
How to Limit network access by user / group using iptables - Owner Match

iptables is the administration tool for netfilter, the packet filtering framework built into Linux kernels 2.4 and later. Together they provide stateful and stateless packet filtering, network and port address translation, and other IP packet manipulation. netfilter/iptables is a major rewrite of its predecessor, ipchains, and is used to control packet filtering, Network Address Translation (masquerading, port forwarding, transparent proxying) and special effects such as packet mangling.

Owner match:
The owner match extension matches locally generated packets on the identity of the process that created them: its user ID, group ID, process ID or session ID. Because a packet only has a creator when it originates on this host, the match is valid only in the OUTPUT chain (current kernels also accept it in POSTROUTING). Even there, some packets have no owner: anything the kernel generates itself, such as ICMP echo replies or TCP resets, is not tied to a process socket and therefore never matches, so it falls through to whatever rule follows. Note also that the identity checked is that of the process that created the socket, not of whoever is sending on it now: a socket opened by root and then inherited across fork or handed to another process keeps root as its owner.

The owner match extension adds the following match criteria to the iptables command:
--uid-owner UID: matches packets generated by a process whose user ID is UID (a name or a number; a name is resolved when the rule is inserted, so a typo is rejected at that point).
--gid-owner GID: matches packets generated by a process whose group ID is GID.
--pid-owner PID: matches packets generated by a process whose process ID is PID.
--sid-owner SID: matches packets generated by a process whose session ID is SID.
--pid-owner and --sid-owner exist only on 2.4 and early 2.6 kernels; they were removed in 2.6.14 because they could not be evaluated reliably, and current kernels offer --uid-owner, --gid-owner and --socket-exists instead (newer releases also add --suppl-groups). The examples below only rely on the uid and gid matches, which still work unchanged.

To load this module on a 2.4/early 2.6 kernel, use the modprobe command: modprobe ipt_owner. On current kernels the module is named xt_owner and iptables loads it automatically the first time a rule uses -m owner.

General syntax:
-m owner --uid-owner 0
-m owner --uid-owner root
-m owner --gid-owner net

Example - by user (assuming a user name = nikesh)
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -m owner --uid-owner nikesh -j ACCEPT
iptables -A OUTPUT -j DROP
Example - by group (assuming a group name = other)
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -m owner --gid-owner other -j ACCEPT
iptables -A OUTPUT -j DROP

Rule order matters: the rules are appended with -A and evaluated top to bottom, so flush the OUTPUT chain first (iptables -F OUTPUT) or these three land behind whatever is already there. The final rule carries no -o, so it drops every other locally generated packet on every interface, including root's own traffic (DNS lookups, package updates, and ssh sessions, whose connections were accepted by sshd as root) and the ownerless ICMP replies noted above. Add explicit ACCEPT rules for anything like that before the DROP, and test from a local console rather than over the network.
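As an added example (not from the original post), the script below builds the same kind of OUTPUT-chain ruleset from a user name and an optional group name, but also does what a practitioner would want around it: it resolves the names to numeric IDs up front and refuses unknown ones, accepts the kernel-generated ICMP echo replies that have no owner, and logs (rate-limited) before the final DROP so a locked-out process can be diagnosed. The interface name and the user/group names passed in are assumptions; DRY_RUN=1 prints the iptables commands instead of running them so the set can be reviewed without root.

```shell
#!/bin/sh
# Added example: owner-match OUTPUT ruleset for one interface.
# Usage: DRY_RUN=1 sh owner-rules.sh eth0 nikesh other   (print only)
#        sh owner-rules.sh eth0 nikesh other             (apply, as root)

# ipt ARGS... : run iptables, or print the command when DRY_RUN is set.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# resolve_uid NAME_OR_UID : print the numeric uid; fail if the name is unknown.
# iptables does this same lookup at insertion time, so checking here gives a
# clear error instead of a half-applied ruleset.
resolve_uid() {
    case "$1" in
        ''|*[!0-9]*) id -u "$1" 2>/dev/null ;;   # a name: ask the passwd database
        *) printf '%s\n' "$1" ;;                 # already numeric
    esac
}

# resolve_gid NAME_OR_GID : print the numeric gid; fail if the group is unknown.
resolve_gid() {
    case "$1" in
        ''|*[!0-9]*) awk -F: -v g="$1" '$1 == g { print $3; found = 1 } END { exit !found }' /etc/group ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# owner_ruleset IFACE USER [GROUP] : allow loopback, ICMP echo replies and the
# named user (and group) out of IFACE; log and drop everything else.
owner_ruleset() {
    iface="$1"
    uid=$(resolve_uid "$2") || { echo "owner_ruleset: unknown user '$2'" >&2; return 1; }
    if [ -n "${3:-}" ]; then
        gid=$(resolve_gid "$3") || { echo "owner_ruleset: unknown group '$3'" >&2; return 1; }
    fi

    ipt -A OUTPUT -o lo -j ACCEPT
    # Echo replies are generated by the kernel and carry no owner, so without
    # this rule they would fall through to the final DROP.
    ipt -A OUTPUT -o "$iface" -p icmp --icmp-type echo-reply -j ACCEPT
    ipt -A OUTPUT -o "$iface" -m owner --uid-owner "$uid" -j ACCEPT
    if [ -n "${3:-}" ]; then
        ipt -A OUTPUT -o "$iface" -m owner --gid-owner "$gid" -j ACCEPT
    fi
    # Log before dropping so a blocked process shows up in the kernel log;
    # the limit keeps a chatty process from flooding it.
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "owner-drop: "
    ipt -A OUTPUT -j DROP
}

# Only act when invoked with arguments, so the file can also be sourced.
if [ $# -ge 2 ]; then
    owner_ruleset "$@"
fi
```

Run it once with DRY_RUN=1 and read the six commands it prints; the unscoped LOG and DROP at the end carry the same consequence as the examples above (everything not explicitly allowed, root included, is cut off), so add any further ACCEPT rules before them.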

