iptables rules on UID owner
From: Lone Droid (lonedroid@yahoo.fr) Date: 05/30/02
From: lonedroid@yahoo.fr (Lone Droid) Date: 29 May 2002 19:44:18 -0700
Hi all,
I configured a Linux client (RedHat 7.3) on my local network
with iptables...
While browsing the newsgroups I found a rule for iptables that
logs outgoing packets according to owner (UID).
I decided to implement my own, so my firewall startup script looks
like this:
.
.
# create (or flush) the chain that checks the packet owner
$IPT -N chck-own
$IPT -F chck-own
# one RETURN rule per UID found in /etc/passwd
Vuidlist="$(awk -F: '{print $3}' /etc/passwd)"
for Vuid in $Vuidlist; do
$IPT -t filter -A chck-own -o eth0 -m owner --uid-owner $Vuid -j RETURN
done
# anything that did not match a known UID is logged (rate-limited) and dropped
$IPT -t filter -A chck-own -m limit --limit 10/s \
-j LOG --log-prefix "IPT blck illegal packet owner: "
$IPT -t filter -A chck-own -j DROP
$IPT -I OUTPUT -j chck-own
.
.
This is the first rule of my OUTPUT chain, so every outgoing packet
is traversing the "chck-own" rule and if it is not "emitted" by one
of the users (as defined by /etc/passwd) it is discarded.
The strange thing is, when I connect to a Web site (be it from Mozilla or
Opera; the "problem" didn't seem to appear with Lynx), I start to see
a few packets being dropped (though most Web sites are loading fine
and even the ones generating "unknown UID packets" are usually working
fine).
For example, when I connect to http://www.lemonde.fr I see this first
packet dropped by my rule:
[root@someMachine ~/] # iptables -L chck-own -v
Chain chck-own (1 references)
pkts bytes target prot in out source destination
75 3479 RETURN all any eth0 anywhere anywhere OWNERUID match root
0 0 RETURN all any eth0 anywhere anywhere OWNERUID match bin
0 0 RETURN all any eth0 anywhere anywhere OWNERUID match daemon
0 0 RETURN all any eth0 anywhere anywhere OWNERUID match adm
...
(here are a lot of other useless rules, like sync, shutdown, etc.)
...
0 0 RETURN all any eth0 anywhere anywhere OWNERUID match radvd
186 14360 RETURN all any eth0 anywhere anywhere OWNERUID match fooBar
0 0 RETURN all any eth0 anywhere anywhere OWNERUID match alice
0 0 RETURN all any eth0 anywhere anywhere OWNERUID match pcap
2 618 LOG all any any anywhere anywhere limit: avg 10/sec burst 5 LOG level warning prefix `IPT blck OWN: '
2 618 DROP all any any anywhere anywhere
and the logged packet (as seen by dmesg):
IPT blck illegal packet owner: IN= OUT=eth0 SRC=192.168.0.12
DST=193.149.121.11 LEN=552 TOS=0x00 PREC=0x00 TTL=64 ID=21471 DF
PROTO=TCP SPT=32769 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Resolving this IP (193.149.121.11) gives "pubs.lemonde.fr", which
is some ad-related stuff related to the site I am browsing to
(with Mozilla and logged in as user "fooBar" in this case).
Who could the "owner" of this packet be?
I tried to track it myself but I didn't find how to force iptables to
print the "owner-uid" field of the packets. How can I track down
who originated the packet?
Is it a good idea to only allow outgoing packets belonging to
all the "users" in /etc/passwd?
Is this normal client behavior that, when logged in as user "fooBar", the
client creates packets belonging to other "users" (OK, user "root" is
normal, as when you do a ping or a traceroute, but what other
"uid-owner" should I expect to see?).
Would it be better to restrict the rule to the "real" users (e.g.
root, userOne, userTwo, etc.) or do I need to give internet access to some
"special" users?
What are the "users" I need to allow to send outgoing packets (root,
obviously, and my users, but who else? mail? news?)?
Btw, if c.o.l.s. is not an appropriate group to ask this question,
where should I have asked it?
Thanks in advance...
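As an added example (not the poster's script), here is one way to build the same "chck-own" chain from an explicit allow-list of user names instead of every UID in /etc/passwd, emitted in iptables-restore syntax so the rules can be reviewed before they are loaded. It assumes a passwd-format file, the outbound interface and the allowed user names are passed as arguments, and it goes beyond the original by using the xt_owner `--socket-exists` option of current iptables to let packets that have no owning socket through instead of logging them as an "illegal owner".

```shell
#!/bin/sh
# Added example, not the original poster's firewall script.
# Usage: build_chck_own PASSWD_FILE IFACE USER...   (prints iptables-restore input)

# Emit one RETURN rule per allowed user name, resolving the name to its UID
# via the given passwd-format file. Unknown names are reported and skipped.
build_chck_own() {
    passwd_file=$1; iface=$2; shift 2
    echo '*filter'
    echo ':chck-own - [0:0]'
    for name in "$@"; do
        uid=$(awk -F: -v n="$name" '$1 == n { print $3; exit }' "$passwd_file")
        if [ -z "$uid" ]; then
            echo "build_chck_own: no such user '$name' in $passwd_file" >&2
            continue
        fi
        echo "-A chck-own -o $iface -m owner --uid-owner $uid -j RETURN"
    done
    # Packets that are not associated with any socket carry no UID at all
    # (they are generated by the kernel, e.g. a TCP reset for a connection the
    # application has already closed); assumes xt_owner's --socket-exists.
    echo "-A chck-own -o $iface -m owner ! --socket-exists -j RETURN"
    # Everything else leaving this interface is logged (rate-limited) and dropped.
    echo "-A chck-own -o $iface -m limit --limit 10/s -j LOG --log-prefix \"IPT blck illegal packet owner: \""
    echo "-A chck-own -o $iface -j DROP"
    echo '-I OUTPUT -j chck-own'
    echo 'COMMIT'
}

# Constructed sample passwd file for the demonstration (not a real system's).
sample_passwd=${TMPDIR:-/tmp}/chck-own-demo-passwd.$$
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'bin:x:1:1:bin:/bin:/sbin/nologin' \
              'fooBar:x:500:500::/home/fooBar:/bin/bash' > "$sample_passwd"
build_chck_own "$sample_passwd" eth0 root fooBar
rm -f "$sample_passwd"
```

The output is meant to be inspected and then fed to `iptables-restore -n` (or `--noflush`), which loads the chain atomically instead of rule by rule.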