What else? I want to restrict the outgoing messages to by port and destination IP. Is this possible? Also, will -j Drop deny all? I want it to deny everything *except* what I'm allowing. Should I change Drop to Accept?
    Last edited by Hungry Man; June 27th, 2013 at 02:47 AM.

  2. #2
    Join Date
    Jan 2008
    Beans
    Hidden!
    Distro
    Kubuntu 13.04 Raring Ringtail

    Re: Looking for IPTables help

    iptables -A Output --uid-owner USERNAME -j Drop
    You have to specify the module too. Also chain names and targets are case-sensitive.

    This will block traffic generated by USERNAME:
    Code:
    iptables -A OUTPUT -m owner --uid-owner USERNAME -j DROP
    Restricting/Allowing traffic based on IP addresses or ports is possible. Check man page of iptables. Look for these options: --source --destination --sport --dport --protocol

    If you want to deny everything from a user except some allowed traffic, add the allow rules first, then the drop-all rule.
    For example, to allow HTTP and drop everything else from a user:
    Code:
    iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -A OUTPUT -m owner --uid-owner USERNAME -j DROP

  3. #3
    Join Date
    Mar 2011
    Beans
    701

    Re: Looking for IPTables help

    iptables -A OUTPUT -m owner --uid-owner USERNAME -p tcp ! --dport 53 -j DROP
    Would this work? Trying to do it in a single rule. This way it checks outgoing from uid owner USERNAME, and that it's TCP, and then if it's *not* port 53 it drops it?

    Using a '!' might make things more extensible in the future, which is why I'm trying to figure out how to do it with that.

    Or would it be:
    iptables -A OUTPUT -m owner --uid-owner USERNAME -p tcp --dport 53 -j ACCEPT
    iptables -A OUTPUT -m owner --uid-owner USERNAME -p tcp ! --dport 53 -j DROP
    Last edited by Hungry Man; June 26th, 2013 at 03:51 PM.

  4. #4
    Join Date
    Jan 2008
    Beans
    Hidden!
    Distro
    Kubuntu 13.04 Raring Ringtail

    Re: Looking for IPTables help

    iptables -A OUTPUT -m owner --uid-owner USERNAME -p tcp ! --dport 53 -j DROP
    Yes, this will work. But keep in mind that DNS (port 53) generally uses UDP as transport, not TCP.

    Using a '!' might make things more extensible in the future, which is why I'm trying to figure out how to do it with that.
    I don't think putting everything in one rule is the more extensible method. For example, in the future you might want to open some ports for both TCP and UDP. This cannot be achieved in a single rule since you can give only one -p flag.
    So the better option is to have a drop rule at the end. And all exceptions go above that as accept rules.
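The allow-first, drop-last layout from posts #2 and #4, written out as a small POSIX shell helper. This is an added example, not code from the thread: it generates the iptables commands for one user from a list of proto:port entries (with an optional @destination, which covers the "by port and destination IP" part of the original question) and emits the catch-all DROP last. The user name dnsproxy and the resolver address 192.0.2.53 are constructed placeholders. Nothing is applied; review the printed commands and feed them to sh as root when they look right.

```shell
#!/bin/sh
# Added example (not from the thread): generate a per-user egress allow-list in
# the order the thread recommends: one ACCEPT per allowed proto/port (and
# optional destination), then one DROP for everything else from that user.

# Print the iptables commands for USER ($1) and an allow-list given as
# "proto:port[@dest]" entries (remaining arguments). Output only; nothing is
# applied here.
user_egress_rules() {
    user="$1"; shift
    for entry in "$@"; do
        proto="${entry%%:*}"          # tcp or udp; one -p per rule, so TCP+UDP
        rest="${entry#*:}"            # for the same port means two entries
        port="${rest%%@*}"
        dest=""
        case "$rest" in
            *@*) dest=" -d ${rest#*@}" ;;   # optional destination restriction
        esac
        # -m owner must be loaded explicitly; chain and target names are
        # case-sensitive (OUTPUT / ACCEPT / DROP).
        printf 'iptables -A OUTPUT -m owner --uid-owner %s -p %s --dport %s%s -j ACCEPT\n' \
            "$user" "$proto" "$port" "$dest"
    done
    # The catch-all DROP goes last; anything not matched above is blocked.
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -j DROP\n' "$user"
}

# Number of rules produced: one per allow entry plus the final DROP.
user_egress_rule_count() {
    user_egress_rules "$@" | wc -l | tr -d ' '
}

# True when the last generated rule is the DROP, i.e. the ordering is right.
user_egress_last_is_drop() {
    user_egress_rules "$@" | tail -n 1 | grep -q -- '-j DROP$'
}

# Sample invocation (constructed): DNS over UDP and TCP to one resolver, plus
# HTTP anywhere, for a hypothetical user named dnsproxy.
user_egress_rules dnsproxy udp:53@192.0.2.53 tcp:53@192.0.2.53 tcp:80
```

Because the DROP is appended last, adding a new exception later is just another ACCEPT entry inserted above it, which is the extensibility point post #4 makes against packing everything into one negated rule.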

  5. #5
    Join Date
    Mar 2011
    Beans
    701

    Re: Looking for IPTables help

    Grrrr gimme a minute.

    I've got no idea. This doesn't seem to be working.

    Before I had GUFW set a disable all input rule, but I removed my GUFW rules before doing this. Now if I set GUFW back (after iptables -F) to deny incoming, I can't resolve webpages lol my DNS won't work.

    So I've got less working than when I started.
    Last edited by Hungry Man; June 26th, 2013 at 04:44 PM.

  6. #6
    Join Date
    Jan 2008
    Beans
    Hidden!
    Distro
    Kubuntu 13.04 Raring Ringtail

    Re: Looking for IPTables help

    What rules do you have? Post the output of
    Code:
    iptables -L -nv

  7. #7
    Join Date
    Mar 2011
    Beans
    701

    Re: Looking for IPTables help

    Code:
    Chain INPUT (policy ACCEPT 130K packets, 172M bytes)
    pkts bytes target prot opt in out source destination


    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination


    Chain OUTPUT (policy ACCEPT 68004 packets, 8634K bytes)
    pkts bytes target prot opt in out source destination


    Chain ufw-after-forward (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-after-input (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-after-logging-forward (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-after-logging-input (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-after-logging-output (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-after-output (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-before-forward (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-before-input (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-before-logging-forward (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-before-logging-input (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-before-logging-output (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-before-output (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-reject-forward (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-reject-input (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-reject-output (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-track-input (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-track-output (0 references)
    pkts bytes target prot opt in out source destination
    That's the current rules. I removed the ones posted in this topic, because I wasn't sure if they were going to screw things up. I just did iptables -F.

    I'm assuming when I did iptables -F I removed rules that came preinstalled, that allowed services to work, like dhclient and my DNS.
    Last edited by Hungry Man; June 26th, 2013 at 05:53 PM.

  8. #8
    Join Date
    Jan 2008
    Beans
    Hidden!
    Distro
    Kubuntu 13.04 Raring Ringtail

    Re: Looking for IPTables help

    There are no rules now. So DNS must be failing because of some other reason.

  9. #9
    Join Date
    Mar 2011
    Beans
    701

    Re: Looking for IPTables help

    Code:
    Chain INPUT (policy DROP)
    target prot opt source destination
    ufw-before-logging-input all -- anywhere anywhere
    ufw-before-input all -- anywhere anywhere
    ufw-after-input all -- anywhere anywhere
    ufw-after-logging-input all -- anywhere anywhere
    ufw-reject-input all -- anywhere anywhere
    ufw-track-input all -- anywhere anywhere


    Chain FORWARD (policy DROP)
    target prot opt source destination
    ufw-before-logging-forward all -- anywhere anywhere
    ufw-before-forward all -- anywhere anywhere
    ufw-after-forward all -- anywhere anywhere
    ufw-after-logging-forward all -- anywhere anywhere
    ufw-reject-forward all -- anywhere anywhere


    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ufw-before-logging-output all -- anywhere anywhere
    ufw-before-output all -- anywhere anywhere
    ufw-after-output all -- anywhere anywhere
    ufw-after-logging-output all -- anywhere anywhere
    ufw-reject-output all -- anywhere anywhere
    ufw-track-output all -- anywhere anywhere


    Chain ufw-after-forward (1 references)
    target prot opt source destination


    Chain ufw-after-input (1 references)
    target prot opt source destination
    ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
    ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
    ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
    ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
    ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
    ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
    ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST


    Chain ufw-after-logging-forward (1 references)
    target prot opt source destination


    Chain ufw-after-logging-input (1 references)
    target prot opt source destination


    Chain ufw-after-logging-output (1 references)
    target prot opt source destination


    Chain ufw-after-output (1 references)
    target prot opt source destination


    Chain ufw-before-forward (1 references)
    target prot opt source destination
    ufw-user-forward all -- anywhere anywhere


    Chain ufw-before-input (1 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ufw-logging-deny all -- anywhere anywhere state INVALID
    DROP all -- anywhere anywhere state INVALID
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp source-quench
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp parameter-problem
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
    ufw-not-local all -- anywhere anywhere
    ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
    ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
    ufw-user-input all -- anywhere anywhere


    Chain ufw-before-logging-forward (1 references)
    target prot opt source destination


    Chain ufw-before-logging-input (1 references)
    target prot opt source destination


    Chain ufw-before-logging-output (1 references)
    target prot opt source destination


    Chain ufw-before-output (1 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ufw-user-output all -- anywhere anywhere


    Chain ufw-logging-allow (0 references)
    target prot opt source destination


    Chain ufw-logging-deny (2 references)
    target prot opt source destination


    Chain ufw-not-local (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
    RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
    RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
    ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
    DROP all -- anywhere anywhere


    Chain ufw-reject-forward (1 references)
    target prot opt source destination


    Chain ufw-reject-input (1 references)
    target prot opt source destination


    Chain ufw-reject-output (1 references)
    target prot opt source destination


    Chain ufw-skip-to-policy-forward (0 references)
    target prot opt source destination
    DROP all -- anywhere anywhere


    Chain ufw-skip-to-policy-input (7 references)
    target prot opt source destination
    DROP all -- anywhere anywhere


    Chain ufw-skip-to-policy-output (0 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere


    Chain ufw-track-input (1 references)
    target prot opt source destination


    Chain ufw-track-output (1 references)
    target prot opt source destination
    ACCEPT tcp -- anywhere anywhere state NEW
    ACCEPT udp -- anywhere anywhere state NEW


    Chain ufw-user-forward (1 references)
    target prot opt source destination


    Chain ufw-user-input (1 references)
    target prot opt source destination


    Chain ufw-user-limit (0 references)
    target prot opt source destination
    REJECT all -- anywhere anywhere reject-with icmp-port-unreachable


    Chain ufw-user-limit-accept (0 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere


    Chain ufw-user-logging-forward (0 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere


    Chain ufw-user-logging-input (0 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere


    Chain ufw-user-logging-output (0 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere


    Chain ufw-user-output (1 references)
    target prot opt source destination
    I rebooted, used GUFW to filter input, and that's the ruleset now. DNS resolution works, but I still have no rules restricting the user account that I run my dns proxy in.

  10. #10
    Join Date
    Jan 2008
    Beans
    Hidden!
    Distro
    Kubuntu 13.04 Raring Ringtail

    Re: Looking for IPTables help

    Okay, I am not going through the list of rules generated by GUFW, since I take it you want to stop using it and write your own rules?

    Perhaps there were rules in some other tables earlier, which were causing issues.
    When removing GUFW rules, ensure you remove rules from all tables:
    Code:
    iptables -t filter -F
    iptables -t nat -F
    iptables -t mangle -F
    Now add only the allow-dns and drop-all rules in OUTPUT:
    Code:
    iptables -A OUTPUT -m owner --uid-owner USERNAME -p udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -m owner --uid-owner USERNAME -j DROP
    Now try to do a DNS lookup. Check what rules are getting hit (pkts column):
    Code:
    iptables -L -nv
    There should be hits on the dns-allow rule when dnsproxy sends out requests.
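The "check which rules are getting hit" step from this post, as an added example rather than anything from the thread. The shell helper below reads the pkts column of `iptables -L OUTPUT -nv` for the rules that carry the owner match of one UID and reports whether the ACCEPT rule is the one counting. The listing embedded in it is constructed sample output for a hypothetical uid 1001 (with -n, the owner match is printed as "owner UID match <uid>"); on a live box you would pipe the real listing in instead.

```shell
#!/bin/sh
# Added example (not from the thread): sum the packet counters of the OUTPUT
# rules that match one UID and classify the result.

# Constructed sample of `iptables -L OUTPUT -nv` after a lookup: the UDP/53
# allow rule for uid 1001 has fired, and a few other packets hit the DROP.
SAMPLE_LISTING='Chain OUTPUT (policy ACCEPT 120 packets, 9000 bytes)
 pkts bytes target     prot opt in     out     source               destination
   17  1100 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1001 udp dpt:53
    3   180 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1001'

# Sum the pkts column (field 1) of every rule on stdin whose target is $2 and
# whose owner match names uid $1 exactly (1001 must not match 10010).
uid_rule_hits() {
    awk -v uid="$1" -v target="$2" '
        $3 == target && $0 ~ ("owner UID match " uid "([^0-9]|$)") { sum += $1 }
        END { print sum + 0 }'
}

# Classify the listing on stdin for uid $1:
#   ok              the allow rule is seeing traffic
#   allow-unmatched only the DROP is counting, so the allow rule does not
#                   describe the real traffic (e.g. tcp in the rule while the
#                   resolver uses udp, as post #4 warned)
#   no-traffic      neither rule has fired yet
uid_egress_status() {
    listing=$(cat)
    accepted=$(printf '%s\n' "$listing" | uid_rule_hits "$1" ACCEPT)
    dropped=$(printf '%s\n' "$listing" | uid_rule_hits "$1" DROP)
    if [ "$accepted" -gt 0 ]; then
        echo ok
    elif [ "$dropped" -gt 0 ]; then
        echo allow-unmatched
    else
        echo no-traffic
    fi
}

# Live use (as root): zero the counters with `iptables -Z OUTPUT`, trigger one
# lookup from the restricted account, then:
#   iptables -L OUTPUT -nv | uid_egress_status "$(id -u USERNAME)"
printf '%s\n' "$SAMPLE_LISTING" | uid_egress_status 1001
```

Zeroing the counters first matters: the listing accumulates since the rules were loaded, so without `-Z` a stale hit on the DROP rule can be mistaken for a current problem.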
