Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Where are these rules in relation to other rules in the OUTPUT chain? The --append or -A option will put these two new rules after any that are already in place. So if one of the previous rules lets everyone out, that's what'll happen. Can you show the whole OUTPUT chain?
Where are these rules in relation to other rules in the OUTPUT chain? The --append or -A option will put these two new rules after any that are already in place. So if one of the previous rules lets everyone out, that's what'll happen. Can you show the whole OUTPUT chain?
Ok. That means those would be the only two rules in the chain. Perhaps --gid-owner only addresses primary groups. Have you looked at using --suppl-groups also?
Thank you,
No I have not tried that before. I did now, here is what I got:
[root@c12-19 ~]# iptables -A OUTPUT -o eth0 -m owner --gid-owner 59931 --suppl-groups groupB -j REJECT
iptables v1.4.21: unknown option "--suppl-groups"
Try `iptables -h' or 'iptables --help' for more information.
[root@c12-19 ~]# iptables -A OUTPUT -o eth0 -m owner --suppl-groups groupB -j REJECT
iptables v1.4.21: unknown option "--suppl-groups"
Try `iptables -h' or 'iptables --help' for more information.
Quote:
Originally Posted by Turbocapitalist
Ok. That means those would be the only two rules in the chain. Perhaps --gid-owner only addresses primary groups. Have you looked at using --suppl-groups also?
I tried a few things and searched a little but gave up quickly on iptables. Reading about it, there seem to be some longstanding issues about how iptables handles groups. nftables is much better and iptables will be deprecated in the near future so, have you considered nftables instead?
I get the expected behavior with nftables:
Code:
$ nft list ruleset
table ip output {
chain filter4 {
type filter hook output priority 0; policy accept;
ip protocol tcp skgid "groupB" reject
}
}
You'd have to install nftables, uninstall iptables, and then reboot for the new filter interface to take effect.
I tried a few things and searched a little but gave up quickly on iptables. Reading about it, there seem to be some longstanding issues about how iptables handles groups. nftables is much better and iptables will be deprecated in the near future so, have you considered nftables instead?
I get the expected behavior with nftables:
Code:
$ nft list ruleset
table ip output {
chain filter4 {
type filter hook output priority 0; policy accept;
ip protocol tcp skgid "groupB" reject
}
}
You'd have to install nftables, uninstall iptables, and then reboot for the new filter interface to take effect.
I wouldn't hold my breath about problems with iptables getting fixed any time soon. That one with the groups seems to be an old one, too.
Myself, I've run into enough problems with iptables that I don't consider it for any projects any more and just use nftables nowadays. Back before nftables, I did recompile some kernels with ipchains support because of problems with iptables. So maybe I just never got along with iptables.
Either way, nftables is the future of packet filters for Linux. So you might give it a quick try. The syntax is quite different from ipchains and iptables, and is a bit more complex. However, the complexity on the user side is supposed to be in exchange for gains in performance once the rules are inside the kernel.
You have two ways of building the rules out:
Code:
nft flush ruleset
nft add table ip foobar
nft add chain foobar input { type filter hook input priority 0 \; policy drop \; }
nft add rule ip foobar input ct state related,established counter accept
nft add chain foobar output { type filter hook output priority 0 \; policy accept \; }
nft add rule ip foobar output ip protocol tcp skgid groupb reject
Or
Code:
#!/usr/bin/nft -f
flush ruleset
table ip foobar {
chain input {
type filter hook input priority 0; policy drop;
ct state established,related counter accept
}
chain output {
type filter hook output priority 0; policy accept;
ip protocol tcp skgid "groupb" reject
}
}
The latter format is what you can put in /etc/nftables.conf for persistence.
The wiki in the earlier link seems to be the best guide, though the manual page serves as a reminder once it nft becomes familiar.
Last edited by Turbocapitalist; 03-10-2020 at 12:51 AM.
Reason: packets and bytes not needed in rule
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.