Re: Block outgoing connections for certain uids (root, apache, nobody)




On 04/04/2012 10:21, Tony Mountifield wrote:
> In article <CAADeyWhP3MjsPc-MO7aeWzsxsq9pHiBPHO2iU3bo8i0ttJiLcw@xxxxxxxxxxxxxx>,
> Alexander Farber <alexander.farber@xxxxxxxxx> wrote:
>> Good morning
>>
>> With iptables in CentOS 5 and 6 Linux - how can you please
>> prevent processes running as "root", "apache" or "nobody"
>> from initiating outgoing connections?
>>
>> On CentOS 5 Linux I've tried putting these lines into /etc/sysconfig/iptables:
>>
>> -A OUTPUT -m owner --uid-owner root -j DROP
>> -A OUTPUT -m owner --uid-owner apache -j DROP
>> -A OUTPUT -m owner --uid-owner nobody -j DROP
>>
>> but unfortunately get the error:
>>
>> # sudo service iptables restart
>> iptables: Flushing firewall rules:                         [  OK  ]
>> iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
>> iptables: Unloading modules:                               [  OK  ]
>> iptables: Applying firewall rules: iptables-restore v1.4.7: owner: Bad
>> value for "--uid-owner" option: "apache"
>> Error occurred at line: 27
>> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>>                                                             [FAILED]
>
> Perhaps it doesn't do a username lookup and only understands numeric userids?
> Try:
>
> -A OUTPUT -m owner --uid-owner 0 -j DROP
> -A OUTPUT -m owner --uid-owner 48 -j DROP
> -A OUTPUT -m owner --uid-owner 99 -j DROP
>
> (I think those values are standard on CentOS)
>
> Bear in mind that preventing root connections would stop you doing any
> kind of updating using yum, unless you have a previous rule allowing http.
>
> Cheers
> Tony

This would also stop the server being able to use DNS, and would likely
break other things. I'd be wary of stopping root talking out of the network.

Tris
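An added example, not code from the thread: a POSIX shell script that resolves the three names to the numeric UIDs Tony suggests and emits OUTPUT lines for /etc/sysconfig/iptables, placing the loopback, established-connection and DNS exceptions that Tris's point calls for ahead of the per-UID DROPs. The passwd excerpt is constructed so the script runs offline; on a live host use `getent passwd` instead.

```shell
#!/bin/sh
# Constructed excerpt of /etc/passwd (UIDs as Tony lists them for CentOS);
# on a real host feed the output of `getent passwd` here instead.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin'

# uid_of NAME: print the numeric UID for NAME, exit 1 if it is unknown.
# The owner match in the thread rejected user names, so rules use numbers.
uid_of() {
    printf '%s\n' "$PASSWD_SAMPLE" |
        awk -F: -v n="$1" '$1 == n { print $3; found = 1 } END { exit !found }'
}

# gen_rules NAME...: print iptables-save style OUTPUT lines.
# Exceptions come first so the per-UID DROPs do not cut off loopback,
# replies on connections that came in from outside, or name resolution.
gen_rules() {
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Resolver traffic from every UID (Tris: blocking root breaks DNS);
    # narrow with -d <resolver address> to the configured name servers.
    echo '-A OUTPUT -p udp --dport 53 -j ACCEPT'
    echo '-A OUTPUT -p tcp --dport 53 -j ACCEPT'
    # If root must still reach the yum repositories (Tony's caveat), an
    # ACCEPT for those hosts belongs here, before the root DROP.
    for name in "$@"; do
        uid=$(uid_of "$name") || { echo "unknown user: $name" >&2; return 1; }
        echo "-A OUTPUT -m owner --uid-owner $uid -j DROP"
    done
}

# Print the generated rule set when run directly with --print.
if [ "${1:-}" = "--print" ]; then
    gen_rules root apache nobody
fi
```

Paste the printed lines into the filter section of /etc/sysconfig/iptables in the order shown; with an outgoing SYN from root dropped before any state exists, the ESTABLISHED rule cannot later let that flow through.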


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
