I want to create a new user (or group), so that any application running with this user can't connect to the network.

@Michael Kjörling I have followed your suggestion (with Ubuntu 12.04 64-bit) and got some error information:

$ sudo iptables -A OUTPUT -m owner --uid-owner xyz ! -i lo -j REJECT --reject-with network-unreachable
iptables v1.4.12: unknown reject type "network-unreachable"
Try `iptables -h' or 'iptables --help' for more information.

$ sudo iptables -A OUTPUT -m owner --uid-owner xyz ! -i lo -j REJECT
iptables v1.4.12: Can't use -i with OUTPUT
Try `iptables -h' or 'iptables --help' for more information.

$ sudo iptables -A OUTPUT -m owner --uid-owner xyz ! -j REJECT
iptables v1.4.12: cannot have ! before -j
Try `iptables -h' or 'iptables --help' for more information.

Finally, the following one works, but I'm not sure if there is anything wrong with it.

$ sudo iptables -A OUTPUT -m owner --uid-owner xyz -j REJECT
$
Eastsun
  • 133


7

You can use the owner match extension for iptables (ipt_owner.ko), together with an exception for the loopback interface, to block external network communication for a specific user. (Or, alternatively, allow network access only for a set of users.)

For example:

modprobe ipt_owner
iptables -A OUTPUT -m owner --uid-owner $USERNAME ! -o lo -j REJECT

(Untested but should get the gist across.) Replace $USERNAME with the relevant user's login name.

How to Limit network access by user / group using iptables - Owner Match by Nikesh Jauhari provides some background. It can be used with groups too, but I'm not sure how it deals with primary and secondary groups.

user
  • 28,901
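An added example, not code from the answer above or from the linked article: two hypothetical POSIX shell helpers that wrap the same owner-match rule. The first prints the rule for a user (--uid-owner) or a group (--gid-owner); the second applies it only if it is not already present (using iptables -C, available since iptables 1.4.11, so Ubuntu 12.04's 1.4.12 qualifies) and refuses names that do not resolve. The non-dry run needs root.

```shell
#!/bin/sh
# Added example, not code from the original answer. Hypothetical helpers
# that build and apply the owner-match rule for a user or a group.

# Print the single iptables rule (the answer's form) for "user NAME" or
# "group NAME". The loopback exception uses -o: OUTPUT has no input
# interface, which is why the question's "-i lo" was rejected.
owner_block_rule() {
    kind="$1"; name="$2"
    case "$kind" in
        user)  match="--uid-owner" ;;
        group) match="--gid-owner" ;;
        *) echo "kind must be user or group" >&2; return 2 ;;
    esac
    # icmp-net-unreachable is a reject type name iptables accepts;
    # "network-unreachable" (tried in the question) is not one.
    printf 'iptables -A OUTPUT -m owner %s %s ! -o lo -j REJECT --reject-with icmp-net-unreachable\n' \
        "$match" "$name"
}

# Apply the rule once: iptables -C probes for it first, so re-running the
# script does not stack duplicates. A name that does not resolve is
# refused, because --uid-owner/--gid-owner turn names into ids at load
# time and a typo would otherwise install a rule that matches nothing.
# With a third argument "dry", print the command instead of running it.
apply_owner_block() {
    kind="$1"; name="$2"; mode="$3"
    rule=$(owner_block_rule "$kind" "$name") || return 2
    case "$kind" in
        user)  id -u "$name" >/dev/null 2>&1 ;;
        group) getent group "$name" >/dev/null 2>&1 ;;
    esac || { echo "unknown $kind: $name" >&2; return 1; }
    if [ "$mode" = dry ]; then printf '%s\n' "$rule"; return 0; fi
    check=$(printf '%s' "$rule" | sed 's/ -A OUTPUT / -C OUTPUT /')
    # Must run as root; the rule goes in only when the -C probe says it is absent.
    sh -c "$check" >/dev/null 2>&1 || sh -c "$rule"
}

# Usage: apply_owner_block user xyz        (as root, installs the rule)
#        apply_owner_block user xyz dry    (only shows the command)
```

Because REJECT sits in OUTPUT, the blocked user's program gets an immediate error on connect() or sendto() instead of a timeout, which makes the restriction easy to confirm from that user's shell.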