Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: SOLVED Looking for IPTables help

  1. #1
    Join Date
    Mar 2011
    Beans
    680

    SOLVED Looking for IPTables help

    I want to set up an iptables ruleset for a specific user to restrict outgoing messages.

    I think I need...

    iptables -A Output --uid-owner USERNAME -j Drop

    What else? I want to restrict the outgoing messages to by port and destination IP. Is this possible? Also, will -j Drop deny all? I want it to deny everything *except* what I'm allowing. Should I change Drop to Accept?
    Last edited by Hungry Man; June 27th, 2013 at 02:47 AM.
    sig

  2. #2
    Join Date
    Jan 2008
    Beans
    Hidden!
    Distro
    Kubuntu 13.04 Raring Ringtail

    Re: Looking for IPTables help

    iptables -A Output --uid-owner USERNAME -j Drop
    You have to specify the module too. Also chain names and targets are case-sensitive.

    This will block traffic generated by USERNAME:
    Code:
    iptables -A OUTPUT -m owner --uid-owner USERNAME -j DROP
    Restricting/Allowing traffic based on IP addresses or ports is possible. Check man page of iptables. Look for these options: --source --destination --sport --dport --protocol

    If you want to deny everything from a user except some allowed traffic, add the allow rules first, then the drop-all rule.
    For example, to allow HTTP and drop everything else from a user:
    Code:
    iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -A OUTPUT -m owner --uid-owner USERNAME -j DROP

  3. #3
    Join Date
    Mar 2011
    Beans
    680

    Re: Looking for IPTables help

    iptables -A OUTPUT -m owner --uid-owner USERNAME -p tcp ! --dport 53 -j DROP
    Would this work? Trying to do it in a single rule. This way it checks outgoing from uid owner USERNAME, and that it's TCP, and then if it's *not* port 53 it drops it?

    Using a '!' might make things more extensible in the future, which is why I'm trying to figure out how to do it with that.

    Or would it be:
    iptables -A OUTPUT -m owner --uid-owner USERNAME -p tcp --dport 53 -j ACCEPT
    iptables -A OUTPUT -m owner --uid-owner USERNAME -p tcp ! --dport 53 -j DROP
    Last edited by Hungry Man; June 26th, 2013 at 03:51 PM.
    sig

  4. #4
    Join Date
    Jan 2008
    Beans
    Hidden!
    Distro
    Kubuntu 13.04 Raring Ringtail

    Re: Looking for IPTables help

    iptables -A OUTPUT -m owner --uid-owner USERNAME -p tcp ! --dport 53 -j DROP
    Yes, this will work. But keep in mind that DNS (port 53) generally uses UDP as transport, not TCP.

    Using a '!' might make things more extensible in the future, which is why I'm trying to figure out how to do it with that.
    I don't think putting everything in one rule is the more extensible method. For example in future you might want to open some ports for both TCP and UDP. This cannot be achieved in a single rule since you can give only one -p flag.
    So the better option is to have a drop rule at the end. And all exceptions go above that as accept rules.

  5. #5
    Join Date
    Mar 2011
    Beans
    680

    Re: Looking for IPTables help

    Grrrr gimme a minute.

    I've got no idea. This doesn't seem to be working.

    Before I had GUFW set a disable all input rule, but I removed my GUFW rules before doing this. Now if I set GUFW back (after iptables -F) to deny incoming, I can't resolve webpages lol my DNS won't work.

    So I've got less working than when I started.
    Last edited by Hungry Man; June 26th, 2013 at 04:44 PM.
    sig

  6. #6
    Join Date
    Jan 2008
    Beans
    Hidden!
    Distro
    Kubuntu 13.04 Raring Ringtail

    Re: Looking for IPTables help

    What rules are you having? Post the output of
    Code:
    iptables -L -nv

  7. #7
    Join Date
    Mar 2011
    Beans
    680

    Re: Looking for IPTables help

    Chain INPUT (policy ACCEPT 130K packets, 172M bytes) pkts bytes target prot opt in out source destination


    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination


    Chain OUTPUT (policy ACCEPT 68004 packets, 8634K bytes)
    pkts bytes target prot opt in out source destination


    Chain ufw-after-forward (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-after-input (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-after-logging-forward (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-after-logging-input (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-after-logging-output (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-after-output (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-before-forward (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-before-input (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-before-logging-forward (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-before-logging-input (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-before-logging-output (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-before-output (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-reject-forward (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-reject-input (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-reject-output (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-track-input (0 references)
    pkts bytes target prot opt in out source destination


    Chain ufw-track-output (0 references)
    pkts bytes target prot opt in out source destination
    That's the current rules. I removed the ones posted in this topic, because I wasn't sure if they were going to screw things up. I just did iptables -F.

    I'm assuming when I did iptables -F I removed rules that came preinstalled, that allowed services to work, like dhclient and my DNS.
    Last edited by Hungry Man; June 26th, 2013 at 05:53 PM.
    sig

  8. #8
    Join Date
    Jan 2008
    Beans
    Hidden!
    Distro
    Kubuntu 13.04 Raring Ringtail

    Re: Looking for IPTables help

    There are no rules now. So DNS must be failing because of some other reason.

  9. #9
    Join Date
    Mar 2011
    Beans
    680

    Re: Looking for IPTables help

    Chain INPUT (policy DROP)target prot opt source destination
    ufw-before-logging-input all -- anywhere anywhere
    ufw-before-input all -- anywhere anywhere
    ufw-after-input all -- anywhere anywhere
    ufw-after-logging-input all -- anywhere anywhere
    ufw-reject-input all -- anywhere anywhere
    ufw-track-input all -- anywhere anywhere


    Chain FORWARD (policy DROP)
    target prot opt source destination
    ufw-before-logging-forward all -- anywhere anywhere
    ufw-before-forward all -- anywhere anywhere
    ufw-after-forward all -- anywhere anywhere
    ufw-after-logging-forward all -- anywhere anywhere
    ufw-reject-forward all -- anywhere anywhere


    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    ufw-before-logging-output all -- anywhere anywhere
    ufw-before-output all -- anywhere anywhere
    ufw-after-output all -- anywhere anywhere
    ufw-after-logging-output all -- anywhere anywhere
    ufw-reject-output all -- anywhere anywhere
    ufw-track-output all -- anywhere anywhere


    Chain ufw-after-forward (1 references)
    target prot opt source destination


    Chain ufw-after-input (1 references)
    target prot opt source destination
    ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
    ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
    ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
    ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
    ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
    ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
    ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST


    Chain ufw-after-logging-forward (1 references)
    target prot opt source destination


    Chain ufw-after-logging-input (1 references)
    target prot opt source destination


    Chain ufw-after-logging-output (1 references)
    target prot opt source destination


    Chain ufw-after-output (1 references)
    target prot opt source destination


    Chain ufw-before-forward (1 references)
    target prot opt source destination
    ufw-user-forward all -- anywhere anywhere


    Chain ufw-before-input (1 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ufw-logging-deny all -- anywhere anywhere state INVALID
    DROP all -- anywhere anywhere state INVALID
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp source-quench
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp parameter-problem
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
    ufw-not-local all -- anywhere anywhere
    ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
    ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
    ufw-user-input all -- anywhere anywhere


    Chain ufw-before-logging-forward (1 references)
    target prot opt source destination


    Chain ufw-before-logging-input (1 references)
    target prot opt source destination


    Chain ufw-before-logging-output (1 references)
    target prot opt source destination


    Chain ufw-before-output (1 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ufw-user-output all -- anywhere anywhere


    Chain ufw-logging-allow (0 references)
    target prot opt source destination


    Chain ufw-logging-deny (2 references)
    target prot opt source destination


    Chain ufw-not-local (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
    RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
    RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
    ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
    DROP all -- anywhere anywhere


    Chain ufw-reject-forward (1 references)
    target prot opt source destination


    Chain ufw-reject-input (1 references)
    target prot opt source destination


    Chain ufw-reject-output (1 references)
    target prot opt source destination


    Chain ufw-skip-to-policy-forward (0 references)
    target prot opt source destination
    DROP all -- anywhere anywhere


    Chain ufw-skip-to-policy-input (7 references)
    target prot opt source destination
    DROP all -- anywhere anywhere


    Chain ufw-skip-to-policy-output (0 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere


    Chain ufw-track-input (1 references)
    target prot opt source destination


    Chain ufw-track-output (1 references)
    target prot opt source destination
    ACCEPT tcp -- anywhere anywhere state NEW
    ACCEPT udp -- anywhere anywhere state NEW


    Chain ufw-user-forward (1 references)
    target prot opt source destination


    Chain ufw-user-input (1 references)
    target prot opt source destination


    Chain ufw-user-limit (0 references)
    target prot opt source destination
    REJECT all -- anywhere anywhere reject-with icmp-port-unreachable


    Chain ufw-user-limit-accept (0 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere


    Chain ufw-user-logging-forward (0 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere


    Chain ufw-user-logging-input (0 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere


    Chain ufw-user-logging-output (0 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere


    Chain ufw-user-output (1 references)
    target prot opt source destination
    I rebooted, used GUFW to filter input, and that's the ruleset now. DNS resolution works, but I still have no rules restricting the user account that I run my dns proxy in
    sig

  10. #10
    Join Date
    Jan 2008
    Beans
    Hidden!
    Distro
    Kubuntu 13.04 Raring Ringtail

    Re: Looking for IPTables help

    Okay, I am not going through the list of rules generated by GUFW, since I take you want to stop using it and write your own rules?

    Perhaps there were rules in some other tables earlier, which was causing issues.
    When removing GUFW rules, ensure you remove rules from all tables:
    Code:
    iptables -t filter -F
    iptables -t nat -F
    iptables -t mangle -F
    Now add only the allow-dns and drop-all rules in OUTPUT:
    Code:
    iptables -A OUTPUT -m owner --uid-owner USERNAME -p udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -m owner --uid-owner USERNAME -j DROP
    Now try to do a DNS lookup. Check what rules are getting hit (pkts column):
    Code:
    iptables -L -nv
    There should be hits on dns-allow rule when dnsproxy sends out requests.

Page 1 of 2 12 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •