* Restricting access to certain network interfaces for certain users
@ 2005-01-16 18:12 Straxus
  2005-01-16 19:03 ` Les Mikesell
From: Straxus @ 2005-01-16 18:12 UTC (permalink / raw)
  To: netfilter

Hi,

I've been redirected to this list in the hope that someone here can
find a solution to my problem.

I'm trying to limit which network interfaces a given user can access.
I have two network cards (eth0 and eth1), and I've set up all sorts of
virtual interfaces (eth0:0, eth0:1, etc) to give the cards multiple IP
addresses.

Basically, I want a given user to be restricted to using a given
virtual interface (e.g. eth0:3) for all of their network transactions.
The behaviour that I'm seeing right now is that, when a user uses a
program that listens to e.g. local port 12345, it's grabbing all of
the traffic that comes into any of the virtual interfaces on port
12345. The netstat -tupan output for this program looks like:

Proto: udp
Recv-Q: 0
Send-Q: 0
Local Address: 0.0.0.0:12345
Foreign Address: 0.0.0.0:*
State: [none listed]
PID/Program name: [pid]/[progname]

As a result, when the second user tries to use the same program that
binds to the same port, one of the apps gets nothing since the other
instance is grabbing them all. As a side note, the port that this
program uses is hard-coded, and I can't modify it since it's in
proprietary software land.

I've looked at things like http://sourceforge.net/projects/jail/,
which provides a jail-like toolkit for Linux, however as far as I can
tell this version of Jail lacks the IP binding that is present in
FreeBSD's version of Jail (which would be perfect for my needs). I've
also seen the Linux VServer at http://linux-vserver.com/, however it
requires a kernel patch, and I'm wary of anything that integrates that
deep into the kernel (not to mention that upgrading with security
patches and such would become a lot more difficult if I'm using a
modified kernel).

Is there any way to only permit a user to access/bind to a given
network interface or a given IP address using netfilter and iptables,
or am I basically up the creek on this one?

Thanks,
-- 

-=Straxus=-


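The binding behaviour the post describes, as an added example that is not part of the thread and not code from the poster: a UDP socket bound to 0.0.0.0 on a port receives datagrams addressed to any local address on that port, and a second instance that then tries to bind a specific address on the same port is refused with EADDRINUSE; two sockets bound to distinct specific addresses on the same port coexist and each sees only its own traffic. Assumptions: Linux, where every 127.0.0.0/8 address is local on lo (so 127.0.0.2 stands in for one of the poster's eth0:N aliases); the kernel picks the port so the program runs unprivileged; the "probe" datagram is constructed here.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a new UDP socket to ip:port (port 0 = kernel picks).
 * Returns the fd, or -errno so callers can tell EADDRINUSE apart. */
static int bind_udp(const char *ip, uint16_t port)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -errno;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) { close(fd); return -EINVAL; }
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

/* Port the kernel assigned to a bound socket, 0 on error. */
static uint16_t bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return 0;
    return ntohs(sa.sin_port);
}

/* Send one constructed "probe" datagram to ip:port from a throwaway socket. */
static int send_probe(const char *ip, uint16_t port)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in to;
    memset(&to, 0, sizeof to);
    to.sin_family = AF_INET;
    to.sin_port = htons(port);
    inet_pton(AF_INET, ip, &to.sin_addr);
    ssize_t n = sendto(fd, "probe", 5, 0, (struct sockaddr *)&to, sizeof to);
    close(fd);
    return n == 5 ? 0 : -1;
}

/* 1 if a datagram is waiting on fd within 500 ms, else 0. */
static int has_datagram(int fd)
{
    struct pollfd p = { .fd = fd, .events = POLLIN };
    return poll(&p, 1, 500) == 1 && (p.revents & POLLIN);
}

/* The thread's scenario: the first instance binds 0.0.0.0:P and receives a
 * probe sent to the alias address 127.0.0.2:P; a second instance binding
 * 127.0.0.1:P is refused. Returns the second bind's errno (EADDRINUSE
 * expected) when the wildcard socket got the probe, 0 otherwise, <0 on
 * setup failure (e.g. sockets not permitted). */
int wildcard_grabs_everything(void)
{
    int any = bind_udp("0.0.0.0", 0);
    if (any < 0) return any;
    uint16_t port = bound_port(any);
    int got = send_probe("127.0.0.2", port) == 0 && has_datagram(any);
    int second = bind_udp("127.0.0.1", port);
    int err = second < 0 ? -second : 0;
    if (second >= 0) close(second);
    close(any);
    return got ? err : 0;
}

/* What the poster wants: one socket per address on the same port.
 * Returns 1 if both binds succeed and a probe to 127.0.0.2:P is seen
 * only by the 127.0.0.2 socket, 0 otherwise. */
int per_address_binds_coexist(void)
{
    int a = bind_udp("127.0.0.1", 0);
    if (a < 0) return 0;
    uint16_t port = bound_port(a);
    int b = bind_udp("127.0.0.2", port);
    if (b < 0) { close(a); return 0; }
    int ok = send_probe("127.0.0.2", port) == 0 && has_datagram(b) && !has_datagram(a);
    close(a);
    close(b);
    return ok;
}

int main(void)
{
    printf("second bind after wildcard: errno %d (EADDRINUSE is %d)\n",
           wildcard_grabs_everything(), EADDRINUSE);
    printf("per-address binds coexist: %d\n", per_address_binds_coexist());
    return 0;
}
```

The same conflict rule applies to TCP listeners, and it is why a program that hard-codes bind(0.0.0.0, port) cannot be run once per alias address: the first instance claims every address on that port, so the second instance either fails to bind or, if both set SO_REUSEADDR, one of them receives nothing, which matches what the poster sees.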

* Re: Restricting access to certain network interfaces for certain users
  2005-01-16 18:12 Restricting access to certain network interfaces for certain users Straxus
@ 2005-01-16 19:03 ` Les Mikesell
From: Les Mikesell @ 2005-01-16 19:03 UTC (permalink / raw)
  To: Straxus; +Cc: netfilter

On Sun, 2005-01-16 at 12:12, Straxus wrote:

> I'm trying to limit which network interfaces a given user can access.
> I have two network cards (eth0 and eth1), and I've set up all sorts of
> virtual interfaces (eth0:0, eth0:1, etc) to give the cards multiple IP
> addresses.

I don't have a solution, but I've always considered it a bizarre
departure from the unix security model that Linux does not have
an underlying device in the filesystem with associated owner/group
that has to be opened before gaining access to the network.  Does
anyone know the history of this omission?  I wouldn't expect this
to apply to individual interfaces, but I thought that SysV had
something like /dev/tcp where permissions were applied.

-- 
  Les Mikesell
   les@futuresource.com




