* Possible to block ports by user group?

From: Michael Frank @ 2004-07-04 13:16 UTC
To: netfilter

Would like to block ports depending on the group in use

For example:

group "browser" can only access port tcp 8118 so it _must_ talk through
privoxy

group "wget" can access ports tcp 21 and 80

group "trusted" can access all ports

Searched and googled but could not find anything.

How can this be done?

Michael
* Re: Possible to block ports by user group?

From: Antony Stone @ 2004-07-04 14:06 UTC
To: netfilter

On Sunday 04 July 2004 2:16 pm, Michael Frank wrote:

> Would like to block ports depending on the group in use

I don't understand what you mean by "group" (well, I understand what you mean
by it, but I don't understand where this is specified, or what it's
associated with).

> For example:
>
> group "browser" can only access port tcp 8118 so it _must_ talk through
> privoxy
>
> group "wget" can access ports tcp 21 and 80
>
> group "trusted" can access all ports
>
> Searched and googled but could not find anything.
>
> How can this be done?

Where / how are these groups defined? What identifies a PC as being part of
a specific group?

Regards,

Antony.

--
Abandon hope, all ye who enter here.
You'll feel much better about things once you do.

Please reply to the list;
please don't CC me.
* Re: Possible to block ports by user group?

From: Michael Frank @ 2004-07-05 4:17 UTC
To: netfilter

On Sun, 4 Jul 2004 15:06:30 +0100, Antony Stone <Antony@Soft-Solutions.co.uk> wrote:

> On Sunday 04 July 2004 2:16 pm, Michael Frank wrote:
>
>> Would like to block ports depending on the group in use
>
> I don't understand what you mean by "group" (well, I understand what you mean
> by it, but I don't understand where this is specified, or what it's
> associated with).
>
>> For example:
>>
>> group "browser" can only access port tcp 8118 so it _must_ talk through
>> privoxy
>>
>> group "wget" can access ports tcp 21 and 80
>>
>> group "trusted" can access all ports
>>
>> Searched and googled but could not find anything.
>>
>> How can this be done?
>
> Where / how are these groups defined? What identifies a PC as being part of
> a specific group?

Linux machine user group or user id.

Regards
Michael
* Re: Possible to block ports by user group?

From: Cedric Blancher @ 2004-07-04 14:59 UTC
To: Michael Frank; +Cc: netfilter

On Sun 04/07/2004 at 15:16, Michael Frank wrote:
> Would like to block ports depending on the group in use

See owner match :

cbr@anduril:~$ iptables -m owner --help
iptables v1.2.11
[...]
OWNER match v1.2.11 options:
[!] --uid-owner userid       Match local uid
[!] --gid-owner groupid      Match local gid
[!] --pid-owner processid    Match local pid
[!] --sid-owner sessionid    Match local sid
[!] --cmd-owner name         Match local command name

--gid-owner seems to satisfy your needs.

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
* Re: Possible to block ports by user group?

From: Michael Frank @ 2004-07-05 4:29 UTC
To: Cedric Blancher; +Cc: netfilter

On Sun, 04 Jul 2004 16:59:04 +0200, Cedric Blancher <blancher@cartel-securite.fr> wrote:

> On Sun 04/07/2004 at 15:16, Michael Frank wrote:
>> Would like to block ports depending on the group in use
>
> See owner match :
>
> cbr@anduril:~$ iptables -m owner --help
> iptables v1.2.11
> [...]
> OWNER match v1.2.11 options:
> [!] --uid-owner userid       Match local uid
> [!] --gid-owner groupid      Match local gid
> [!] --pid-owner processid    Match local pid
> [!] --sid-owner sessionid    Match local sid
> [!] --cmd-owner name         Match local command name
>
> --gid-owner seems to satisfy your needs.

Thank you for the pointer. This works very well.

I think there is a problem though wrt ICMP requests. The following
rule allows _everyone_ to ping, but I would expect only root to be able to.

ACCEPT     all  --  anywhere             anywhere            OWNER UID match root

This rule has no effect on ICMP. I am mhf and can't ping.

ACCEPT     all  --  anywhere             anywhere            OWNER UID match mhf

This is with Vanilla kernel 2.4.24. Any known issue here?

No big deal, - I should try a later kernel soon.

Here is the whole list.

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG        icmp --  anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5 LOG level warning prefix `ipt - Ping of Death Blocked: '
DROP       icmp --  anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5
syn-flood  tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
DROP       tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG        icmp --  anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5 LOG level warning prefix `ipt - Ping of Death Blocked: '
DROP       icmp --  anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5
syn-flood  tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere            limit: avg 10/min burst 10 LOG level alert prefix `ipt - FORWARD dropped: '

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            OWNER UID match root
ACCEPT     all  --  anywhere             anywhere            OWNER UID match mhf
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain OWNER GID match guest
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp OWNER GID match guest
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3 OWNER GID match guest
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp OWNER GID match guest
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http OWNER GID match guest
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8118 OWNER GID match guest
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain OWNER GID match guest
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere            limit: avg 10/min burst 10 LOG level alert prefix `ipt - OUTPUT dropped: '

Chain syn-flood (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere            limit: avg 1/sec burst 4
LOG        all  --  anywhere             anywhere            LOG level warning prefix `ipt - Blocked SYN Flood: '
DROP       all  --  anywhere             anywhere

Any comments?

Regards
Michael
* Re: Possible to block ports by user group?

From: Alistair Tonner @ 2004-07-05 14:34 UTC
To: netfilter

On July 5, 2004 12:29 am, Michael Frank wrote:
> On Sun, 04 Jul 2004 16:59:04 +0200, Cedric Blancher <blancher@cartel-securite.fr> wrote:
> > On Sun 04/07/2004 at 15:16, Michael Frank wrote:
> >> Would like to block ports depending on the group in use
> >
> > See owner match :
> >
> > cbr@anduril:~$ iptables -m owner --help
> > iptables v1.2.11
> > [...]
> > OWNER match v1.2.11 options:
> > [!] --uid-owner userid       Match local uid
> > [!] --gid-owner groupid      Match local gid
> > [!] --pid-owner processid    Match local pid
> > [!] --sid-owner sessionid    Match local sid
> > [!] --cmd-owner name         Match local command name
> >
> > --gid-owner seems to satisfy your needs.
>
> Thank you for the pointer. This works very well.
>
> I think there is a problem though wrt ICMP requests. The following
> rule allows _everyone_ to ping, but I would expect only root to be able to.
>
> ACCEPT     all  --  anywhere             anywhere            OWNER UID match root
>
> This rule has no effect on ICMP. I am mhf and can't ping.
>
> ACCEPT     all  --  anywhere             anywhere            OWNER UID match mhf
>
> This is with Vanilla kernel 2.4.24. Any known issue here?

I would suggest that in all likelihood your ping/traceroute are setuid root.
*grin*

Alistair.
* Re: Possible to block ports by user group?

From: Michael Frank @ 2004-07-05 16:35 UTC
To: Alistair Tonner, netfilter

On Mon, 5 Jul 2004 10:34:16 -0400, Alistair Tonner <Alistair@nerdnet.ca> wrote:

> On July 5, 2004 12:29 am, Michael Frank wrote:
>> On Sun, 04 Jul 2004 16:59:04 +0200, Cedric Blancher <blancher@cartel-securite.fr> wrote:
>> > On Sun 04/07/2004 at 15:16, Michael Frank wrote:
>> >> Would like to block ports depending on the group in use
>> >
>> > See owner match :
>> >
>> > cbr@anduril:~$ iptables -m owner --help
>> > iptables v1.2.11
>> > [...]
>> > OWNER match v1.2.11 options:
>> > [!] --uid-owner userid       Match local uid
>> > [!] --gid-owner groupid      Match local gid
>> > [!] --pid-owner processid    Match local pid
>> > [!] --sid-owner sessionid    Match local sid
>> > [!] --cmd-owner name         Match local command name
>> >
>> > --gid-owner seems to satisfy your needs.
>>
>> Thank you for the pointer. This works very well.
>>
>> I think there is a problem though wrt ICMP requests. The following
>> rule allows _everyone_ to ping, but I would expect only root to be able to.
>>
>> ACCEPT     all  --  anywhere             anywhere            OWNER UID match root
>>
>> This rule has no effect on ICMP. I am mhf and can't ping.
>>
>> ACCEPT     all  --  anywhere             anywhere            OWNER UID match mhf
>>
>> This is with Vanilla kernel 2.4.24. Any known issue here?
>
> I would suggest that in all likelihood your ping/traceroute are setuid root.
> *grin*

ping must be root or suid root, the packet count of "UID match root" increases
with ping and nmap does work non root.

Thank you :)

Michael
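The two technical points of the thread, Cedric's owner match and Alistair's setuid diagnosis, fit in one script. What follows is an added example written for this archive page; it is not code posted by anyone in the thread and not part of the netfilter project. It generates an OUTPUT chain implementing the policy Michael described (browser -> tcp/8118 only, wget -> tcp/21 and tcp/80, trusted -> everything) with --gid-owner, and adds a check for the setuid bit, because the owner match sees a setuid-root program's socket as root's, never as the invoking user's. Assumed: the groups browser, wget and trusted exist in /etc/group, privoxy listens on tcp/8118, and an iptables 1.2.x userspace. The owner match only applies to locally generated packets, so on a 2.4 kernel it is valid in the OUTPUT chain only.

```shell
#!/bin/sh
# Added example (not from the thread): per-group egress policy with the iptables
# owner match, plus a setuid check. Assumes groups browser/wget/trusted exist,
# privoxy on tcp/8118, iptables 1.2.x.
#   Dry run (print the commands):  sh group-egress.sh
#   Apply (needs root):            sh group-egress.sh apply

IPT="iptables"

# Print one OUTPUT ACCEPT rule for GROUP. PORT "any" means every port and protocol.
rule_for() {
    group=$1; proto=$2; port=$3
    if [ "$port" = any ]; then
        echo "$IPT -A OUTPUT -m owner --gid-owner $group -j ACCEPT"
    else
        echo "$IPT -A OUTPUT -p $proto --dport $port -m owner --gid-owner $group -j ACCEPT"
    fi
}

# Whole policy: default DROP, established replies first, then the per-group rules.
emit_rules() {
    echo "$IPT -P OUTPUT DROP"
    echo "$IPT -F OUTPUT"
    echo "$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    rule_for trusted all any      # trusted: everything
    rule_for browser tcp 8118     # browser: only the local privoxy port
    rule_for wget tcp 21          # wget: ftp control ...
    rule_for wget tcp 80          # ... and http
    # Anything else is logged (rate-limited) and falls through to the DROP policy.
    echo "$IPT -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix 'ipt - OUTPUT dropped: '"
}

# A setuid program opens its sockets as the file owner, not as the user who ran
# it, so --uid-owner/--gid-owner rules see a setuid-root ping as root.
# Returns 0 when FILE has the setuid bit.
is_setuid() {
    [ -u "$1" ]
}

# Report which of the given binaries the owner rules will treat as their owner.
report_setuid() {
    for f in "$@"; do
        if is_setuid "$f"; then
            echo "$f: setuid, owner match sees uid of $(ls -ld "$f" | awk '{print $3}')"
        fi
    done
}

if [ "$1" = apply ]; then
    emit_rules | sh -e
else
    emit_rules
    report_setuid /bin/ping /usr/bin/traceroute
fi
```

Order matters: the RELATED,ESTABLISHED rule comes first so replies are never re-evaluated against the group rules, and the trusted rule precedes the narrower ones. If a setuid binary shows up in the report, restrict it by path instead (file permissions or a dedicated group on the binary) rather than expecting the uid rule to catch it.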