Re: Possible to block ports by user group?

On Sun, 04 Jul 2004 16:59:04 +0200, Cedric Blancher <blancher@xxxxxxxxxxxxxxxxxx> wrote:

On Sun 04/07/2004 at 15:16, Michael Frank wrote:
Would like to block ports depending on the group in use

See owner match:

cbr@anduril:~$ iptables -m owner --help
iptables v1.2.11
[...]
OWNER match v1.2.11 options:
[!] --uid-owner userid     Match local uid
[!] --gid-owner groupid    Match local gid
[!] --pid-owner processid  Match local pid
[!] --sid-owner sessionid  Match local sid
[!] --cmd-owner name       Match local command name

--gid-owner seems to satisfy your needs.



Thank you for the pointer. This works very well.

I think there is a problem though wrt ICMP requests. The following
rule allows _everyone_ to ping, but I would expect only root to be able to.

ACCEPT     all  --  anywhere             anywhere           OWNER UID match root

This rule has no effect on ICMP: I am mhf and can't ping.

ACCEPT     all  --  anywhere             anywhere           OWNER UID match mhf

This is with vanilla kernel 2.4.24. Any known issue here?

No big deal; I should try a later kernel soon.

Here is the whole list.

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere           tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       tcp  --  anywhere             anywhere           tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG        icmp --  anywhere             anywhere           icmp echo-request limit: avg 1/sec burst 5 LOG level warning prefix `ipt - Ping of Death Blocked: '
DROP       icmp --  anywhere             anywhere           icmp echo-request limit: avg 1/sec burst 5
syn-flood  tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN
DROP       tcp  --  anywhere             anywhere           tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP       tcp  --  anywhere             anywhere           tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
DROP       tcp  --  anywhere             anywhere           tcp flags:SYN,RST/SYN,RST
DROP       tcp  --  anywhere             anywhere           tcp flags:FIN,SYN/FIN,SYN
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere           tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       tcp  --  anywhere             anywhere           tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG        icmp --  anywhere             anywhere           icmp echo-request limit: avg 1/sec burst 5 LOG level warning prefix `ipt - Ping of Death Blocked: '
DROP       icmp --  anywhere             anywhere           icmp echo-request limit: avg 1/sec burst 5
syn-flood  tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere           limit: avg 10/min burst 10 LOG level alert prefix `ipt - FORWARD dropped: '

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere           OWNER UID match root
ACCEPT     all  --  anywhere             anywhere           OWNER UID match mhf
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:domain OWNER GID match guest
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp OWNER GID match guest
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3 OWNER GID match guest
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp OWNER GID match guest
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http OWNER GID match guest
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:8118 OWNER GID match guest
ACCEPT     udp  --  anywhere             anywhere           udp dpt:domain OWNER GID match guest
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere           limit: avg 10/min burst 10 LOG level alert prefix `ipt - OUTPUT dropped: '

Chain syn-flood (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere           limit: avg 1/sec burst 4
LOG        all  --  anywhere             anywhere           LOG level warning prefix `ipt - Blocked SYN Flood: '
DROP       all  --  anywhere             anywhere


Any comments?

	Regards
	Michael
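The OUTPUT chain from the listing above, rebuilt as the iptables commands that produce it (an added example, not code from the thread); the owner match is only used in OUTPUT because it needs the local socket that originated the packet, and the names IPT and owner_output_rules are chosen here.

```shell
#!/bin/sh
# Rebuild the OUTPUT chain from the thread with the owner match.
# IPT is the command prefix; set IPT="echo iptables" to preview the
# rules without root (the test below does exactly that).
IPT="${IPT:-iptables}"

# Per-group egress policy for the "guest" group, as in the listing:
# service names are resolved by iptables via /etc/services.
GUEST_TCP="domain smtp pop3 ftp http 8118"
GUEST_UDP="domain"

owner_output_rules() {
    $IPT -P OUTPUT DROP
    $IPT -F OUTPUT
    # root and mhf may originate any traffic.
    # Note: a setuid-root ping opens its raw socket before dropping
    # privileges, so the owner match sees uid 0 for every user's ping;
    # that is the usual cause of the ICMP behaviour described above.
    $IPT -A OUTPUT -m owner --uid-owner root -j ACCEPT
    $IPT -A OUTPUT -m owner --uid-owner mhf -j ACCEPT
    # guest group: only the listed destination ports, by group id.
    for p in $GUEST_TCP; do
        $IPT -A OUTPUT -p tcp --dport "$p" -m owner --gid-owner guest -j ACCEPT
    done
    for p in $GUEST_UDP; do
        $IPT -A OUTPUT -p udp --dport "$p" -m owner --gid-owner guest -j ACCEPT
    done
    # replies to existing flows, then rate-limited logging of the rest.
    $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -m limit --limit 10/min --limit-burst 10 \
        -j LOG --log-level alert --log-prefix 'ipt - OUTPUT dropped: '
}

# Apply only when explicitly asked, e.g. APPLY=1 sh this_script.sh
if [ -n "${APPLY:-}" ]; then
    owner_output_rules
fi
```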
