This works:
sudo iptables -A OUTPUT -m owner --uid-owner {USERNAME} -j REJECT
to block internet for a specific user. But it's not permanent.
What's the easiest way to make this persistent after a reboot, with newer systems (with systemd)?
Creating a specific .service file is always tricky and takes some time to figure out: one-shot? stoppable? forking? etc. and many other options, so I was wondering what is the most natural way to persist an iptables rule with new systems.
iptables-save >/etc/sysconfig/iptables. But if you have firewalld service, you shouldn't use both and need to disable that and enable iptables-services service. – binarysta Apr 25 '20 at 15:00
iptables-persistent, and you're done, no? – Vlastimil Burián Apr 25 '20 at 15:03
iptables command the rule will be disabled but in the next boot the rules will be read from the file, so you have all your rules. – binarysta Apr 25 '20 at 15:33
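The two approaches from the comments, combined into one script as an added example (not code from the question or its commenters). It assumes iptables-persistent (Debian/Ubuntu) or iptables-services (RHEL/CentOS) is installed and enabled so the saved file is loaded at boot; the function names and the root-prefix argument are hypothetical. It goes beyond the question's command by also adding the rule with ip6tables, since an IPv4-only rule leaves IPv6 traffic from that user unblocked.

```shell
#!/bin/sh
# Added example. Run as root after sourcing:  persist_user_block alice

# Print the file the boot-time loader reads.
# $1 = "iptables" or "ip6tables"
# $2 = optional root prefix (hypothetical parameter, only useful for testing)
rules_file() {
    root="${2:-}"
    if [ -d "$root/etc/iptables" ]; then        # iptables-persistent layout
        case "$1" in
            iptables)  echo "$root/etc/iptables/rules.v4" ;;
            ip6tables) echo "$root/etc/iptables/rules.v6" ;;
            *) return 1 ;;
        esac
    elif [ -d "$root/etc/sysconfig" ]; then     # iptables-services layout
        echo "$root/etc/sysconfig/$1"
    else
        return 1
    fi
}

# Add the REJECT rule for user $1 if it is not already present,
# then write the running ruleset to the file loaded at boot.
persist_user_block() {
    user="$1"
    id -u "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    for ipt in iptables ip6tables; do
        file=$(rules_file "$ipt") || { echo "no rules directory found" >&2; return 1; }
        # -C tests for an identical rule, so re-running does not duplicate it.
        "$ipt" -C OUTPUT -m owner --uid-owner "$user" -j REJECT 2>/dev/null ||
            "$ipt" -A OUTPUT -m owner --uid-owner "$user" -j REJECT || return 1
        "$ipt-save" > "$file" || return 1
    done
}
```

Because the whole running ruleset is saved, any other temporary rules present at that moment are persisted too; review the file before rebooting.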