
I have filtering working for some users and groups; however, it is not working for SSH. For SSH, I am specifying members of the ssh group can have outbound SSH traffic. I am using the same syntax for daemons (DNS and privoxy) and they function fine.

When I do a process listing, I do see that ssh is run by myself, so why is it not letting me out?

macro

?COMMENT SSH
PARAM - - tcp ssh - - - :ssh

iptables

ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 owner GID match 1006

1006 is the groupid of the ssh group

I am a member of the ssh group and I see iptables is matching the owner GID to that of ssh. Can I do this or not? This is outbound and not inbound ...

tarleb
Walter
  • Can you show us the rules you're currently using? – David King Dec 09 '15 at 17:35
  • I updated the post above to show the relevant iptables output. At the end of the Chain, everything is logged and that is where I am seeing it not matching the group. – Walter Dec 10 '15 at 01:36
  • I'm guessing what's happening is even though you're a member of the ssh group it's not your primary group which is what iptables is matching against – David King Dec 10 '15 at 02:03
  • Ah okay, I was guessing something like that was happening, but it seems silly then to have group matching if it doesn't match all groups. – Walter Dec 10 '15 at 11:37
  • Like I said that's just a guess but typically GID refers to the primary group. – David King Dec 10 '15 at 13:17

1 Answer


This has already been answered by @DavidKing in the comments: the GID checked by iptables refers to the GID under which the process is running. Iptables won't check if the owner of that process is somehow a member of the given group.

If you want to keep your settings the way they are, you will have to run ssh with a specific group id:

sg ssh "ssh root@example.com"

Here, sg is the command to change the group as which a command is run (just like su does the same for users). It can be seen how it works by comparing the output of id and sg ssh id. One will notice that the value of the gid will be different, while everything else stays the same.

The whole topic of group ids is explained very well in the answers to this question.

tarleb
  • Yes, that was it, thanks for the awesome explanation. Once I did that, it worked perfectly. – Walter Dec 11 '15 at 01:25
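Added example (not part of the question or the answer): a POSIX sh audit that pulls the --gid-owner rules out of iptables -S style output and reports whether a process with a given effective GID would pass each one, which makes the point above concrete: the owner match compares the effective GID only, so being in the ssh group as a supplementary group does not help. The SAMPLE_RULES text and the GID values (1001, 1006, 1000) are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `iptables -S OUTPUT` output (not from a live host).
SAMPLE_RULES='-P OUTPUT ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m owner --gid-owner 1001 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -m owner --gid-owner 1006 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUTPUT-DROP: "'

# gid_owner_rules RULES: print "<dport> <gid>" for every --gid-owner rule.
gid_owner_rules() {
    printf '%s\n' "$1" | awk '
        /--gid-owner/ {
            dport = "any"; gid = "";
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") dport = $(i + 1);
                if ($i == "--gid-owner") gid = $(i + 1);
            }
            print dport, gid
        }'
}

# rule_matches RULE_GID EGID SUPPLEMENTARY_GIDS
# Returns 0 if the owner match would accept the packet, 1 otherwise.
# Only EGID is compared, mirroring the kernel's owner match; the
# supplementary list is used solely to explain a near miss on stderr.
rule_matches() {
    rule_gid=$1; egid=$2; supp=$3
    [ "$rule_gid" = "$egid" ] && return 0
    for g in $supp; do
        if [ "$g" = "$rule_gid" ]; then
            echo "gid $rule_gid is only a supplementary group; owner match ignores it (run the command under sg/newgrp)" >&2
            return 1
        fi
    done
    return 1
}

# report EGID SUPPLEMENTARY_GIDS: audit every rule in SAMPLE_RULES for one process.
report() {
    gid_owner_rules "$SAMPLE_RULES" | while read -r dport gid; do
        if rule_matches "$gid" "$1" "$2"; then
            echo "dport $dport: ALLOWED (egid $1 == $gid)"
        else
            echo "dport $dport: BLOCKED (egid $1 != $gid)"
        fi
    done
}
```

On a real host, `report "$(id -g)" "$(id -G)"` run once normally and once via `sg ssh` shows the difference the answer describes.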