Iptables Firewall – How to Allow Only Specific Application/User with iptables/pf

Tags: firewall, iptables, pf

I think there is no iptables/pf solution to only allow an XY application on e.g. outbound tcp port 80, eth0. So if I have a userid "500", then how could I block any other communications than the mentioned one on port 80/outbound/tcp/eth0? (e.g.: just privoxy is using port 80 on eth0)

Extra: VirtualBox uses port 80 too, when a browser on the guest OS visits a site. How to declare that? Setting it for the normal user would be too big a hole.

Best Answer

Here's the iptables command to allow a certain uid through a certain port.

iptables -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner username -j ACCEPT 

from the man page

[!] --uid-owner userid[-userid] Matches if the packet socket’s file structure (if it has one) is owned by the given user. You may also specify a numerical UID, or an UID range.

As far as VirtualBox goes... I believe it runs its own kernel... so you might want to use the --uid-owner of VirtualBox on the host OS, but then have a --uid-owner rule on the virtual machine as well.

It might also be useful to note that --gid-owner also exists, and you could create a group browser and sgid your browser apps so they run with an effective group browser, and then only put users who you want to have browsing in that group... this would not be a perfect solution... but most users wouldn't try to run any other apps as that group, thus generally restricting the outbound to that application, I believe. I haven't tried this, so I'm not 100% sure that it would work as I've described.
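A fuller version of that rule, as an added example that is not from the answer: it pairs the owner ACCEPT with a catch-all REJECT for tcp/80 on eth0 in one chain, so only the privoxy uid (500, from the question) can make outbound HTTP connections and every other local process is refused and logged. The chain name OWNER_<port>, the rate-limited LOG rule and the IPTABLES variable are my choices.

```sh
#!/bin/sh
# Added example (not from the original answer). Emits iptables rules that let
# only one UID open outbound tcp/80 on one interface and reject every other
# local process; uid 500, privoxy and eth0 are the values from the question.
# -m owner only sees locally generated packets, so the rules live in OUTPUT.
# IPTABLES defaults to the real binary; set IPTABLES="echo iptables" to preview.
IPTABLES="${IPTABLES:-iptables}"

# owner_only_rules IFACE PORT UID -> prints the rules, one per line.
# Rule order matters: the owner ACCEPT comes first, the catch-all REJECT last.
owner_only_rules() {
    iface="$1"; port="$2"; uid="$3"
    # The output is piped to sh, so refuse anything but plain tokens
    # (a numeric uid, a user name, an interface name, a port number).
    for tok in "$iface" "$port" "$uid"; do
        case "$tok" in
            ''|*[!A-Za-z0-9_.-]*) echo "bad argument: '$tok'" >&2; return 1 ;;
        esac
    done
    cat <<EOF
$IPTABLES -N OWNER_$port
$IPTABLES -A OUTPUT -o $iface -p tcp --dport $port -j OWNER_$port
$IPTABLES -A OWNER_$port -m owner --uid-owner $uid -j ACCEPT
$IPTABLES -A OWNER_$port -m limit --limit 5/min -j LOG --log-prefix "OWNER_$port DENY "
$IPTABLES -A OWNER_$port -j REJECT --reject-with tcp-reset
EOF
}

# Apply the rules (needs root). Run once: -N fails if the chain already exists.
apply_owner_only() {
    owner_only_rules "$@" | sh
}

# Example usage: allow only uid 500 (privoxy) to talk tcp/80 out of eth0.
# Uncomment to apply on a real host:
# apply_owner_only eth0 80 500
```

Denied attempts show up in the kernel log with the OWNER_80 DENY prefix, which is the quickest way to find out which other program on the host was trying to use port 80.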
