Score:0

iptables: block an IP range for a specific user


I'm trying to block an IP range using

iptables -A INPUT -s 185.0.0.0/8 -j DROP

This rule works perfectly, but it affects all users on the network.

I want to apply it to individual users so as not to affect everyone.

I would like to make this block apply to a specific user using

-m owner --uid-owner <username>

Nikita Kipriyanov:
I’m voting to close this question because our language is English. Please translate it or try asking in language-specific community.
Luana:
Sorry, I do understand the English language; it was a typo on my part. Again, a thousand apologies, and thanks for the warning!
A.B:
See also my answer in this Q/A (where I had to change the title so it means something): https://serverfault.com/questions/1138626/match-specific-users-traffic-both-in-output-and-in-input-to-use-quota-on-it , where I explain how to track the *flow* where an *output packet* 's owner was present, both ways rather than output-only. OP doesn't capitalize on it. Of course for this new problem this might not be applicable (one has to accept a packet first, to get a reply with an owner)
Score:1

The owner module of iptables can be used to filter packets based on the user who generated them. However, this only works for outgoing packets (OUTPUT), so you can't use owner to filter incoming packets (INPUT).

So if you want to block all outgoing packets from a specific user to a certain network, you can use a rule like this:

iptables -A OUTPUT -m owner --uid-owner username -d 185.0.0.0/8 -j DROP

Replace username with the username for which you want to apply the rule. This rule will block all outgoing traffic from that user to the 185.0.0.0/8 network.

If you want to apply this rule for a specific process, you can use the --pid-owner option:

iptables -A OUTPUT -m owner --pid-owner pid -d 185.0.0.0/8 -j DROP

Here, replace pid with the process ID for which you want to apply the rule.

Please note that these rules will not block incoming traffic from the user or process, and they will also not block outgoing traffic to other networks. You need to modify these or add additional rules to meet these needs.

Luana:
How can I make blocks for INPUT too? Is there a simple way to do a lock of that level for INPUT? And thank you so much for taking the time to answer my question!!
Nikita Kipriyanov:
It is impossible to block by owner match in INPUT, because at that stage the system doesn't know whether there really is a listening socket on that port, or who the owner of that socket is. But it is enough to block in OUTPUT to achieve your goal. Users will not be able to initiate connections or reply to incoming connections, so essentially no communication will be possible in that case.
Luana:
Yes, yes, with OUTPUT it worked as expected, thank you very much!
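The OUTPUT-side rule from the answer, expanded into a small script as an added example that is not part of the thread. It resolves the user to a numeric uid, keeps the rules in a dedicated chain (the chain name BLOCK_UID_<uid> and the function names are this example's own choices), inserts the jump at the top of OUTPUT so an earlier ACCEPT (for example a conntrack ESTABLISHED rule) cannot bypass it, and prints the commands rather than running them so they can be reviewed before being piped to a root shell. It uses only --uid-owner: the --pid-owner option mentioned in the answer was removed from the kernel's owner match in 2.6.14, and current iptables only offers --uid-owner, --gid-owner and --socket-exists.

```shell
#!/bin/sh
# Added example (not code from the thread): a per-user egress block using
# the iptables owner match, kept in its own chain. BLOCK_UID_<uid> and the
# function names are this example's own choices, not iptables conventions.
set -eu

# Print the commands that drop everything user $1 (name or numeric uid)
# sends to $2 (a CIDR). Commands are printed, not run, so they can be
# reviewed first:   user_block_rules alice 185.0.0.0/8 | sudo sh
user_block_rules() {
    user=$1
    cidr=$2
    # xt_owner compares numeric uids, so resolve the name once; the rule
    # keeps matching even if the account is renamed later.
    uid=$(id -u "$user") || return 1
    chain="BLOCK_UID_$uid"
    cat <<EOF
# create the chain, or empty it if a previous run left it behind
iptables -N $chain 2>/dev/null || iptables -F $chain
# rate-limited log line carrying the owning uid, then the drop
iptables -A $chain -d $cidr -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "blocked-uid-$uid: " --log-uid
iptables -A $chain -d $cidr -j DROP
# insert the jump at position 1 so an earlier ACCEPT (for example a
# conntrack ESTABLISHED rule) cannot bypass it; -C keeps this idempotent
iptables -C OUTPUT -m owner --uid-owner $uid -j $chain 2>/dev/null || iptables -I OUTPUT 1 -m owner --uid-owner $uid -j $chain
EOF
}

# Print the commands that undo user_block_rules for user $1.
user_unblock_rules() {
    uid=$(id -u "$1") || return 1
    chain="BLOCK_UID_$uid"
    cat <<EOF
iptables -D OUTPUT -m owner --uid-owner $uid -j $chain
iptables -F $chain
iptables -X $chain
EOF
}
```

After applying the rules, `iptables -L BLOCK_UID_<uid> -v -n` shows per-rule packet counters; they should rise when that user tries to reach the range, and the kernel log lines prefixed `blocked-uid-<uid>:` carry the uid thanks to --log-uid. As the comments above explain, there is no equivalent match in INPUT; dropping the user's outgoing packets also kills the replies they would send to inbound connections, which is why the OUTPUT rule alone is enough.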