#3
04-22-2008
Nick Craig-Wood

Re: limit outgoing connections to certain users

amoroder <amoroder@sb-brixen.it> wrote:
> in our hospital we have companies that must connect to computers
> for support. We want to limit their access to certain machines, but
> we have the following problem. We can limit on the firewall to
> what machine they can connect, but when they are connected to this
> server via ssh there is no way to prevent them trying to connect to
> other machines.
>
> Is there a way to limit outgoing network traffic from a linux
> machine per user or, even better, is there a way to limit an
> outgoing connection depending on the place the incoming ssh comes
> from ?


Assuming they log in as an identifiable user / group you can use the
owner match in the OUTPUT table to limit access.

From the man page

owner
This module attempts to match various characteristics of the
packet creator, for locally-generated packets. It is only
valid in the OUTPUT chain, and even this some packets (such as
ICMP ping responses) may have no owner, and hence never match.

--uid-owner userid
Matches if the packet was created by a process with the
given effective user id.

--gid-owner groupid
Matches if the packet was created by a process with the
given effective group id.

--pid-owner processid
Matches if the packet was created by a process with the
given process id. (Please note: This option requires
kernel support that might not be available in official
Linux kernel sources or Debian's packaged Linux kernel
sources. And if support for this option is available
for the specific Linux kernel source version, that
support might not be enabled in the current Linux kernel
binary.)

--sid-owner sessionid
Matches if the packet was created by a process in the
given session group. (Please note: This option
requires kernel support that might not be available in
official Linux kernel sources or Debian's packaged Linux
kernel sources. And if support for this option is
available for the specific Linux kernel source
version, that support might not be enabled in the current
Linux kernel binary.)

--cmd-owner name
Matches if the packet was created by a process with the
given command name. (Please note: This option requires
kernel support that might not be available in official
Linux kernel sources or Debian's packaged Linux kernel
sources. And if support for this option is available
for the specific Linux kernel source version, that
support might not be enabled in the current Linux kernel
binary.)

NOTE: pid, sid and command matching are broken on SMP

--
Nick Craig-Wood <nick@craig-wood.com> -- http://www.craig-wood.com/nick
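A worked rule set for the approach in the reply above, added here as an example (it is not part of Nick's post and not from any project). It builds the per-group OUTPUT rules using the owner match from the man page excerpt and prints them as a dry run so they can be reviewed before being applied. Everything specific is constructed for the example: the support accounts are assumed to be members of a group named "vendor", the only machine they may reach from this host is 10.0.5.20 on TCP 22, and the kernel is assumed to have the owner match, conntrack, LOG and REJECT modules available.

```shell
#!/bin/sh
# Added example (not from the post): confine the outbound traffic of one group
# with the iptables owner match in the OUTPUT chain.
# Assumptions, all constructed for this example: vendor support logins are
# members of group "vendor"; they may only reach 10.0.5.20 on TCP 22 from
# this host; the kernel provides xt_owner, conntrack, LOG and REJECT.

# Print the iptables commands for one group (dry run, nothing is applied).
#   $1 = group name, $2 = allowed destination address, $3 = allowed TCP port
vendor_egress_rules() {
    group="$1"
    host="$2"
    port="$3"
    cat <<EOF
iptables -N VENDOR_OUT
iptables -A OUTPUT -m owner --gid-owner $group -j VENDOR_OUT
iptables -A VENDOR_OUT -o lo -j ACCEPT
iptables -A VENDOR_OUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A VENDOR_OUT -d $host -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -A VENDOR_OUT -m limit --limit 5/min -j LOG --log-prefix "vendor-egress-drop: "
iptables -A VENDOR_OUT -j REJECT --reject-with icmp-admin-prohibited
EOF
}
# Rule by rule:
#  - every packet created by a process whose effective gid is the vendor
#    group is diverted into its own chain VENDOR_OUT;
#  - loopback is allowed (remove that line for a stricter policy);
#  - ESTABLISHED,RELATED keeps the vendor's own inbound ssh session alive,
#    since the post-auth sshd child that answers it runs under their gid;
#  - only NEW connections to the one permitted host:port are accepted;
#  - everything else is logged (rate limited) and rejected, so the vendor
#    gets an immediate "administratively prohibited" instead of a hang.

# Number of rules in a generated set; a sanity check before applying.
rule_count() {
    vendor_egress_rules "$@" | grep -c '^iptables '
}

# Dry run: show the rules. To apply as root:  sh this_script.sh | sudo sh
vendor_egress_rules vendor 10.0.5.20 22
```

Two caveats worth keeping in mind when using this. The owner match looks at the effective uid/gid of the process that created the socket, so `--gid-owner` sees the account's primary group only, and any path that changes the effective identity (sudo, setuid binaries) falls outside the match; confined accounts therefore need none of those. The LOG rule is there for detection: a "vendor-egress-drop:" line in syslog tells you that a support session tried to reach something it was not allowed to.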