* Possible to block ports by user group?
From: Michael Frank @ 2004-07-04 13:16 UTC (permalink / raw)
To: netfilter
Would like to block ports depending on the group in use
For example:
group "browser" can only access port tcp 8118 so it _must_ talk through privoxy
group "wget" can access ports tcp 21 and 80
group "trusted" can access all ports
Searched and googled but could not find anything.
How can this be done?
Michael
* Re: Possible to block ports by user group?
From: Antony Stone @ 2004-07-04 14:06 UTC (permalink / raw)
To: netfilter
On Sunday 04 July 2004 2:16 pm, Michael Frank wrote:
> Would like to block ports depending on the group in use
I don't understand what you mean by "group" (well, I understand what you mean
by it, but I don't understand where this is specified, or what it's
associated with).
> For example:
>
> group "browser" can only access port tcp 8118 so it _must_ talk through
> privoxy
>
> group "wget" can access ports tcp 21 and 80
>
> group "trusted" can access all ports
>
> Searched and googled but could not find anything.
>
> How can this be done?
Where / how are these groups defined? What identifies a PC as being part of
a specific group?
Regards,
Antony.
--
Abandon hope, all ye who enter here.
You'll feel much better about things once you do.
Please reply to the list;
please don't CC me.
* Re: Possible to block ports by user group?
From: Cedric Blancher @ 2004-07-04 14:59 UTC (permalink / raw)
To: Michael Frank; +Cc: netfilter
On Sun 04/07/2004 at 15:16, Michael Frank wrote:
> Would like to block ports depending on the group in use
See the owner match:
cbr@anduril:~$ iptables -m owner --help
iptables v1.2.11
[...]
OWNER match v1.2.11 options:
[!] --uid-owner userid Match local uid
[!] --gid-owner groupid Match local gid
[!] --pid-owner processid Match local pid
[!] --sid-owner sessionid Match local sid
[!] --cmd-owner name Match local command name
--gid-owner seems to satisfy your needs.
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
* Re: Possible to block ports by user group?
From: Michael Frank @ 2004-07-05 4:17 UTC (permalink / raw)
To: netfilter
On Sun, 4 Jul 2004 15:06:30 +0100, Antony Stone <Antony@Soft-Solutions.co.uk> wrote:
> On Sunday 04 July 2004 2:16 pm, Michael Frank wrote:
>
>> Would like to block ports depending on the group in use
>
> I don't understand what you mean by "group" (well, I understand what you mean
> by it, but I don't understand where this is specified, or what it's
> associated with).
>
>> For example:
>>
>> group "browser" can only access port tcp 8118 so it _must_ talk through
>> privoxy
>>
>> group "wget" can access ports tcp 21 and 80
>>
>> group "trusted" can access all ports
>>
>> Searched and googled but could not find anything.
>>
>> How can this be done?
>
> Where / how are these groups defined? What identifies a PC as being part of
> a specific group?
Linux machine user group or user id.
Regards
Michael
* Re: Possible to block ports by user group?
From: Michael Frank @ 2004-07-05 4:29 UTC (permalink / raw)
To: Cedric Blancher; +Cc: netfilter
On Sun, 04 Jul 2004 16:59:04 +0200, Cedric Blancher <blancher@cartel-securite.fr> wrote:
> On Sun 04/07/2004 at 15:16, Michael Frank wrote:
>> Would like to block ports depending on the group in use
>
> See the owner match:
>
> cbr@anduril:~$ iptables -m owner --help
> iptables v1.2.11
> [...]
> OWNER match v1.2.11 options:
> [!] --uid-owner userid Match local uid
> [!] --gid-owner groupid Match local gid
> [!] --pid-owner processid Match local pid
> [!] --sid-owner sessionid Match local sid
> [!] --cmd-owner name Match local command name
>
> --gid-owner seems to satisfy your needs.
>
>
Thank you for the pointer. This works very well.
I think there is a problem though wrt ICMP requests. The following
rule allows _everyone_ to ping, but I would expect only root to be able to.
ACCEPT all -- anywhere anywhere OWNER UID match root
This rule has no effect on ICMP: I am mhf and can't ping.
ACCEPT all -- anywhere anywhere OWNER UID match mhf
This is with Vanilla kernel 2.4.24. Any known issue here?
No big deal - I should try a later kernel soon.
Here is the whole list.
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5 LOG level warning prefix `ipt - Ping of Death Blocked: '
DROP icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
syn-flood tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5 LOG level warning prefix `ipt - Ping of Death Blocked: '
DROP icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
syn-flood tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 10/min burst 10 LOG level alert prefix `ipt - FORWARD dropped: '
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere OWNER UID match root
ACCEPT all -- anywhere anywhere OWNER UID match mhf
ACCEPT tcp -- anywhere anywhere tcp dpt:domain OWNER GID match guest
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp OWNER GID match guest
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3 OWNER GID match guest
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp OWNER GID match guest
ACCEPT tcp -- anywhere anywhere tcp dpt:http OWNER GID match guest
ACCEPT tcp -- anywhere anywhere tcp dpt:8118 OWNER GID match guest
ACCEPT udp -- anywhere anywhere udp dpt:domain OWNER GID match guest
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 10/min burst 10 LOG level alert prefix `ipt - OUTPUT dropped: '
Chain syn-flood (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: avg 1/sec burst 4
LOG all -- anywhere anywhere LOG level warning prefix `ipt - Blocked SYN Flood: '
DROP all -- anywhere anywhere
Any comments?
Regards
Michael
* Re: Possible to block ports by user group?
From: Alistair Tonner @ 2004-07-05 14:34 UTC (permalink / raw)
To: netfilter
On July 5, 2004 12:29 am, Michael Frank wrote:
> On Sun, 04 Jul 2004 16:59:04 +0200, Cedric Blancher <blancher@cartel-securite.fr> wrote:
> > On Sun 04/07/2004 at 15:16, Michael Frank wrote:
> >> Would like to block ports depending on the group in use
> >
> > See the owner match:
> >
> > cbr@anduril:~$ iptables -m owner --help
> > iptables v1.2.11
> > [...]
> > OWNER match v1.2.11 options:
> > [!] --uid-owner userid Match local uid
> > [!] --gid-owner groupid Match local gid
> > [!] --pid-owner processid Match local pid
> > [!] --sid-owner sessionid Match local sid
> > [!] --cmd-owner name Match local command name
> >
> > --gid-owner seems to satisfy your needs.
>
> Thank you for the pointer. This works very well.
>
> I think there is a problem though wrt ICMP requests. The following
> rule allows _everyone_ to ping, but I would expect only root to be able to.
>
> ACCEPT all -- anywhere anywhere OWNER UID match
> root
>
> This rule has no effect on ICMP: I am mhf and can't ping.
>
> ACCEPT all -- anywhere anywhere OWNER UID match
> mhf
>
> This is with Vanilla kernel 2.4.24. Any known issue here?
>
I would suggest that in all likelihood your ping/traceroute are setuid root.
*grin*
Alistair.
* Re: Possible to block ports by user group?
From: Michael Frank @ 2004-07-05 16:35 UTC (permalink / raw)
To: Alistair Tonner, netfilter
On Mon, 5 Jul 2004 10:34:16 -0400, Alistair Tonner <Alistair@nerdnet.ca> wrote:
> On July 5, 2004 12:29 am, Michael Frank wrote:
>> On Sun, 04 Jul 2004 16:59:04 +0200, Cedric Blancher <blancher@cartel-securite.fr> wrote:
>> > On Sun 04/07/2004 at 15:16, Michael Frank wrote:
>> >> Would like to block ports depending on the group in use
>> >
>> > See the owner match:
>> >
>> > cbr@anduril:~$ iptables -m owner --help
>> > iptables v1.2.11
>> > [...]
>> > OWNER match v1.2.11 options:
>> > [!] --uid-owner userid Match local uid
>> > [!] --gid-owner groupid Match local gid
>> > [!] --pid-owner processid Match local pid
>> > [!] --sid-owner sessionid Match local sid
>> > [!] --cmd-owner name Match local command name
>> >
>> > --gid-owner seems to satisfy your needs.
>>
>> Thank you for the pointer. This works very well.
>>
>> I think there is a problem though wrt ICMP requests. The following
>> rule allows _everyone_ to ping, but I would expect only root to be able to.
>>
>> ACCEPT all -- anywhere anywhere OWNER UID match
>> root
>>
>> This rule has no effect on ICMP: I am mhf and can't ping.
>>
>> ACCEPT all -- anywhere anywhere OWNER UID match
>> mhf
>>
>> This is with Vanilla kernel 2.4.24. Any known issue here?
>>
>
> I would suggest that in all likelihood your ping/traceroute are setuid root.
> *grin*
>
ping must be root or suid root: the packet count of "UID match root"
increases with ping, and nmap does work non-root.
Thank you :)
Michael
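As an added example (not code from the thread), here is an OUTPUT chain implementing the policy Michael asked for, built with the --gid-owner match Cedric pointed to, and with the root rule placed first because, as the thread concludes, a setuid-root ping matches root's uid rather than the calling user's. The group names browser, wget and trusted are the ones from the question and are assumed to exist on the host; IPT defaults to a dry run that only prints the rules.

```shell
#!/bin/sh
# Added example, not from the thread.  Default is a dry run that prints the
# rules; run with IPT=iptables as root to actually load them.
IPT="${IPT:-echo iptables}"

group_policy() {
    # Default DROP on OUTPUT: anything a group is not explicitly allowed is
    # dropped (and logged by the last rule).  The owner match only sees
    # locally generated packets, so it is valid in OUTPUT (and POSTROUTING),
    # never in INPUT or FORWARD.
    $IPT -P OUTPUT DROP
    $IPT -F OUTPUT

    # Return traffic for connections that were already allowed.
    $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # root: everything.  Setuid-root tools such as ping create their sockets
    # as root, so their ICMP echo requests match here for every user; that is
    # the behaviour Michael observed with "UID match root".
    $IPT -A OUTPUT -m owner --uid-owner root -j ACCEPT

    # "browser" may only reach privoxy on tcp/8118, so all browsing goes
    # through the proxy.
    $IPT -A OUTPUT -p tcp --dport 8118 -m owner --gid-owner browser -j ACCEPT

    # "wget" may use FTP control and HTTP directly, plus DNS to resolve names.
    $IPT -A OUTPUT -p tcp -m multiport --dports 21,80 -m owner --gid-owner wget -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 53 -m owner --gid-owner wget -j ACCEPT

    # "trusted": all ports.
    $IPT -A OUTPUT -m owner --gid-owner trusted -j ACCEPT

    # Log what falls through so a blocked program is diagnosable, not silent.
    $IPT -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "ipt - OUTPUT dropped: "
}
```

The gid tested is the one owning the socket (the process's effective gid when it created it), not supplementary group membership, so a program is placed in a group by running it under a user whose primary group is browser, wget or trusted, or via sg/newgrp.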