From: "Michael Frank" <mhf@linuxmail.org>
To: Cedric Blancher <blancher@cartel-securite.fr>
Cc: netfilter@lists.netfilter.org
Subject: Re: Possible to block ports by user group?
Date: Mon, 05 Jul 2004 12:29:23 +0800
Message-ID: <opsande9km4evsfm@smtp.pacific.net.th>
In-Reply-To: <1088953144.11637.57.camel@anduril.intranet.cartel-securite.net>
On Sun, 04 Jul 2004 16:59:04 +0200, Cedric Blancher <blancher@cartel-securite.fr> wrote:
> On Sun 04/07/2004 at 15:16, Michael Frank wrote:
>> Would like to block ports depending on the group in use
>
> See owner match :
>
> cbr@anduril:~$ iptables -m owner --help
> iptables v1.2.11
> [...]
> OWNER match v1.2.11 options:
> [!] --uid-owner userid Match local uid
> [!] --gid-owner groupid Match local gid
> [!] --pid-owner processid Match local pid
> [!] --sid-owner sessionid Match local sid
> [!] --cmd-owner name Match local command name
>
> --gid-owner seems to satisfy your needs.
>
>
Thank you for the pointer. This works very well.
I think there is a problem though wrt ICMP requests. The following
rule allows _everyone_ to ping, but I would expect only root to be able to.
ACCEPT all -- anywhere anywhere OWNER UID match root
This rule has no effect on ICMP: I am mhf and can't ping.
ACCEPT all -- anywhere anywhere OWNER UID match mhf
This is with vanilla kernel 2.4.24. Any known issue here?
No big deal; I should try a later kernel soon.
Here is the whole list.
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5 LOG level warning prefix `ipt - Ping of Death Blocked: '
DROP icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
syn-flood tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5 LOG level warning prefix `ipt - Ping of Death Blocked: '
DROP icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
syn-flood tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 10/min burst 10 LOG level alert prefix `ipt - FORWARD dropped: '
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere OWNER UID match root
ACCEPT all -- anywhere anywhere OWNER UID match mhf
ACCEPT tcp -- anywhere anywhere tcp dpt:domain OWNER GID match guest
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp OWNER GID match guest
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3 OWNER GID match guest
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp OWNER GID match guest
ACCEPT tcp -- anywhere anywhere tcp dpt:http OWNER GID match guest
ACCEPT tcp -- anywhere anywhere tcp dpt:8118 OWNER GID match guest
ACCEPT udp -- anywhere anywhere udp dpt:domain OWNER GID match guest
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 10/min burst 10 LOG level alert prefix `ipt - OUTPUT dropped: '
Chain syn-flood (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere limit: avg 1/sec burst 4
LOG all -- anywhere anywhere LOG level warning prefix `ipt - Blocked SYN Flood: '
DROP all -- anywhere anywhere
Any comments?
Regards
Michael
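The thread shows the resulting `iptables -L` listing but not the commands that produce it. The script below is an added example, not code from Michael or from the netfilter project: it rebuilds the OUTPUT chain from the listing above with the owner match Cedric pointed to, defaults to a dry run (the commands are printed instead of applied) unless APPLY=1 is set, and assumes the group "guest", the users "root" and "mhf", and the port list from the listing (8118 is the page's own port; the rest are service names). It also records the usual explanation for the ICMP observation: the owner match looks at the uid that owns the sending socket, and a classic setuid-root `ping` opens its raw socket as root, so its packets match the root rule no matter who ran it (a `ping` that relies on capabilities rather than setuid behaves differently).

```shell
#!/bin/sh
# Added example: recreate the OUTPUT chain from the thread's listing with
# the owner match. Not the original poster's script.
# Assumptions: group "guest" and users "root" and "mhf" exist; the port
# list mirrors the listing (8118 is the page's own port).
# Dry run by default: commands are echoed, not applied, unless APPLY=1.

IPT="${IPT:-iptables}"

# proto:port pairs that members of the restricted group may reach.
GUEST_PORTS="tcp:domain tcp:smtp tcp:pop3 tcp:ftp tcp:http tcp:8118 udp:domain"

# build_output_chain GROUP USER... : default-deny OUTPUT chain, unrestricted
# users matched by uid, the restricted group matched by gid and port.
# The owner match is only valid in locally generated traffic (OUTPUT), which
# is why the thread's INPUT and FORWARD chains do not use it.
build_output_chain() {
    group="$1"; shift
    $IPT -P OUTPUT DROP
    $IPT -F OUTPUT
    # Caveat: the match sees the uid owning the *socket*. A setuid-root ping
    # creates its raw socket as root, so every user's echo requests pass
    # through this rule, which is the effect reported in the thread.
    for u in "$@"; do
        $IPT -A OUTPUT -m owner --uid-owner "$u" -j ACCEPT
    done
    for entry in $GUEST_PORTS; do
        proto="${entry%%:*}"; port="${entry#*:}"
        $IPT -A OUTPUT -p "$proto" --dport "$port" \
            -m owner --gid-owner "$group" -j ACCEPT
    done
    # Replies to already-accepted connections, then rate-limited logging of
    # everything the policy drops.
    $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -m limit --limit 10/min --limit-burst 10 \
        -j LOG --log-level alert --log-prefix "ipt - OUTPUT dropped: "
}

# Dry-run helper: number of per-port group rules the chain would contain.
count_group_rules() {
    ( IPT=echo; build_output_chain "$@" ) | grep -c -e '--gid-owner'
}

# Dry-run helper: number of unrestricted-user (uid) rules.
count_uid_rules() {
    ( IPT=echo; build_output_chain "$@" ) | grep -c -e '--uid-owner'
}

[ "${APPLY:-0}" = 1 ] || IPT=echo
build_output_chain guest root mhf
```

Run it as a non-root user, or without APPLY=1, to see the exact commands before applying them as root; the two counting helpers are there so the dry run can be checked against the listing (seven gid rules, two uid rules).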