
In Ubuntu 17.04, I've been trying to use iptables to block a process's internet connection but allow localhost, particularly 127.0.0.1:5500 (a server the process creates).

Whilst the process can't access the internet, it also times out accessing 127.0.0.1:5500. Trying to ping 127.0.0.1 results in "ping: sendmsg: Operation not permitted".

I followed this below: https://ubuntuforums.org/showthread.php?t=1188099.

My IP tables file is:

#!/bin/bash
iptables -A OUTPUT -m owner --gid-owner no-internet -d 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner no-internet -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP

Which I run with sudo -g no-internet <command>, e.g. sudo -g no-internet firefox.

Is there anything I'm doing wrong, or is this just not possible? Is there a better way of doing this?

  • Are you otherwise also blocking ping/ICMP? – Jeff Schaller May 28 '18 at 15:21
  • @Trashay: I think it will be useful to you (move the process to another namespace) - https://unix.stackexchange.com/a/83348/273268. – Yurij Goncharuk May 28 '18 at 15:30
  • I'm afraid I haven't explicitly done anything other than what's in the post above. May I ask how I go about checking or unblocking ICMP? @JeffSchaller – Trashay May 28 '18 at 15:31
  • From memory, iptables -n -L OUTPUT would show the default policy. – Jeff Schaller May 28 '18 at 15:44
  • Running iptables -n -L OUTPUT both in the group and outside of the group returns the following: https://pastebin.com/raw/HTuS7VuQ. Appears that it's accepting localhost. @JeffSchaller – Trashay May 28 '18 at 15:57
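The comments turn on which rule in OUTPUT actually fires for a given group and destination. The following added example (not part of the question or any comment) parses `iptables -S OUTPUT` style output and walks it first-match, the way the kernel does; the sample lines are constructed from the ruleset in the question, and the numeric gid 1001 standing for the no-internet group is an assumption.

```python
import ipaddress

# Constructed sample of `iptables -S OUTPUT` output for the ruleset in the
# question; not captured from a real host. -S prints the owner match
# numerically, so gid 1001 is assumed to be the "no-internet" group.
SAMPLE_RULES = """\
-P OUTPUT ACCEPT
-A OUTPUT -d 192.168.1.0/24 -m owner --gid-owner 1001 -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -m owner --gid-owner 1001 -j ACCEPT
-A OUTPUT -m owner --gid-owner 1001 -j DROP
"""

def parse_rules(text):
    """Return (default_policy, [rule dicts]) from iptables -S output."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "-P":          # chain default policy
            policy = tokens[2]
            continue
        if tokens[0] != "-A":          # only appended rules are evaluated
            continue
        rule = {"dst": None, "gid": None, "proto": None, "target": None}
        for i, tok in enumerate(tokens):
            if tok == "-d":
                rule["dst"] = ipaddress.ip_network(tokens[i + 1], strict=False)
            elif tok == "--gid-owner":
                rule["gid"] = tokens[i + 1]      # numeric or group name
            elif tok == "-p":
                rule["proto"] = tokens[i + 1]
            elif tok == "-j":
                rule["target"] = tokens[i + 1]
        rules.append(rule)
    return policy, rules

def verdict(text, gid, dst_ip, proto="tcp"):
    """First-match evaluation: the target of the first rule whose
    destination, owner gid and protocol all match, else the default policy."""
    policy, rules = parse_rules(text)
    addr = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule["dst"] is not None and addr not in rule["dst"]:
            continue
        if rule["gid"] is not None and rule["gid"] != str(gid):
            continue
        if rule["proto"] is not None and rule["proto"] != proto:
            continue
        return rule["target"]
    return policy
```

Running `verdict(SAMPLE_RULES, 1001, "127.0.0.1", proto="icmp")` shows that, under these rules alone, ICMP to loopback from the restricted group is accepted; a "sendmsg: Operation not permitted" therefore points at a rule outside this listing.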

1 Answer

Here is a solution for the new nftables. However, Ubuntu 17.04 may be too old. Debian only got nftables by default in the most recent release.

It is adapted from something similar on my system. It is not tested as is (especially the dport line: I don't have this), but should work.

#!/usr/sbin/nft -f

# Create the table if it does not exist, then flush it, so re-running the
# script replaces the ruleset atomically instead of appending duplicates.
table ip my_table {}
flush table my_table

table ip my_table {
    chain output {
        type filter hook output priority 0; policy accept;
        skuid "other" jump restrict_chain; # user to restrict
    }

    chain restrict_chain {
        counter;
        oifname != "lo" jump reject_chain;       # anything not on loopback
        tcp dport != 5500 jump reject_chain;     # line not tested
        accept;
    }

    # Jumped to above but missing from the original script; nft -f refuses
    # to load a ruleset that references an undefined chain.
    chain reject_chain {
        reject;
    }
}

nftables has the advantage of being simpler, and can be (this script is) atomic.

I did not deal with the local network as in your code, as you make no mention of it in the rest of the text.