LinuxQuestions.org
Old 08-19-2018, 07:40 AM   #1
lucmove
Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian Jessie
Posts: 841

Rep: Reputation: 78
Blocking specific applications with iptables


I need to block an application's access to the Internet. I researched, and found this:

- Create the "no-internet" group.
- Write netblock.sh script with this line:
Code:
sg no-internet "$1"
- Add this rule to iptables:
Code:
iptables -I OUTPUT 1 -m owner --gid-owner no-internet ! -d 192.168.1.0/24 -j DROP
- Run application:
Code:
$ netblock.sh /path/to/binary
If you're one of the 25 or so people in the world who actually understand iptables, you may have noticed that I want to block access to the outside world, but I want to grant access to the local network.

Let's test it with ping:

Code:
$ ping www.google.com
PING www.google.com (216.58.222.100) 56(84) bytes of data.
64 bytes from rio01s16-in-f100.1e100.net (216.58.222.100): icmp_seq=1 ttl=54 time=43.5 ms
64 bytes from rio01s16-in-f100.1e100.net (216.58.222.100): icmp_seq=2 ttl=54 time=42.3 ms
^C

$ netblock.sh "ping www.google.com"
ping: www.google.com: Temporary failure in name resolution
Excellent!

Code:
$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.324 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.379 ms
^C

$ netblock.sh "ping 192.168.1.1"
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
^C
Damn it! The local network is being blocked, too. How do I open it?

None of the "similar threads" has an answer to this.

Last edited by lucmove; 08-19-2018 at 07:43 AM.
 
Old 08-19-2018, 07:56 AM   #2
Turbocapitalist
Senior Member
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 3,521
Blog Entries: 3

Rep: Reputation: 1567
Code:
iptables -I OUTPUT 1 -m owner --gid-owner no-internet ! -d 192.168.1.0/24 -j DROP
The REJECT target is better for you in this case than DROP. However, that aside, what you want to do is whitelist your group's rules, especially since that rule is inserted #1 and blocks access to the loopback.

I'd say, create a new chain and send all the outgoing packets with that GID to the new chain. Set up rules on that chain allowing loopback, localhost and, optionally, to the local machine's LAN address. Jump to REJECT as the last rule in the chain.

If you get stuck, please post more of your ruleset using iptables-save.
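The chain-based whitelist described in this reply, written out as an added example (it is not code from the thread or from any poster). The group name no-internet and the LAN 192.168.1.0/24 are taken from the thread; the chain name NOINET_OUT and the function names are chosen here. The script prints the iptables commands by default so the rule set can be reviewed first, and applies them only when run as root with the argument apply:

```shell
#!/bin/sh
# Added example: per-group egress whitelist chain for the "no-internet" group.
# Assumed names: group no-internet and LAN 192.168.1.0/24 (from the thread),
# chain name NOINET_OUT (chosen here).

# Emit the rule set instead of applying it, so it can be reviewed (and
# generated without root). Arguments: group, LAN CIDR, chain name.
noinet_rules() {
  group="${1:-no-internet}"
  lan="${2:-192.168.1.0/24}"
  chain="${3:-NOINET_OUT}"
  # Order inside the chain: allow loopback, allow the LAN, then reject
  # everything else. REJECT makes the program fail immediately instead of
  # waiting for timeouts, as the reply above recommends.
  # The owner match only sees locally generated packets, so the jump to the
  # chain belongs in OUTPUT; deleting a previous copy first keeps the
  # script re-runnable without stacking duplicate jumps.
  cat <<EOF
iptables -N $chain 2>/dev/null || true
iptables -F $chain
iptables -A $chain -o lo -j ACCEPT
iptables -A $chain -d 127.0.0.0/8 -j ACCEPT
iptables -A $chain -d $lan -j ACCEPT
iptables -A $chain -j REJECT --reject-with icmp-admin-prohibited
iptables -D OUTPUT -m owner --gid-owner $group -j $chain 2>/dev/null || true
iptables -I OUTPUT 1 -m owner --gid-owner $group -j $chain
EOF
}

# Show the jump from OUTPUT and the chain contents with hit counters, which is
# the quickest way to see whether the group's traffic is reaching the chain.
noinet_show() {
  chain="${1:-NOINET_OUT}"
  iptables -S OUTPUT | grep -- "-j $chain"
  iptables -L "$chain" -n -v --line-numbers
}

if [ "${1:-}" = "apply" ]; then
  noinet_rules | sh -e && noinet_show
else
  noinet_rules
fi
```

Run it as `sh netblock-rules.sh` to review the rules and `sudo sh netblock-rules.sh apply` to install them. Because the LAN is whitelisted, a program started with `sg no-internet` can still reach a resolver on the LAN (192.168.1.1 in the thread), so name resolution succeeds but the connection to the resolved external address is rejected; that is the expected behaviour, not a hole. If LAN traffic is still refused after applying, `iptables -S OUTPUT` shows whether another rule earlier in OUTPUT (for example one installed by a firewall script) is matching before the jump.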
 
Old 08-19-2018, 08:38 PM   #3
lucmove
Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian Jessie
Posts: 841

Original Poster
Rep: Reputation: 78
That's still English you're speaking, right?
 
Old 08-19-2018, 08:45 PM   #4
lucmove
Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian Jessie
Posts: 841

Original Poster
Rep: Reputation: 78
Are you familiar with this?

Code:
# rc.firewall Linux Firewall version 2.0rc9 -- 05/02/03
# http://projectfiles.com/firewall/
with this one change:
Code:
PERMIT="198.168.0.0/24"
Everything else is default. Now I want to add a rule to that script that will block the no-internet group.

I am 97% illiterate in iptables.

Thank you for your attention.
 
Old 08-20-2018, 04:10 PM   #5
zeebra
Member
 
Registered: Dec 2011
Distribution: Mageia, Slackware, Maemo
Posts: 368
Blog Entries: 1

Rep: Reputation: Disabled
I was just reading some information about SystemD, and one of the things it said in the information is that you can remove various access (example networking) for certain processes or cgroups.

Not sure if that is correct as I have not tried, but it is an option well worth exploring.

I would assume you add any processes (and its binary perhaps) into a cgroup, then block networking on the cgroup.


PS. I also looked into the topic you are pursuing, about a year ago, and I was advised that what you want to do is not the purpose of iptables, and that blocking network access like that is useless as the program can invoke access through another binary.

Last edited by zeebra; 08-20-2018 at 04:13 PM.
 
Old 08-20-2018, 11:45 PM   #6
lucmove
Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian Jessie
Posts: 841

Original Poster
Rep: Reputation: 78
Quote:
Originally Posted by zeebra View Post
I also looked into the topic you are pursuing, about a year ago, and I was advised that what you want to do is not the purpose of iptables...
But iptables is all we have, and there are reports that it works.

Quote:
Originally Posted by zeebra View Post
and that blocking network access like that is useless as the program can invoke access through another binary.
I believe that applies to AppArmor, but not iptables, because the child process of a blocked parent process will be blocked too. I ran a quick test and it seems to be true: invoking my email client with the blocker script blocks it, then I click a link in a message and a new instance of the browser is launched, and that instance is blocked, too.
 
Old 08-21-2018, 06:43 PM   #7
zeebra
Member
 
Registered: Dec 2011
Distribution: Mageia, Slackware, Maemo
Posts: 368
Blog Entries: 1

Rep: Reputation: Disabled
Quote:
Originally Posted by lucmove View Post
But iptables is all we have, and there are reports that it works.
Well, if it is important to accomplish what you want, don't forget to look into the SystemD cgroups option. From what I read you block networking in general.

If you find out something, let us know.
 
  

