LinuxQuestions.org
Old 04-23-2013, 12:16 PM   #1
philanc
Member
 
How to prevent a user from using the network?


Hi,

My objective is to make sure that any program run by some user (e.g. UID=1234) cannot use the network in any way (cannot connect or listen to any other machine on the network).

The PC runs Slackware 14.0. It is connected to the network with either a wired (eth0) or wireless (wlan0) interface.

The programs running with UID=1234 should be unable to use either of these two interfaces, but could use the lo interface to communicate between themselves or with local servers.

What would be the simplest way to achieve this objective?

Thanks in advance for your help.

Phil
 
Old 04-23-2013, 02:12 PM   #2
Martinus2u
Member
 
Quote:
Originally Posted by philanc View Post
What would be the simplest way to achieve this objective?
One iptables rule per interface with a certain match condition (not sure if you need to change your kernel config).
 
Old 04-23-2013, 04:06 PM   #3
SwiftTimber-Z80
LQ Newbie
 
Using the iptables owner module should accomplish this.

As per the manpage of "iptables-extensions":

owner
This module attempts to match various characteristics of the packet creator, for locally generated
packets. This match is only valid in the OUTPUT and POSTROUTING chains. Forwarded packets do not have
any socket associated with them. Packets from kernel threads do have a socket, but usually no owner.

[!] --uid-owner username

[!] --uid-owner userid[-userid]
Matches if the packet socket's file structure (if it has one) is owned by the given user. You
may also specify a numerical UID, or an UID range.

[!] --gid-owner groupname

[!] --gid-owner groupid[-groupid]
Matches if the packet socket's file structure is owned by the given group. You may also specify
a numerical GID, or a GID range.

[!] --socket-exists
Matches if the packet is associated with a socket
 
Old 04-23-2013, 04:54 PM   #4
philanc
Member
 
Original Poster
Quote:
Originally Posted by SwiftTimber-Z80 View Post
Using the iptables owner module should accomplish this (...)
I didn't know about the owner module.

Now I am lost in the iptables manpage. I have used AlienBob's easy firewall generator. I am now trying to understand the generated script to figure out where to add the '-m owner --uid-owner 1234' ... plenty of fun!

Thanks to Martinus2u and you for pointing me in the right direction.

Phil
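Putting the owner match from #3 into a rule set for the setup in #1, as an added example (not from the thread and not part of AlienBob's generator). The UID 1234 comes from the question; the chain name nonet_uid and the REJECT target are choices made here.

```shell
#!/bin/sh
# Confine one UID to the loopback interface with the iptables owner match.
# Added example, not from the thread or from AlienBob's generator.  Assumed:
# UID 1234 (from the question); the chain name nonet_uid and the REJECT
# target are choices made here.
set -eu

IPT=${IPT:-iptables}     # set IPT=echo for a dry run that only prints rules
CHAIN=${CHAIN:-nonet_uid}

# Print, one per line, the iptables arguments that confine UID $1 to lo.
# owner is only valid in OUTPUT and POSTROUTING (see the manpage excerpt
# in #3), so the rules hook OUTPUT: anything the user's sockets emit on an
# interface other than lo is rejected, including the replies of a socket
# the user is listening on.
uid_nonet_rules() {
    uid=$1
    printf '%s\n' "-N $CHAIN"
    # Loopback stays open (local servers, IPC between the user's programs).
    printf '%s\n' "-A $CHAIN -o lo -j RETURN"
    # REJECT rather than DROP: connect() fails at once instead of hanging.
    printf '%s\n' "-A $CHAIN -m owner --uid-owner $uid -j REJECT"
    # Position 1 in OUTPUT: a generated script usually starts with an
    # ESTABLISHED,RELATED ACCEPT, which would otherwise pass the SYN-ACK
    # and data replies of a connection a remote host opened to the user.
    printf '%s\n' "-I OUTPUT 1 -j $CHAIN"
}

# Run each rule through $IPT (iptables, or echo for a dry run).
uid_nonet_apply() {
    uid_nonet_rules "$1" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting $rule into args is intended
        $IPT $rule
    done
}

# Undo: unhook, flush and delete the chain; harmless if it was never added.
uid_nonet_remove() {
    $IPT -D OUTPUT -j "$CHAIN" 2>/dev/null || true
    $IPT -F "$CHAIN" 2>/dev/null || true
    $IPT -X "$CHAIN" 2>/dev/null || true
}
```

Run `uid_nonet_apply 1234` as root (or with IPT=echo to preview); note that owner cannot be matched in INPUT, so a UDP datagram sent to a port the user has bound is still delivered, and what this cuts is every outbound and reply packet.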
 
Old 04-23-2013, 05:37 PM   #5
Celyr
Member
 
If you want you can post here the script for help.
When you are done please remember to mark this thread as solved.
 
Old 04-23-2013, 05:42 PM   #6
ReaperX7
Senior Member
 
If you are using a program like Wicd or NetworkManager, I think you can exempt the user from the Wheel and NetDev groups to prevent internet or network access.
 
Old 04-24-2013, 02:24 PM   #7
philanc
Member
 
Original Poster
Quote:
Originally Posted by ReaperX7 View Post
If you are using a program like Wicd or NetworkManager, I think you can exempt the user from the Wheel and NetDev groups to prevent internet or network access.
Yes, but if I understand correctly, it can prevent a user from setting up a connection to the Internet (i.e. getting an IP address and setting a route to the Internet). It cannot prevent a user from listening to or sending packets once the PC is connected to the Internet.
 
Old 04-24-2013, 02:27 PM   #8
philanc
Member
 
Original Poster
Quote:
Originally Posted by Celyr View Post
If you want you can post here the script for help.
Thanks. I'll try to make it work, and if I cannot sort it out, I will ask for help here!


Quote:
When you are done please remember to mark this thread as solved.
Done.
 
  

