iptables "-m owner --uid-owner" option
I have Slackware 14.1.
In the firewall script that I run at every boot I tried to add the following:
Code:
IPT="/usr/sbin/iptables"
$IPT -N OUT_UID
$IPT -A OUT_UID -m owner --uid-owner 1000 -j RETURN
$IPT -A OUT_UID -m owner --uid-owner 0 -m limit --limit 1/m --limit-burst 2 -j LOG --log-level 5 --log-prefix="OUT uid=0 log -> " --log-uid
$IPT -A OUT_UID -m owner --uid-owner 0 -j RETURN
$IPT -A OUT_UID -m limit --limit 1/m --limit-burst 2 -j LOG --log-level 5 --log-prefix="OUT uid blocked -> " --log-uid
$IPT -A OUT_UID -j DROP
$IPT -A OUTPUT -j OUT_UID
This should allow only root and the user I use to log in. That works, but I have many dropped packets, and the logged packets don't show a UID! Is that normal? It happens when I use Firefox or Google Chrome.
Code:
 pkts bytes target     prot opt in     out     source               destination
 3461  623K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1000
    2   136 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 0 limit: avg 1/min burst 2 LOG flags 8 level 5 prefix "OUT uid=0 log -> "
 5118  305K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 0
    8   404 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 1/min burst 2 LOG flags 8 level 5 prefix "OUT uid blocked -> "
  710 37299 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
I have posted only the table "OUT_UID". Some logs from there:
Code:
dmesg | grep "OUT uid=0 log"
[ 3667.797536] OUT uid=0 log -> IN= OUT=eth1 SRC=MY_IP DST=MY_ROUTER_IP LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=39075 DF PROTO=UDP SPT=53121 DPT=53 LEN=48 UID=0 GID=0
[ 3667.860791] OUT uid=0 log -> IN= OUT=eth1 SRC=MY_IP DST=MY_ROUTER_IP LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=39076 DF PROTO=UDP SPT=48624 DPT=53 LEN=48 UID=0 GID=0
.....
[ 5895.957592] OUT uid=0 log -> IN= OUT=eth1 SRC=MY_IP DST=193.206.140.37 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=50821 DF PROTO=TCP SPT=49357 DPT=80 WINDOW=1973 RES=0x00 ACK URGP=0 UID=0 GID=0
[ 5896.959192] OUT uid=0 log -> IN= OUT=eth1 SRC=MY_IP DST=193.206.140.37 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=51229 DF PROTO=TCP SPT=49357 DPT=80 WINDOW=3816 RES=0x00 ACK URGP=0 UID=0 GID=0
These packets were logged when I used the "slackpkg update" command after obtaining root permissions with "su". These packets show UID and GID exactly as I expected.
Code:
dmesg | grep "OUT uid blocked"
[ 3332.552057] OUT uid blocked -> IN= OUT=eth1 SRC=MY_IP DST=93.184.220.29 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=24803 DF PROTO=TCP SPT=49615 DPT=80 WINDOW=115 RES=0x00 ACK URGP=0
[ 3392.532610] OUT uid blocked -> IN= OUT=eth1 SRC=MY_IP DST=149.3.177.58 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=46183 DF PROTO=TCP SPT=60642 DPT=443 WINDOW=204 RES=0x00 ACK URGP=0
These packets don't show UID and GID and are blocked by the DROP rule above. So my question is: why don't they have a UID?
Sorry for the bad English and the unclear previous message. Thanks for the help!
Note that unless you only want auditing, "-j LOG" rules usually require a counterpart that actually performs an action:
Code:
$IPT -A OUT_UID -m owner ! --uid-owner 0 -p tcp -m conntrack --ctstate NEW -m multiport --dports 1024:10000 -m limit --limit 1/s --limit-burst 5 -j LOG --log-level 5 --log-uid --log-prefix="OUT_uid_block "
Then I tried to add "iptables -I OUTPUT -j LOG --log-uid"; many logged packets show a UID. The problem is elsewhere. But adding "-m ctstate --state NEW" (then I replaced it with the conntrack module) worked! iptables was in fact blocking FIN packets for some reason, but blocking NEW packets is enough to block net access for some UID! Actually, RST packets are still blocked. Googling a bit, I found they are generated by the kernel and no UID is shown in this case, so it is just another simple rule to allow RST packets. Edit: about RST, no more rules are required; checking the UID of NEW packets only is enough! So the only change I have made is replacing "$IPT -A OUTPUT -j OUT_UID" with "$IPT -A OUTPUT -m conntrack --ctstate NEW -j OUT_UID".
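The script below is an added example, not the original poster's firewall script or any Slackware file. It shows the OUT_UID chain with the fix the thread arrives at (entering the chain only for packets in conntrack state NEW) and a small classifier that sorts kernel LOG lines into the two kinds seen above. The owner match can only see a UID on packets that are still attached to a local socket; RSTs the kernel sends on its own, and ACK/FIN segments that leave after the owning socket has been torn down, have no owner and therefore fall through to DROP unless the owner check is limited to the first packet of each flow. Assumptions: iptables lives at /usr/sbin/iptables and the interactive user is UID 1000, as in the post; the two sample LOG lines are copied from the thread and the SYN line is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the poster's script): per-UID egress filtering that only
# inspects the first packet of each flow, plus a classifier for LOG lines.
IPT="${IPT:-/usr/sbin/iptables}"          # assumption: iptables path
ALLOWED_UID="${ALLOWED_UID:-1000}"        # assumption: the login user's UID

# Build the OUT_UID chain. xt_owner matches on the local socket a packet is
# attached to; kernel-generated RSTs and late ACK/FIN segments have none, so
# OUTPUT jumps to the chain only for packets that start a new flow.
out_uid_rules() {
    $IPT -N OUT_UID
    $IPT -A OUT_UID -m owner --uid-owner "$ALLOWED_UID" -j RETURN
    $IPT -A OUT_UID -m owner --uid-owner 0 -m limit --limit 1/m --limit-burst 2 \
        -j LOG --log-level 5 --log-prefix "OUT uid=0 log -> " --log-uid
    $IPT -A OUT_UID -m owner --uid-owner 0 -j RETURN
    $IPT -A OUT_UID -m limit --limit 1/m --limit-burst 2 \
        -j LOG --log-level 5 --log-prefix "OUT uid blocked -> " --log-uid
    $IPT -A OUT_UID -j DROP
    # The fix from the thread: owner-check NEW packets only.
    $IPT -A OUTPUT -m conntrack --ctstate NEW -j OUT_UID
}

# classify LINE: one word describing whether a logged packet could carry a UID.
#   owned             UID=/GID= present, a local socket owned the packet
#   tcp-flow          TCP without UID and not a bare SYN: an existing flow or a
#                     kernel-generated RST/ACK; a NEW-gated chain never sees it
#   tcp-syn-no-owner  a bare SYN without UID: a genuinely ownerless new flow
#   other-no-owner    non-TCP without UID (e.g. ICMP errors built by the kernel)
classify() {
    pkt=" $1 "
    case "$pkt" in
        *" UID="*) echo owned; return ;;
    esac
    case "$pkt" in
        *" PROTO=TCP "*)
            case "$pkt" in
                *" SYN "*)
                    case "$pkt" in
                        *" ACK "*) echo tcp-flow ;;        # SYN+ACK answers a peer's SYN
                        *)         echo tcp-syn-no-owner ;;
                    esac ;;
                *) echo tcp-flow ;;
            esac ;;
        *) echo other-no-owner ;;
    esac
}

# Sample LOG lines: the first two are copied from the thread, the third is constructed.
SAMPLE_OWNED='[ 5895.957592] OUT uid=0 log -> IN= OUT=eth1 SRC=MY_IP DST=193.206.140.37 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=50821 DF PROTO=TCP SPT=49357 DPT=80 WINDOW=1973 RES=0x00 ACK URGP=0 UID=0 GID=0'
SAMPLE_BLOCKED_ACK='[ 3332.552057] OUT uid blocked -> IN= OUT=eth1 SRC=MY_IP DST=93.184.220.29 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=24803 DF PROTO=TCP SPT=49615 DPT=80 WINDOW=115 RES=0x00 ACK URGP=0'
SAMPLE_SYN_NO_UID='[ 9999.000000] OUT uid blocked -> IN= OUT=eth1 SRC=MY_IP DST=93.184.220.29 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0'

if [ "${1:-}" = apply ]; then
    out_uid_rules                    # needs root and a live kernel
else
    IPT="echo $IPT"                  # dry run: print the rules instead of loading them
    out_uid_rules
    for line in "$SAMPLE_OWNED" "$SAMPLE_BLOCKED_ACK" "$SAMPLE_SYN_NO_UID"; do
        printf '%-17s %s\n' "$(classify "$line")" "${line%% LEN=*}"
    done
fi
```

Run `sh out_uid.sh` to review the generated rules and the classification of the sample lines; `sh out_uid.sh apply` as root installs the chain. The trade-off of the NEW gate is that only the first packet of a connection is ever owner-checked: once a flow has been allowed, its later segments are not re-examined, so a process that inherits an already-open socket from an allowed UID keeps using it. The `tcp-flow` lines in the output are exactly the ACK-only packets the thread saw dropped.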