LinuxQuestions.org

Slackware forum thread: How to prevent a user from using the network? (http://www.linuxquestions.org/questions/slackware-14/how-to-prevent-a-user-from-using-the-network-4175459311/)

philanc 04-23-2013 01:16 PM

How to prevent a user from using the network?
 
Hi,

My objective is to make sure that any program run by some user (e.g. UID=1234) cannot use the network in any way (cannot connect or listen to any other machine on the network).

The PC runs Slackware 14.0. It is connected to the network with either a wired (eth0) or wireless (wlan0) interface.

The programs running with UID=1234 should be unable to use either of these two interfaces, but could use the lo interface to communicate between themselves or with local servers.

What would be the simplest way to achieve this objective?

Thanks in advance for your help.

Phil

Martinus2u 04-23-2013 03:12 PM

Quote:

Originally Posted by philanc (Post 4937361)
What would be the simplest way to achieve this objective?

one iptables rule per interface with a certain match condition (not sure if you need to change your kernel config)

SwiftTimber-Z80 04-23-2013 05:06 PM

Using the iptables owner module should accomplish this.

As per the manpage of "iptables-extensions":

owner
This module attempts to match various characteristics of the packet creator, for locally generated packets. This match is only valid in the OUTPUT and POSTROUTING chains. Forwarded packets do not have any socket associated with them. Packets from kernel threads do have a socket, but usually no owner.

[!] --uid-owner username
[!] --uid-owner userid[-userid]
Matches if the packet socket's file structure (if it has one) is owned by the given user. You may also specify a numerical UID, or an UID range.

[!] --gid-owner groupname
[!] --gid-owner groupid[-groupid]
Matches if the packet socket's file structure is owned by the given group. You may also specify a numerical GID, or a GID range.

[!] --socket-exists
Matches if the packet is associated with a socket
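
A rule set that applies the owner match quoted above, as an added example that is not from the thread or its participants: it confines the thread's example UID 1234 to lo on both IPv4 and IPv6, and assumes iptables/ip6tables with the owner, limit, LOG and REJECT extensions. By default it only prints the rules for review; run it as root with "--apply" to install them.

```shell
#!/bin/sh
# Added example, not from the thread: confine one UID to the loopback interface
# with the iptables owner match. Assumes iptables/ip6tables with the owner and
# REJECT extensions; UID 1234 is the thread's example user.
BLOCKED_UID=${BLOCKED_UID:-1234}

# Emit the rules for one address family as shell commands. $1 is the tool
# (iptables or ip6tables), $2 the UID, $3 the REJECT type for that family.
family_rules() {
    tool=$1; uid=$2; reject=$3; chain="UID_${uid}_OUT"
    cat <<EOF
$tool -N $chain
$tool -A $chain -o lo -j ACCEPT
$tool -A $chain -m limit --limit 5/min -j LOG --log-prefix "uid$uid blocked: "
$tool -A $chain -j REJECT --reject-with $reject
$tool -I OUTPUT 1 -m owner --uid-owner $uid -j $chain
EOF
}

# Full rule set: IPv4 and IPv6, because a v4-only rule would leave eth0/wlan0
# reachable over IPv6. Inserted at position 1 of OUTPUT so it runs before any
# "accept all output" rule from a generated firewall script. REJECT rather than
# DROP makes the user's programs fail immediately instead of timing out.
gen_rules() {
    family_rules iptables "$1" icmp-admin-prohibited
    family_rules ip6tables "$1" icmp6-adm-prohibited
}

# Caveat: owner only matches locally generated packets, so a TCP server the
# user starts on eth0 cannot complete its handshake (its SYN-ACK is rejected),
# but UDP datagrams arriving on a socket they bound are still delivered by INPUT.
# Print the rules by default; apply them (as root) with "--apply".
if [ "${1:-}" = "--apply" ]; then
    gen_rules "$BLOCKED_UID" | sh -e
else
    gen_rules "$BLOCKED_UID"
fi
```

Check the result afterwards with `iptables -L OUTPUT -v -n --line-numbers`: the owner rule must be line 1, above any ACCEPT rule the generated script already had.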

philanc 04-23-2013 05:54 PM

Quote:

Originally Posted by SwiftTimber-Z80 (Post 4937519)
Using the iptables owner module should accomplish this (...)

I didn't know about the owner module.

Now I am lost in the iptables manpage :). I have used AlienBob's easy firewall generator. I am now trying to understand the generated script to figure out where to add the '-m owner --uid-owner 1234' ... plenty of fun! ;)

Thanks to Martinus2u and you for pointing me in the right direction.

Phil

Celyr 04-23-2013 06:37 PM

If you want, you can post the script here for help.
When you are done please remember to mark this thread as solved.

ReaperX7 04-23-2013 06:42 PM

If you are using a program like Wicd or NetworkManager, I think you can exempt the user from the Wheel and NetDev groups to prevent internet or network access.

philanc 04-24-2013 03:24 PM

Quote:

Originally Posted by ReaperX7 (Post 4937559)
If you are using a program like Wicd or NetworkManager, I think you can exempt the user from the Wheel and NetDev groups to prevent internet or network access.

Yes, but if I understand correctly, it can prevent a user from setting up a connection to the Internet (i.e. getting an IP address and setting a route to the Internet). It cannot prevent a user from listening to or sending packets once the PC is connected to the Internet.

philanc 04-24-2013 03:27 PM

Quote:

Originally Posted by Celyr (Post 4937557)
If you want you can post here the script for help.

Thanks. I'll try to make it work, and if I cannot sort it out, I will ask for help here!


Quote:

When you are done please remember to mark this thread as solved.
Done.

