LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Old 09-27-2016, 03:03 PM   #1
Adrian5
LQ Newbie
 
Registered: Dec 2014
Distribution: Xubuntu 18.04
Posts: 10

Rep: Reputation: Disabled
IPTABLES, limiting regular processes to localhost, giving privileged access to ethernet


Hello,

I'm a novice when it comes to networking/multi-user and am looking for suggestions and help in setting up the following:

Option A)
  • No processes have Internet access by default, but they can communicate over localhost (e.g. Apache for local web development)
  • A special user/group has access to the outside, and I start the few programs that need it explicitly as that user.
  • A "whitelist" approach, if you will.

Option B)
  • Business as usual, all processes have free access to eth0.
  • A special user/group has no access to the outside and I start some processes as that.
  • "Blacklist".

I'm not sure how feasible either is, since many services run as root and presumably require root rights. Any input on how I might accomplish this welcome.

Thanks!

Last edited by Adrian5; 09-27-2016 at 03:05 PM.
 
Old 09-27-2016, 06:37 PM   #2
Sefyir
Member
 
Registered: Mar 2015
Distribution: Linux Mint
Posts: 634

Rep: Reputation: 316
This is fairly common to allow the loopback to access itself
Typically formed like this
Code:
iptables -A INPUT -i lo -j ACCEPT
Do something similar for localhost or 127.0.0.1?

Outgoing can be matched by group or owner
https://www.frozentux.net/iptables-t...tml#OWNERMATCH
 
Old 09-28-2016, 01:13 PM   #3
Adrian5
LQ Newbie
 
Registered: Dec 2014
Distribution: Xubuntu 18.04
Posts: 10

Original Poster
Rep: Reputation: Disabled
Thanks Sefyir, the link with the examples (table 10-24) is really helpful. I'll see if I can get it to work and report back.
 
Old 10-13-2016, 06:33 AM   #4
Adrian5
LQ Newbie
 
Registered: Dec 2014
Distribution: Xubuntu 18.04
Posts: 10

Original Poster
Rep: Reputation: Disabled
Hello again, I got sidetracked a little.

Inspired by a tutorial, I've tried the following:
Code:
groupadd inetgroup

iptables -A OUTPUT -m owner --gid-owner inetgroup -j ACCEPT   # accept all outgoing packages owned by inetgroup
iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT                     # accept all packages headed for localhost
iptables -A OUTPUT -d 192.168.1.1/24 -j ACCEPT                # my router's IP¹
iptables -A OUTPUT -j REJECT                                  # reject all else
¹This line appears to be necessary for things to work the way I want, but I don't understand why. After all, line #1 doesn't limit outbound packets for the group, and any other shouldn't need to communicate with my router at all, right?

Having run the above commands, I can start a shell with group permission, and processes started there indeed have Internet access, unlike the rest:
Code:
sudo -g internet -s
Now my question is: Is there a way to start processes via the inetgroup without requiring a shell and password (e.g. a plain Desktop link), or is that unworkable?

I experimented with the sg command, but without sudo it keeps asking for a password (I never set one, and a blank one doesn't work) and with sudo it doesn't appear to enable internet access anyway.

Any help with this appreciated!
 
Old 10-13-2016, 11:34 AM   #5
Sefyir
Member
 
Registered: Mar 2015
Distribution: Linux Mint
Posts: 634

Rep: Reputation: 316
Quote:
Code:
iptables -A OUTPUT -d 192.168.1.1/24 -j ACCEPT                # my router's IP¹
¹This line appears to be necessary for things to work the way I want, but I don't understand why. After all, line #1 doesn't limit outbound packets for the group, and any other shouldn't need to communicate with my router at all, right?
That's not your router's ip, it defines a range, 256 addresses in your LAN space - 192.168.0.0 to 192.168.0.255.
You say it appears necessary, does it not work if you don't include it?

Code:
groupadd inetgroup
iptables -A OUTPUT -m owner --gid-owner inetgroup -j ACCEPT   # accept all outgoing packages owned by inetgroup
Look at these links?
https://stackoverflow.com/questions/...group#15830914
http://unix.stackexchange.com/a/52427/89198

Last edited by Sefyir; 10-13-2016 at 11:56 AM.
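To make Sefyir's point about the /24 concrete, here is an added example (not code from either poster) that computes the range an iptables `-d A.B.C.D/N` argument matches. iptables masks the address with the prefix, so `-d 192.168.1.1/24` matches the whole 192.168.1.0/24 network (192.168.1.0 through 192.168.1.255); a single router would be `-d 192.168.1.1` or `-d 192.168.1.1/32`. The helper names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): what "-d A.B.C.D/N" actually matches.
# iptables ANDs the address with the prefix mask, so the host bits are ignored.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit integer back to dotted-quad form.
int_to_ip4() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                           $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# cidr_range A.B.C.D/N -> "first last": the address range such a rule matches.
# A bare address with no /N is treated as a single host (/32), as iptables does.
cidr_range() {
    addr=${1%/*}
    bits=${1#*/}
    [ "$addr" = "$1" ] && bits=32
    ip=$(ip4_to_int "$addr")
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    net=$(( ip & mask ))                      # network address (host bits cleared)
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))   # last address in the block
    echo "$(int_to_ip4 "$net") $(int_to_ip4 "$bcast")"
}

# in_cidr A.B.C.D/N X.Y.Z.W -> exit 0 if the host X.Y.Z.W falls inside the range.
in_cidr() {
    set -- "$(cidr_range "$1")" "$(ip4_to_int "$2")"
    first=$(ip4_to_int "${1% *}")
    last=$(ip4_to_int "${1#* }")
    [ "$2" -ge "$first" ] && [ "$2" -le "$last" ]
}

# Usage: sh cidr.sh 192.168.1.1/24 10.0.0.0/8 192.168.1.1
if [ $# -gt 0 ]; then
    for spec in "$@"; do
        printf '%-20s matches %s\n' "$spec" "$(cidr_range "$spec")"
    done
fi
```

Run it with the thread's own argument, `sh cidr.sh 192.168.1.1/24`, and it prints `192.168.1.0 192.168.1.255`, which is every host on the LAN, not just the router. The same arithmetic is what `iptables-save` applies when it rewrites the rule as `192.168.1.0/24`.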
 
Old 10-13-2016, 03:56 PM   #6
Adrian5
LQ Newbie
 
Registered: Dec 2014
Distribution: Xubuntu 18.04
Posts: 10

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Sefyir View Post
That's not your router's ip, it defines a range, 256 addresses in your LAN space - 192.168.0.0 to 192.168.0.255.
You say it appears necessary, does it not work if you don't include it?
I see. Without that line, I just cannot get any connection, regardless of who owns the process.
I can only assume that I either misunderstood how these rules work together, or my first rule doesn't have the effect I think it does.

My plan was (OUTPUT chain only):
Code:
1. Owner matches "internet" group -> ACCEPT
  if not, then...
2. Destination is localhost -> ACCEPT
  if not, then...
3. REJECT
Is my approach wrong?

Thanks for the links. I tried the sg command again, this time with sudo and the 192.168.1.1/24 rule in place and it worked. I must have failed to do both together. From what I understand now, sudo is unavoidable, because the request is a special one as my user doesn't belong to the internet group.

Regarding the ESTABLISH,RELATED rules in your second link, would it be advisable to add iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT as the first rule, followed by the ones I already have? I understand it that way.

Last edited by Adrian5; 10-13-2016 at 03:57 PM.
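Pulling the thread's pieces together, here is an added example (my script, not code from either poster) that emits the OUTPUT whitelist in the order just described, with the conntrack rule first, and walks the chain by hand for a few packets so the first-match behaviour is visible. The group name `inetgroup` and the sample owners `dnsmasq` and `www-data` are assumptions. Two points the ruleset reflects: `-o lo` is preferred over `-d 127.0.0.1` because it covers everything on the loopback interface (all of 127.0.0.0/8, including the 127.0.1.1 address that some Ubuntu releases use for a local resolver), and a LOG rule before the REJECT records what is being blocked, which is the first place to look when "nothing connects". One likely explanation for the router rule seeming necessary, not confirmed in the thread, is visible in the walk-through: if a local DNS forwarder runs as its own user and relays queries to the router, its outbound query is a NEW packet from a non-group process, so without the router rule it hits REJECT and name resolution fails for every process, group members included.

```shell
#!/bin/sh
# Added example (not from the thread): OUTPUT whitelist in evaluation order.
# Prints the rules by default; "--apply" executes them (root + iptables needed).
# "inetgroup" is assumed from the thread; override with INET_GROUP=othergroup.
GROUP=${INET_GROUP:-inetgroup}

# Rule order matters: iptables stops at the first rule that matches.
#  1. replies/related packets of flows already allowed (per the second link)
#  2. anything leaving on the loopback interface (Apache for local dev etc.)
#  3. packets from sockets owned by the privileged group
#  4. log the rest (rate-limited), then reject
# "-F OUTPUT" flushes existing OUTPUT rules first so the script is re-runnable.
whitelist_rules() {
    group=$1
    cat <<EOF
iptables -F OUTPUT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner $group -j ACCEPT
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-REJECT: "
iptables -A OUTPUT -j REJECT
EOF
}

# Hand-evaluate the chain for one locally generated packet.
# verdict CTSTATE OUT_IFACE OWNER_GROUP -> ACCEPT or REJECT
verdict() {
    ctstate=$1; oif=$2; gid=$3
    case $ctstate in ESTABLISHED|RELATED) echo ACCEPT; return ;; esac  # rule 1
    [ "$oif" = lo ] && { echo ACCEPT; return; }                        # rule 2
    [ "$gid" = "$GROUP" ] && { echo ACCEPT; return; }                  # rule 3
    echo REJECT                                                        # rule 4
}

case ${1:-} in
    --apply)
        [ "$(id -u)" -eq 0 ] || { echo "--apply needs root" >&2; exit 1; }
        whitelist_rules "$GROUP" | sh -e
        ;;
    ''|--show)
        whitelist_rules "$GROUP"
        echo
        echo "first-match walk-through (constructed packets):"
        # A NEW query from a non-group resolver to the router is what rule 4 rejects.
        for pkt in "NEW eth0 $GROUP" "NEW eth0 dnsmasq" \
                   "ESTABLISHED eth0 www-data" "NEW lo www-data"; do
            set -- $pkt
            printf '  %-12s %-5s %-10s -> %s\n' "$1" "$2" "$3" "$(verdict "$1" "$2" "$3")"
        done
        ;;
esac
```

Two caveats worth checking after applying it. The ESTABLISHED rule in OUTPUT also lets a non-group service such as Apache answer connections that arrive from eth0, so if it must stay localhost-only the INPUT chain has to restrict it too; `iptables -L OUTPUT -v -n` shows per-rule packet counters, which tells you which rule is actually deciding. On starting programs: `sudo -g inetgroup program` runs a single command with that group, and the password prompt can be avoided for specific programs with a sudoers runas entry of the form `user ALL=(:inetgroup) NOPASSWD: /path/to/program` (one approach, not the thread's); `sg` asks for a password precisely because the invoking user is not a member of the group.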