Score:0

Iptables: DROP software if NOT run by a specific group (not working)


I'm trying to mimic the Windows firewall to define rules by software.

So a software has access to internet only if started by a specific group. I can then create a .sh file for each program that I want to access internet. By following this question How to control internet access for each program? I'm trying to block all programs access internet if not started by a specific group.

  1. I created a group has-internet (I did not join this group):

sudo addgroup has-internet

  2. Restarted the PC to be sure the new group is properly loaded.

  3. Added a rule to iptables that prevents all processes not (!) belonging to the group has-internet from using the network (and the same with ip6tables to also block IPv6 traffic):

sudo iptables -A OUTPUT -m owner ! --gid-owner has-internet -j DROP

sudo ip6tables -A OUTPUT -m owner ! --gid-owner has-internet -j DROP

Execute ping somesite.xyz (can't connect GOOD! : )

Execute sudo ping somesite.xyz (can't connect GOOD! : )

Execute sudo -g has-internet ping somesite.xyz (can't connect BAD! : (

What am I doing wrong? Please help!

EDIT

I tried (just to experiment) to block the group and it works...

sudo iptables -A OUTPUT -m owner --gid-owner has-internet -j DROP

Execute sudo ping somesite.xyz (can connect)

Execute sudo -g has-internet ping somesite.xyz (can't connect)

I don't understand why this way works and the other way round doesn't.
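A check worth running before changing the rules, added here as an example and not part of the original question. The iptables owner match compares a packet against the credentials of the local socket that produced it, so a negated `--gid-owner has-internet` rule drops every packet that does not come from a has-internet socket: packets other daemons send on the process's behalf (on Ubuntu, when systemd-resolved is the stub resolver, the DNS lookup for `somesite.xyz` is forwarded upstream by systemd-resolved, which runs as its own user), and kernel-generated packets that have no owning socket at all. That would make `ping somesite.xyz` fail at name resolution even though ping's own socket does belong to the group, while `ping <IP literal>` would still work. The script below assumes the group name from the question, assumes the resolver account is `systemd-resolve` (verify on your own machine), and picks its own LOG prefix; it logs each dropped packet with `--log-uid` so the kernel line carries the UID/GID of the sending socket, `explain_drop` parses such a line (a constructed sample is included), and `apply_rules` rebuilds the OUTPUT chain for iptables and ip6tables with explicit ACCEPTs followed by an unconditional DROP, which avoids the negated match altogether.

```shell
#!/usr/bin/env bash
# Added example, not from the original question.  Assumptions (not on the page):
#   RESOLVER_USER: the account the local DNS stub resolver runs as
#                  (systemd-resolved on Ubuntu uses "systemd-resolve";
#                  check with: ps -o user= -C systemd-resolved)
#   LOG_PREFIX:    our own choice of prefix for the kernel LOG lines
set -u

GROUP="has-internet"              # from the question
RESOLVER_USER="systemd-resolve"   # assumption, see above
LOG_PREFIX="OUT-DROP "            # our own choice

# Emit the OUTPUT rules, one per line, in iptables-restore(8) syntax.
# Explicit ACCEPTs come first, then LOG, then an unconditional DROP.  Because
# the DROP is unconditional no negated owner match is needed; a negated
# "-m owner ! --gid-owner" rule would also match packets that have no owning
# socket at all (kernel-generated packets), which is easy to overlook.
build_rules() {
  cat <<EOF
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --gid-owner ${GROUP} -j ACCEPT
-A OUTPUT -m owner --uid-owner ${RESOLVER_USER} -j ACCEPT
-A OUTPUT -j LOG --log-prefix "${LOG_PREFIX}" --log-uid
-A OUTPUT -j DROP
EOF
}

# Rebuild OUTPUT for IPv4 and IPv6 (needs root).  --noflush leaves INPUT and
# FORWARD untouched; only the chain we own is flushed first.
apply_rules() {
  local bin
  for bin in iptables ip6tables; do
    "$bin" -F OUTPUT
    { printf '*filter\n'; build_rules; printf 'COMMIT\n'; } | "${bin}-restore" --noflush
  done
}

# Parse one kernel LOG line and report who sent the dropped packet.  With
# --log-uid the kernel appends "UID=<n> GID=<n>" when the packet has an owning
# socket; when those fields are absent the packet came from the kernel itself.
# Output: "uid=<n> gid=<n> <proto> <dst>:<dport>" or
#         "no-socket-owner <proto> <dst>:<dport>"
explain_drop() {
  local f uid= gid= proto= dst= dpt=
  for f in $1; do
    case $f in
      UID=*)   uid=${f#UID=} ;;
      GID=*)   gid=${f#GID=} ;;
      PROTO=*) proto=${f#PROTO=} ;;
      DST=*)   dst=${f#DST=} ;;
      DPT=*)   dpt=${f#DPT=} ;;
    esac
  done
  if [ -n "$uid" ]; then
    echo "uid=$uid gid=$gid ${proto:-?} ${dst:-?}:${dpt:-?}"
  else
    echo "no-socket-owner ${proto:-?} ${dst:-?}:${dpt:-?}"
  fi
}

# Constructed sample line in the LOG target's format: a DNS query to an
# upstream resolver sent by uid/gid 976 (a daemon account, not the
# has-internet group), i.e. what a stub resolver forwarding ping's lookup
# would look like after being dropped by the rule from the question.
SAMPLE_LOG='kernel: OUT-DROP IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=UDP SPT=41234 DPT=53 LEN=40 UID=976 GID=976'

case "${1:-}" in
  apply) apply_rules ;;                          # sudo ./script.sh apply
  *)     build_rules; explain_drop "$SAMPLE_LOG" ;;
esac
```

Run it without arguments to print the rule set and the parsed sample line; run it as root with `apply` to install the rules. After that, `journalctl -k | grep OUT-DROP` shows every dropped packet with its UID/GID, so you can see whether the blocked traffic belongs to ping itself, to the resolver, or to no socket at all, and add an ACCEPT for exactly that owner instead of loosening the rule.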

Thomas Ward: Did you put an ALLOW rule in that permits that group outbound? Sounds like all you did was to *drop* access for everyone else. What's your iptables default policy for the OUTPUT chain?
Thomas Ward: CROSSPOSTED: https://unix.stackexchange.com/q/738915 - pick only ONE site and post there; do not cross post, as it is considered noisy, and there's overlap between Ask Ubuntu and Unix & Linux such that you don't benefit by crossposting.
codeispoetry: Thanks Thomas, the iptables default policy for the OUTPUT chain is ACCEPT and this is the only rule present. (I will delete the other post.) In the comment on the other post you also mentioned that I should try with another user. So, if I understand, to test it I create a new user, add the new user to the has-internet group and then do `sudo -u newuser ping site.xyz`? (To run a command as newuser, I always have to use sudo... Sorry, I'm new to Linux!)
Thomas Ward: If you're new to Linux, why do you want to do this type of lockdown? I ask because this is an advanced configuration that is going to be *very* difficult to get precisely correct. I only ask because I want to know your use case/needs first, before going in-depth.
codeispoetry: As you can imagine, I came from Windows. Until 8.1 Windows was OK, but from 10 on I don't like the direction it is taking (telemetry, forced updates...), so I'm migrating to Linux. In Windows Firewall you can DROP INPUT and OUTPUT and then open internet access per program (e.g. Firefox). It seems a nice way to prevent any program from phoning home... I'm trying to mimic that scenario.
Organic Marble: A lot of migrators from Windows (I was one) look for an application-level firewall. That is not an easy thing to find or accomplish on Linux. Try searching this site for "application level firewall" for other approaches.
codeispoetry: @Organic Marble Thanks for your answer. I have two questions: 1) How do you protect yourself if a program decides at some point to phone home? (I know Linux is very secure, but it could happen, and in that case you are fully exposed...) 2) Can anybody out there tell me why my code doesn't work? It seems pretty basic: allow only if started by group x. It would be fantastic to know how to solve this mystery for my learning process, because I've been struggling with it for quite a few days! Thanks again!
codeispoetry: @Thomas Ward I edited my question: the other way round works... but it is not what I want to do... Please tell me what I'm doing wrong; the more I try, the less I understand.