Limit network access
by user / group
Use the owner module. This module applies to locally generated packets, not incoming or forwarded packets, and is thus used in the OUTPUT (filter) chain.
You may specify a user/group by name, uid, or gid. In the following examples I use the group "net" to demonstrate restricting access to root and members of the group "net". "net" is a custom group and you will need to create this group and add members to it.
General syntax:
-m owner --uid-owner 0
-m owner --uid-owner root
-m owner --gid-owner net
Example - by user (assuming a user name = bodhi)
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT
iptables -A OUTPUT -o eth0 -m owner --uid-owner bodhi -j ACCEPT
iptables -A OUTPUT -j DROP
Example - by group (assuming a group name = net)
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -m owner --uid-owner 0 -j ACCEPT
iptables -A OUTPUT -o eth0 -m owner --gid-owner net -j ACCEPT
iptables -A OUTPUT -j DROP
- When matching by group, only a user's active group is used (see below).
- You may temporarily change your active group with the newgrp command (this starts a new shell).
- You may permanently change your active group with the usermod command (see below).
To view your group memberships use the command "id".
id bodhi
uid=1000(bodhi) gid=1000(bodhi) groups=1000(bodhi),1100(net) ....
As you can see, this command shows your active group [ gid=1000(bodhi) ]. It is this active group that is used by iptables to grant or block access.
Assuming you are restricting access to a group "net", you may temporarily change your active group to "net" with the command "newgrp".
Example:
# Ping initially fails
id bodhi
uid=1000(bodhi) gid=1000(bodhi) groups=1000(bodhi),1100(net) ....
ping -c 1 google.com
ping: unknown host google.com
# Change active group with "newgrp"
newgrp net
id
uid=1000(bodhi) gid=1100(net) groups=1000(bodhi),1100(net) ....
ping -c 1 google.com
PING google.com (74.125.95.99) 56(84) bytes of data.
64 bytes from iw-in-f99.1e100.net (74.125.95.99): icmp_seq=1 ttl=48 time=83.4 ms
--- google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 83ms
rtt min/avg/max/mdev = 83.434/83.434/83.434/0.000 ms
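The newgrp example above comes down to one check: the owner match looks at the process's active (primary) gid, not the supplementary group list. The script below is an added example, not part of the original post; it reproduces that decision from a line of "id" output so you can see why ping is dropped before newgrp and accepted after it. The two id lines are constructed to mirror the output shown above; on a real host feed it "$(id)" instead. (Recent iptables releases also add an --suppl-groups option to the owner match for exactly this case.)

```sh
#!/bin/sh
# Added example (not from the original post): reproduces the decision that
# "-m owner --gid-owner net" makes, using only the primary gid shown by "id".
# The two id lines are constructed to mirror the post's before/after newgrp output.
ID_BEFORE='uid=1000(bodhi) gid=1000(bodhi) groups=1000(bodhi),1100(net)'
ID_AFTER='uid=1000(bodhi) gid=1100(net) groups=1000(bodhi),1100(net)'

# Print the name of the active (primary) group from a line of "id" output.
primary_group() {
    g=${1#*gid=}                # drop everything up to and including "gid="
    g=${g%%")"*}                # keep "1100(net"
    printf '%s\n' "${g#*"("}"   # strip the numeric gid and "(" -> "net"
}

# Succeed if the group appears anywhere in the groups= list (primary or supplementary).
is_member() {
    case "${1#*groups=}" in *"($2)"*) return 0 ;; *) return 1 ;; esac
}

# Verdict for an OUTPUT chain of the form used in the post:
#   ... -m owner --gid-owner $2 -j ACCEPT, followed by -j DROP
owner_verdict() {
    if [ "$(primary_group "$1")" = "$2" ]; then
        echo ACCEPT
    elif is_member "$1" "$2"; then
        echo "DROP (member of $2 only as a supplementary group; run: newgrp $2)"
    else
        echo "DROP (not a member of $2)"
    fi
}

# Stand-alone demonstration; replace the samples with "$(id)" on a real host.
for sample in "$ID_BEFORE" "$ID_AFTER"; do
    printf '%s -> %s\n' "$sample" "$(owner_verdict "$sample" net)"
done
```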
You can change your default group with usermod (or your graphical group management tool).
sudo usermod -g net bodhi
You will need to log out and back in (or start a new shell) for changes to take effect.
by time / date
Use the time module. Syntax:
-m time --timestart HH:MM --timestop HH:MM
Example - lunch hour only
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443 -m time --timestart 12:00 --timestop 13:00 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443 -j DROP
Caveats: The time module works by analyzing the time stamp of locally generated packets. Thus use these rules in OUTPUT specifying either --sport or --dport.
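To see exactly which clock times the lunch-hour rule accepts, here is an added example (not from the original post) that reproduces the daytime comparison behind --timestart/--timestop. It goes a little beyond the rule above: both ends of the window are inclusive, and a timestop earlier than timestart (for example 22:00 to 06:00) is treated as a window crossing midnight, which is how the time match handles it. One caveat worth knowing: the kernel compares against UTC unless the rule is given --kerneltz, so 12:00 in the rule is 12:00 UTC on a host without that flag.

```sh
#!/bin/sh
# Added example (not from the original post): the daytime comparison that
# "-m time --timestart HH:MM --timestop HH:MM" performs, including the
# wrap-past-midnight case (timestop earlier than timestart).

# Convert HH:MM to minutes since midnight (leading zero stripped so 08 is not read as octal).
to_minutes() {
    h=${1%%:*}; m=${1#*:}
    echo $(( ${h#0} * 60 + ${m#0} ))
}

# Exit 0 if clock time $1 falls inside [$2, $3], both ends inclusive.
# If stop < start the window crosses midnight, e.g. 22:00-06:00.
in_window() {
    now=$(to_minutes "$1"); start=$(to_minutes "$2"); stop=$(to_minutes "$3")
    if [ "$start" -le "$stop" ]; then
        [ "$now" -ge "$start" ] && [ "$now" -le "$stop" ]
    else
        [ "$now" -ge "$start" ] || [ "$now" -le "$stop" ]
    fi
}

# Verdict the post's lunch-hour OUTPUT chain gives a web connection at time $1:
# ACCEPT inside 12:00-13:00, DROP otherwise (the final rule drops ports 80,443).
lunch_verdict() {
    if in_window "$1" 12:00 13:00; then echo ACCEPT; else echo DROP; fi
}

# Stand-alone demonstration. Without --kerneltz the kernel compares UTC,
# so "12:00" in the rule means 12:00 UTC, not local time.
for t in 11:59 12:00 12:30 13:00 13:01; do
    printf '%s -> %s\n' "$t" "$(lunch_verdict "$t")"
done
```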
Blacklist / Whitelist
I use small letters for user defined chains.
iptables -N blacklist
iptables -A INPUT -j blacklist
iptables -A OUTPUT -j blacklist
# <address> is a placeholder for the IP or network to block
iptables -A blacklist -d <address> -j DROP
iptables -A blacklist -s <address> -j DROP
Use iptables to block failed connections
You will have to adjust these settings for your server. For example, settings are very different for ssh, http, and samba servers.
Block Brute Force attempts (SSH or other connections)
iptables -A INPUT -p tcp -m tcp --dport 22 -m tcp -m state --state NEW -m recent --set --name SSH --rsource
iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 600 --hitcount 8 --rttl --name SSH --rsource -j DROP
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
Modified from:
Kevin van Zonneveld - Blog
SAMHAIR LABS
Block Brute Force attempts (http [Apache] or other connections)
# General new connection rate limiting for DOS and Brute Force protection
iptables -I INPUT -p tcp -m state --state NEW -m limit --limit 30/minute --limit-burst 5 -j ACCEPT
Thanks to HermanAB @ Ubuntu Forums
NAT - Network Address Translation
This section is under development. Think of NAT as using your firewall as a router (firewall = the computer we are configuring iptables on).
Typically you will use multiple interfaces, although one (or more) of them may be a virtual interface such as one provided by VirtualBox, VMware, or KVM.
For a concise overview of how to set up a router see:
Stateful Firewall and Masquerading on Linux - by Werner Puschitz
For a more detailed guide see:
"Novell coolsolutions" - Simple Firewall Configuration Using NetFilter/iptables
Terminology:
DNAT - Destination Network Address Translation. Changes the destination IP of a packet.
SNAT - Source Network Address Translation. Likewise, changes the source IP of a packet.