Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

#1  09-22-2015, 10:14 AM
Besl621 (LQ Newbie; Registered: Sep 2015; Distribution: Slackware64 current; Posts: 8)
iptables "-m owner --uid-owner" option


I have Slackware 14.1.
In the firewall script that I run at every boot I tried to add the following:

IPT="/usr/sbin/iptables"

$IPT -N OUT_UID
$IPT -A OUT_UID -m owner --uid-owner 1000 -j RETURN
$IPT -A OUT_UID -m owner --uid-owner 0 -m limit --limit 1/m --limit-burst 2 -j LOG --log-level 5 --log-prefix="OUT uid=0 log -> " --log-uid
$IPT -A OUT_UID -m owner --uid-owner 0 -j RETURN
$IPT -A OUT_UID -m limit --limit 1/m --limit-burst 2 -j LOG --log-level 5 --log-prefix="OUT uid blocked -> " --log-uid
$IPT -A OUT_UID -j DROP

$IPT -A OUTPUT -j OUT_UID

This should allow only root and the user I use to log in.
That works, but I have many packets dropped, and the logged packets don't show a UID!

Is that normal?
That happens when I use Firefox or Google Chrome.
 
#2  09-23-2015, 01:15 AM
unSpawn (Moderator; Registered: May 2001; Posts: 29,415; Blog Entries: 55)
Quote (originally posted by Besl621):
This should allow only root and the user I use to log in.
Log in where? How? (Note root should not be allowed to log in over any networks.)


Quote (originally posted by Besl621):
I have many packets dropped.
Show us "evidence" of that? (Preferably using "-j LOG" rules to show it's a NetFilter problem.)


Quote (originally posted by Besl621):
The logged packets don't show a UID!
If they don't, then they are logged by some other rule?


Quote (originally posted by Besl621):
That happens when I use Firefox or Google Chrome.
What happens? Logging in as root? (Note root should not be allowed to use desktop applications; use an unprivileged user account.) Dropped packets? Could it be you're misunderstanding "-m owner"? A lot of daemons will happily drop privileges and run as lesser or unprivileged users, but some just can't, so "--uid-owner 0" will be affecting all of them...
 
#3  09-23-2015, 03:27 AM
Besl621 (LQ Newbie; Original Poster; Registered: Sep 2015; Distribution: Slackware64 current; Posts: 8)
Quote (originally posted by unSpawn):
Log in where? How? (Note root should not be allowed to log in over any networks.)
I don't use root to log in; I only use its permissions via the "su" command, to set up iptables after logging in as the user with UID 1000 and to upgrade the system with the "slackpkg" command.

Quote (originally posted by unSpawn):
Show us "evidence" of that? (Preferably using "-j LOG" rules to show it's a NetFilter problem.)
iptables -nvL
pkts bytes target prot opt in out source destination
3461 623K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 1000
2 136 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 0 limit: avg 1/min burst 2 LOG flags 8 level 5 prefix "OUT uid=0 log -> "
5118 305K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 0
8 404 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/min burst 2 LOG flags 8 level 5 prefix "OUT uid blocked -> "
710 37299 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
I have posted only the table "OUT_UID"

Some logs from there:
dmesg | grep "OUT uid=0 log"
[ 3667.797536] OUT uid=0 log -> IN= OUT=eth1 SRC=MY_IP DST=MY_ROUTER_IP LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=39075 DF PROTO=UDP SPT=53121 DPT=53 LEN=48 UID=0 GID=0
[ 3667.860791] OUT uid=0 log -> IN= OUT=eth1 SRC=MY_IP DST=MY_ROUTER_IP LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=39076 DF PROTO=UDP SPT=48624 DPT=53 LEN=48 UID=0 GID=0
.....
[ 5895.957592] OUT uid=0 log -> IN= OUT=eth1 SRC=MY_IP DST=193.206.140.37 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=50821 DF PROTO=TCP SPT=49357 DPT=80 WINDOW=1973 RES=0x00 ACK URGP=0 UID=0 GID=0
[ 5896.959192] OUT uid=0 log -> IN= OUT=eth1 SRC=MY_IP DST=193.206.140.37 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=51229 DF PROTO=TCP SPT=49357 DPT=80 WINDOW=3816 RES=0x00 ACK URGP=0 UID=0 GID=0
These packets were logged when I used the "slackpkg update" command after obtaining root permissions with the "su" command.
These packets show UID and GID exactly as I expected.


dmesg | grep "OUT uid blocked"
[ 3332.552057] OUT uid blocked -> IN= OUT=eth1 SRC=MY_IP DST=93.184.220.29 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=24803 DF PROTO=TCP SPT=49615 DPT=80 WINDOW=115 RES=0x00 ACK URGP=0
[ 3392.532610] OUT uid blocked -> IN= OUT=eth1 SRC=MY_IP DST=149.3.177.58 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=46183 DF PROTO=TCP SPT=60642 DPT=443 WINDOW=204 RES=0x00 ACK URGP=0
These packets don't show UID and GID and are blocked by the DROP rule above.
So my question is: why don't they have a UID?


Quote (originally posted by unSpawn):
If they don't, then they are logged by some other rule?
As shown above, the packets are logged by the rule with the --log-prefix="OUT uid blocked -> " option.


Quote (originally posted by unSpawn):
What happens? Logging in as root? (Note root should not be allowed to use desktop applications; use an unprivileged user account.) Dropped packets? Could it be you're misunderstanding "-m owner"? A lot of daemons will happily drop privileges and run as lesser or unprivileged users, but some just can't, so "--uid-owner 0" will be affecting all of them...
I never log in as root; I have only used its permissions with the su command in a bash shell.

Sorry for the bad English and the unclear previous message.

Thanks for the help!

Last edited by Besl621; 09-23-2015 at 03:51 AM.
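As an added example (not part of the thread), the script below mechanises the check Besl621 did by hand: it reads netfilter LOG lines in dmesg format and groups them by log prefix, protocol, TCP flags and whether --log-uid managed to attach a UID= field. The sample lines are constructed on the model of the ones posted above, with documentation addresses in place of MY_IP and the real destinations; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): triage netfilter LOG lines by log
# prefix and by whether the kernel attached a UID= field. --log-uid can only
# report an owner when the packet still belongs to an open socket, so a
# "none" in the UID column marks a packet the owner match could never see.

# Constructed sample input, modelled on the lines posted in the thread.
SAMPLE_LOG='[ 3667.797536] OUT uid=0 log -> IN= OUT=eth1 SRC=192.0.2.10 DST=192.0.2.1 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=39075 DF PROTO=UDP SPT=53121 DPT=53 LEN=48 UID=0 GID=0
[ 5895.957592] OUT uid=0 log -> IN= OUT=eth1 SRC=192.0.2.10 DST=198.51.100.7 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=50821 DF PROTO=TCP SPT=49357 DPT=80 WINDOW=1973 RES=0x00 ACK URGP=0 UID=0 GID=0
[ 3332.552057] OUT uid blocked -> IN= OUT=eth1 SRC=192.0.2.10 DST=198.51.100.8 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=24803 DF PROTO=TCP SPT=49615 DPT=80 WINDOW=115 RES=0x00 ACK URGP=0
[ 3392.532610] OUT uid blocked -> IN= OUT=eth1 SRC=192.0.2.10 DST=198.51.100.9 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=46183 DF PROTO=TCP SPT=60642 DPT=443 WINDOW=204 RES=0x00 ACK URGP=0'

# nflog_summary: read LOG lines on stdin and print one line per
# "<prefix>|<proto>|<flags>|<uid or none>" combination with its count.
nflog_summary() {
    awk '
    {
        # the log prefix is everything between the "] " after the
        # timestamp and the " IN=" field
        line = $0
        sub(/^\[[^]]*\] */, "", line)
        idx = index(line, " IN=")
        prefix = (idx > 0) ? substr(line, 1, idx - 1) : "?"
        proto = "?"; uid = "none"; flags = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/)                       proto = substr($i, 7)
            else if ($i ~ /^UID=/)                    uid = substr($i, 5)
            else if ($i ~ /^(SYN|ACK|FIN|RST|PSH)$/)  flags = flags $i ","
        }
        sub(/,$/, "", flags)
        if (flags == "") flags = "-"
        count[prefix "|" proto "|" flags "|" uid]++
    }
    END { for (k in count) print count[k] " " k }' | sort
}

# nflog_no_uid_count: number of logged packets carrying no UID= at all
nflog_no_uid_count() {
    grep -c -v 'UID='
}

printf '%s\n' "$SAMPLE_LOG" | nflog_summary
printf 'packets without UID: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | nflog_no_uid_count)"
```

On a real box, sourcing the script and running `dmesg | nflog_summary` gives the same breakdown for the live log. Rows whose last column is "none" are packets the kernel could not attribute to an open socket, which is exactly the case the rest of the thread narrows down to connection teardown.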
 
#4  09-25-2015, 03:34 AM
unSpawn (Moderator; Registered: May 2001; Posts: 29,415; Blog Entries: 55)
Quote (originally posted by Besl621):
I don't use root to log in
Cool. Thanks for clearing that up.


Quote (originally posted by Besl621):
Code:
dmesg | grep "OUT uid blocked"
[ 3332.552057] OUT uid blocked -> IN= OUT=eth1 SRC=MY_IP DST=93.184.220.29 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=24803 DF PROTO=TCP SPT=49615 DPT=80 WINDOW=115 RES=0x00 ACK URGP=0
[ 3392.532610] OUT uid blocked -> IN= OUT=eth1 SRC=MY_IP DST=149.3.177.58 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=46183 DF PROTO=TCP SPT=60642 DPT=443 WINDOW=204 RES=0x00 ACK URGP=0
These packets don't show UID and GID and are blocked by the DROP rule above.
So my question is: why don't they have a UID?
Is it because the rule doesn't specify "-m owner --uid-owner"? (IIRC you can also use ! to negate, so, not saying you should, but you could try "-m owner ! --uid-owner 0".)
Note that unless you only want auditing, "-j LOG" rules usually require a counterpart that actually performs an action:
Code:
$IPT -A OUT_UID -m owner ! --uid-owner 0 -m tcp -p tcp -m ctstate --state NEW -m multiport --dports 1024:10000 -m limit --limit 1/s --limit-burst 5 -j LOG --log-level 5 --log-uid --log-prefix="OUT_uid_block "
$IPT -A OUT_UID -m owner ! --uid-owner 0 -m tcp -p tcp -m ctstate --state NEW -m multiport --dports 1024:10000 -m limit --limit 1/s --limit-burst 5 -j DROP
 
#5  09-25-2015, 10:13 AM
Besl621 (LQ Newbie; Original Poster; Registered: Sep 2015; Distribution: Slackware64 current; Posts: 8)
Quote (originally posted by unSpawn):
Is it because the rule doesn't specify "-m owner --uid-owner"? (IIRC you can also use ! to negate, so, not saying you should, but you could try "-m owner ! --uid-owner 0".)
Note that unless you only want auditing, "-j LOG" rules usually require a counterpart that actually performs an action:
Code:
$IPT -A OUT_UID -m owner ! --uid-owner 0 -m tcp -p tcp -m ctstate --state NEW -m multiport --dports 1024:10000 -m limit --limit 1/s --limit-burst 5 -j LOG --log-level 5 --log-uid --log-prefix="OUT_uid_block "
$IPT -A OUT_UID -m owner ! --uid-owner 0 -m tcp -p tcp -m ctstate --state NEW -m multiport --dports 1024:10000 -m limit --limit 1/s --limit-burst 5 -j DROP
I tried to add "-m owner ! --uid-owner 0" to the rule, but it did not work!
Then I tried adding "iptables -I OUTPUT -j LOG --log-uid": many logged packets show a UID. The problem is elsewhere.
But after adding "-m ctstate --state NEW" (which I then replaced with the conntrack module) it worked!
iptables was in fact blocking FIN packets for some reason, but blocking NEW packets is enough to block net access for a given UID!

Actually, RST packets are still blocked. Googling a bit, I found they are generated by the kernel and no UID is shown in this case, but it only takes another simple rule to allow RST packets.
Edit: About RST, no more rules are required; checking the UID of NEW packets only is enough!
So the only change I have made is replacing "$IPT -A OUTPUT -j OUT_UID" with "$IPT -A OUTPUT -m conntrack --ctstate NEW -j OUT_UID".

Last edited by Besl621; 09-25-2015 at 11:21 AM.
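Pulling the thread's conclusion together, here is the OUT_UID chain as it stands after Besl621's final change (the OUTPUT hook restricted to -m conntrack --ctstate NEW), written as an added example rather than the script posted in the thread. It wraps the rules in a function that talks to $IPT, so that IPT=echo gives a dry run a reviewer can diff or grep before anything is loaded; the rule_count_for helper, the --dry-run/--apply switch and the delete-before-append of the OUTPUT hook are my additions, and the login UID of 1000 is the thread's own assumption.

```shell
#!/bin/sh
# Added example (not from the thread): per-UID egress filtering with
# iptables -m owner, hooked into OUTPUT for NEW connections only.
# With IPT=echo the rules are printed instead of loaded (dry run).

: "${IPT:=/usr/sbin/iptables}"   # override with IPT=echo for a dry run
: "${LOGIN_UID:=1000}"            # unprivileged login user allowed out

out_uid_rules() {
    # (re)create the chain; -N fails harmlessly if it already exists
    $IPT -N OUT_UID 2>/dev/null || true
    $IPT -F OUT_UID

    # the login user may open new connections
    $IPT -A OUT_UID -m owner --uid-owner "$LOGIN_UID" -j RETURN

    # root may too, but each new root connection is logged (rate limited)
    $IPT -A OUT_UID -m owner --uid-owner 0 -m limit --limit 1/m --limit-burst 2 \
        -j LOG --log-level 5 --log-prefix "OUT uid=0 log -> " --log-uid
    $IPT -A OUT_UID -m owner --uid-owner 0 -j RETURN

    # every other owner is logged and dropped
    $IPT -A OUT_UID -m limit --limit 1/m --limit-burst 2 \
        -j LOG --log-level 5 --log-prefix "OUT uid blocked -> " --log-uid
    $IPT -A OUT_UID -j DROP

    # Hook only NEW connections into the chain. The owner match is decided
    # on the first packet, where an open socket exists; teardown segments
    # (FIN, RST, late ACKs) sent after the application has closed its
    # socket carry no owner and would otherwise fall through to DROP with
    # no UID in the log. Delete any old hook first so reruns do not stack.
    $IPT -D OUTPUT -m conntrack --ctstate NEW -j OUT_UID 2>/dev/null || true
    $IPT -A OUTPUT -m conntrack --ctstate NEW -j OUT_UID
}

# rule_count_for: how many dry-run rules mention a given string; a quick
# sanity check that the generated set contains what you expect
rule_count_for() {
    IPT=echo out_uid_rules | grep -c -- "$1"
}

case "${1:-}" in
    --dry-run) IPT=echo out_uid_rules ;;
    --apply)   out_uid_rules ;;
    *)         echo "usage: $0 --dry-run | --apply" >&2 ;;
esac
```

Run it as `sh out_uid.sh --dry-run` to review the exact iptables invocations, then `--apply` as root once the output looks right. Because the NEW-only hook leaves established connections alone, a process that changes UID after connecting (a daemon dropping privileges, for example) keeps the access it was granted at connection time; the check happens once, at the SYN.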
 
  

