6

I have to harden a Linux desktop as an assignment in my college. But I got stuck at a specific problem: I have to control the outgoing traffic with iptables.

It should be possible to prevent a specific application (like LibreOffice) from accessing the internet. My professor said "look for the 'match' option". But I can't figure out how to do it. I thought of setting a rule which drops all packets of a specific group id with the -m owner --owner-gid option. But how can I configure my applications to run under this particular group? Or is this just the wrong way to do it?

The OS is Debian 7.

strugee
  • 14,951
Sebastian
  • 163
  • See this Q&A: http://unix.stackexchange.com/questions/68956/block-network-access-of-a-process/69017#69017 – slm Dec 12 '13 at 08:04
  • Related: http://unix.stackexchange.com/questions/32264/per-process-firewall – slm Dec 12 '13 at 08:34
  • As you can see, this is a FAQ. IMO you would use selinux, apparmor, grsecurity, or similar tools rather than iptables. Each tool has advantages and disadvantages. – Panther Dec 12 '13 at 18:48

2 Answers

5

owner module

Take a look at this URL titled: Iptables Tutorial 1.2.2. This page lists several of the matching techniques one can do using owner information about a process.

The owner match extension is used to match packets based on the identity of the process that created them. The owner can be specified as the process ID either of the user who issued the command in question, that of the group, the process, the session, or that of the command itself. This extension was originally written as an example of what iptables could be used for. The owner match only works within the OUTPUT chain, for obvious reasons: It is pretty much impossible to find out any information about the identity of the instance that sent a packet from the other end, or where there is an intermediate hop to the real destination. Even within the OUTPUT chain it is not very reliable, since certain packets may not have an owner. Notorious packets of that sort are (among other things) the different ICMP responses. ICMP responses will never match.

  1. Match --uid-owner

    $ iptables -A OUTPUT -m owner --uid-owner 500
    
  2. Match --gid-owner

    $ iptables -A OUTPUT -m owner --gid-owner 0
    

Caveat

The documentation I reference is severely outdated, but is in fact still referred to on the official netfilter.org website: http://www.netfilter.org/documentation/.

Consulting the built-in docs

So I would take this opportunity to teach you another skill that will carry you far and wide as you continue to use Linux/Unix and open source software for that matter. Consult the usage and/or man pages, since they're likely the most up to date information you'll find when dealing with various tools.

Example

The module we're dealing with within iptables is called owner. So we can query an extensive usage guide on it like so:

$ iptables -m owner --help

Doing so will reveal that these are the supported owner match options:

owner match options:
[!] --uid-owner userid[-userid]      Match local UID
[!] --gid-owner groupid[-groupid]    Match local GID
[!] --socket-exists                  Match if socket exists

NOTE: You can check what version you have like so:

$ iptables --version
iptables v1.4.18

I encourage you to read through this usage guide to gain further insights into how to use the tool and also to understand how to use the tool.

slm
  • 369,824
  • This tutorial is very old. The only useful parameter --cmd-owner has long been removed from iptables. And --pid-owner is way harder to use because one would have to continuously iterate over all processes in order to add new PIDs and remove old ones. – scai Dec 12 '13 at 08:21
  • @scai - yes I noticed the date, I put this here as a place holder, was looking for a more recent version. I did find this page on Debian which mentions the same switches. http://www.debian-administration.org/article/120/Application_level_firewalling. Will continue digging for a more recent list. – slm Dec 12 '13 at 08:24
  • @scai - it's hardly reassuring when the main site for the project is pushing a howto from 2001 as current documentation. http://www.netfilter.org/documentation/. The doc I linked to is there too. – slm Dec 12 '13 at 08:28
  • Indeed. But that's nothing unusual in the Linux world, unfortunately :( – scai Dec 12 '13 at 08:38
  • Yes that's it. I got it to run with your tutorial and the following How-To: http://ubuntuforums.org/archive/index.php/t-1188099.html – Sebastian Dec 13 '13 at 08:19
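The group-based setup the question asks about, as an added shell example that is not part of any answer here or of the linked how-to: it assumes a dedicated group called no-internet and uses sg(1) from shadow-utils to start the application with that group as its effective GID, so the --gid-owner rule hits only that program and not everything the user runs.

```shell
# Added example, not code from the original post or the linked how-to.
# Idea: run the application under a dedicated group and drop every outgoing
# packet whose socket belongs to that group (iptables -m owner --gid-owner).
# Assumed group name; any unused name works.
NOINET_GROUP="${NOINET_GROUP:-no-internet}"

# Rule that drops all outgoing packets created under GID (or group name) $1.
# "-I OUTPUT 1" puts it at the top so a later permissive ACCEPT cannot shadow it.
block_rule_for_gid() {
    printf 'iptables -I OUTPUT 1 -m owner --gid-owner %s -j DROP' "$1"
}

# Loopback exception, inserted above the DROP so local services (X, CUPS,
# D-Bus over TCP) keep working for the blocked application.
loopback_rule_for_gid() {
    printf 'iptables -I OUTPUT 1 -o lo -m owner --gid-owner %s -j ACCEPT' "$1"
}

# Run as root once: create the group, enrol the desktop user, load both rules.
setup_noinet_group() {
    user="$1"
    getent group "$NOINET_GROUP" >/dev/null || groupadd "$NOINET_GROUP"
    usermod -a -G "$NOINET_GROUP" "$user"   # membership lets sg switch without a password
    eval "$(block_rule_for_gid "$NOINET_GROUP")"
    eval "$(loopback_rule_for_gid "$NOINET_GROUP")"
}

# Run as the desktop user (log in again first so the new group is active):
# starts the command with NOINET_GROUP as its effective group via sg(1).
run_without_internet() {
    sg "$NOINET_GROUP" -c "$*"
}

# Check: the DROP rule's packet counter grows while the application tries to
# reach the network, while other programs of the same user are unaffected.
show_owner_rules() {
    iptables -L OUTPUT -v -n --line-numbers | grep -E 'owner|num'
}

if [ "${1:-}" = "--apply" ]; then
    setup_noinet_group "${2:?desktop user}"   # e.g. sh noinet.sh --apply sebastian
fi
```

Apply once as root with --apply, then start the program as the desktop user with run_without_internet libreoffice; ICMP replies still do not carry an owner, as the quoted tutorial notes.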
2

User name (uid) or group name (gid) won't help because these are the IDs of the user executing the application. Thus it would apply to all applications by that particular user and not just a single one, like LibreOffice.

Blocking a specific application is usually done by blocking all ports the application uses. But this only works if the user can't change the ports the application will use.

scai
  • 10,793