Some iptables exploration
As far as I know, it is not widely understood that the Linux firewall (iptables) can be controlled on a per-user basis, which is sometimes useful on multiuser systems.
Per-user control is done with the -m owner match of iptables. Since the kernel only knows the owning process of locally generated packets, this match only works on outbound traffic, i.e. on the OUTPUT chain.
The -m owner match
The owner match lets you match outgoing packets in several interesting ways. You can of course match on the UID and GID of any user on the system using --uid-owner and --gid-owner. These two match types cover most of the ground you might want to cover when controlling user network access.
The two other switches let you match on a process ID and a session ID (--pid-owner and --sid-owner). I can see this type of match being used inside a daemon launch script to control which hosts the process can communicate with. The session ID is a lesser-known UNIX concept: a session groups several processes launched from a common parent. It is good to know these conditions exist, but I won't be discussing them here.
Selectively drop outbound connection
This is something you may have good reasons to do on a multiuser system. The following rule drops any outbound connection attempt to port 80 that is not made by root, preventing non-root users from connecting to most of the web.
iptables -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner 0 -j DROP
You can of course use --gid-owner instead to apply a more sensible control based on a group.
Prevent incoming and outgoing connections
Even though you can't select which user may receive inbound connection requests, you can still prevent a specific user's processes from accepting connections from the outside. You do that by dropping the packets that take part in the TCP connection handshake.
The TCP connection handshake begins when a connection is attempted on a service port. The first packet sent in that handshake has a special flag, called SYN, set. If the service port can answer that connection request, it must send a TCP packet with two flags, SYN and ACK, set. In practice, this means that if the packets with the SYN and ACK flags set are blocked, incoming connections will never succeed.
iptables -A OUTPUT -p tcp --tcp-flags ALL SYN,ACK -m owner ! --uid-owner 0 -j REJECT
This blocks the completion of connection attempts on all local ports owned by non-root users. You could instead selectively ACCEPT connections only to the well-known services on your multiuser machine, but you would have to remember to modify your firewall script every time you enable another service. You can also selectively allow certain classes of users to receive connections using --gid-owner.
I can't guarantee the level of security offered by the rules I propose here. There are alternatives to firewalls for controlling network security on a multiuser system. My last hosting provider, HCOOP, uses grsecurity (grsec), a set of patches for the Linux kernel.
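The "accept only the well-known services, reject everything else" variant described above, written as a small rule generator so the rule set can be reviewed before it is applied. This is an added example and not the post's own script; the group ID, port list and log prefix are arbitrary inputs chosen here.

```bash
#!/bin/sh
# gen_rules GID PORT [PORT...]
# Emits OUTPUT-chain rules letting processes whose effective GID is GID
# accept inbound connections only on the listed service ports. The rules
# come out in the order iptables must evaluate them:
#   1. SYN,ACK replies leaving from an approved port are accepted;
#   2. any other SYN,ACK from that group is logged, then rejected, so a
#      service started on an unapproved port shows up in the kernel log
#      instead of silently failing to accept connections.
# Note: --gid-owner matches the socket owner's effective GID, not its
# supplementary groups, so the restricted users need GID as primary group.
gen_rules() {
    gid=$1; shift
    for port in "$@"; do
        echo "iptables -A OUTPUT -p tcp --sport $port --tcp-flags ALL SYN,ACK -m owner --gid-owner $gid -j ACCEPT"
    done
    echo "iptables -A OUTPUT -p tcp --tcp-flags ALL SYN,ACK -m owner --gid-owner $gid -j LOG --log-prefix 'unapproved-listener: '"
    echo "iptables -A OUTPUT -p tcp --tcp-flags ALL SYN,ACK -m owner --gid-owner $gid -j REJECT"
}

# count_rules GID PORT... : number of rules gen_rules emits (one per port + LOG + REJECT)
count_rules() {
    gen_rules "$@" | wc -l | tr -d ' '
}

# apply_rules GID PORT... : print the rules when DRY_RUN is set, otherwise
# run them (requires root). Nothing touches the kernel unless you call this.
apply_rules() {
    if [ -n "${DRY_RUN:-}" ]; then
        gen_rules "$@"
    else
        gen_rules "$@" | sh
    fi
}
```

Run `DRY_RUN=1 apply_rules 1000 22 80` to inspect the rules for GID 1000 before applying them for real.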
