
iptables

This is a discussion on iptables within the Linux Networking forums, part of the Linux Forums category; I would like to deny a group of user (GID 1000) to send packets from the server to the outside ...


Old 09-28-2003
sinapsi

I would like to deny a group of users (GID 1000) the ability to send packets from the
server to the outside when they connect with ssh.

My default policies are all ACCEPT.

I added this rule to prevent GID 1000 from connecting anywhere from the shell:

/usr/sbin/iptables -A OUTPUT -s 0/0 -m owner --gid-owner 1000 -j REJECT

This works fine, but I would like to allow those users to connect to the
server with FTP too.
PASSIVE FTP uses high ports, so I changed the rules to:

/usr/sbin/iptables -A OUTPUT -p TCP -s 0/0 -m owner --gid-owner 1000 \
    --dport 1024:65535 -j ACCEPT
/usr/sbin/iptables -A OUTPUT -s 0/0 -m owner --gid-owner 1000 -j REJECT

In this way FTP works for GID=1000, but there is the problem that users will
be able to connect from the shell to the outside using ports 1024:65535.

And the firewall will be quite useless.

How can I set up the firewall rules to deny any kind of activity from users
with GID 1000 on the server except the FTP connection?

thanks for your help

Dopa

Old 09-28-2003
Horst Knobloch

sinapsi <info@zam.it> wrote:

> I would like to deny a group of users (GID 1000) the ability to send packets from the
> server to the outside when they connect with ssh.
>
> My default policies are all ACCEPT.


It's better to have drop as policy and then explicitly allow
only certain services.


> I added this rule to prevent GID 1000 from connecting anywhere from the shell:
>
> /usr/sbin/iptables -A OUTPUT -s 0/0 -m owner --gid-owner 1000 -j REJECT
>
> This works fine, but I would like to allow those users to connect to the
> server with FTP too.

[...]
> How can I set up the firewall rules to Deny any kind of activity from
> users with GID 1000 on the server Except the FTP connection?


Use FTP connection tracking and allow outgoing FTP control
connections. Something like:

modprobe ip_conntrack_ftp

iptables -A OUTPUT -p tcp --dport ftp -m owner --gid-owner 1000 \
--syn -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -m owner --gid-owner 1000 -j REJECT

Note, if you use NAT you need to use "modprobe ip_nat_ftp"
above.


HTH

Ciao, Horst
--
»When pings go wrong (It hurts me too)« E.Clapton/E.James/P.Tscharn
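The approach above, written out as a complete default-DROP rule set the way Horst recommends, as an added example that is not code from either poster. It assumes the same GID 1000, that the users reach the server over SSH on port 22, that other users stay unrestricted as in the original setup, and a modern kernel where the helper module is called nf_conntrack_ftp and must be assigned explicitly with the CT target (automatic helper assignment is off by default since kernel 4.7). It only generates the rules; applying them needs root.

```shell
#!/bin/sh
# Added example: generate an iptables-restore file that lets GID 1000 open only
# outbound FTP control connections. The ftp conntrack helper then classifies the
# data connections (active or passive, any high port) as RELATED, so the high-port
# blanket ACCEPT from the question is not needed.
gen_rules() {
    gid="$1"   # assumption: the restricted group, 1000 in the thread
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Explicit helper assignment: without it nf_conntrack_ftp sees no FTP traffic
# when net.netfilter.nf_conntrack_helper is 0 (the default on recent kernels).
-A OUTPUT -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies and helper-tracked data connections, in both directions.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Assumption: the users log in over SSH, so the server must accept it.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# GID ${gid}: only NEW FTP control connections, then reject everything else.
# Order matters: this pair must come after the RELATED,ESTABLISHED rule.
-A OUTPUT -p tcp --dport 21 --syn -m owner --gid-owner ${gid} -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m owner --gid-owner ${gid} -j REJECT
# Everyone else keeps unrestricted outbound access, as in the original policy.
-A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Load the helper and apply atomically; run as root: ./script.sh --apply 1000
apply_rules() {
    modprobe nf_conntrack_ftp || return 1
    gen_rules "$1" | iptables-restore
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules "${2:-1000}"
fi
```

Check the result afterwards with `iptables -L OUTPUT -v -n --line-numbers` and `conntrack -L` during an FTP transfer: the data connection should show up with the ftp helper attached.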