[CentOS] Block outgoing connections for certaing uids (root, apache, nobody)
Tony Mountifield
tony at softins.co.uk
Wed Apr 4 09:21:21 UTC 2012
In article <CAADeyWhP3MjsPc-MO7aeWzsxsq9pHiBPHO2iU3bo8i0ttJiLcw at mail.gmail.com>,
Alexander Farber <alexander.farber at gmail.com> wrote:
> Good morning
>
> With iptables in CentOS 5 and 6 Linux - how can you please
> prevent processes running as "root", "apache" or "nobody"
> from initiating outgoing connections?
>
> On CentOS 5 Linux I've tried putting these lines into /etc/sysconfig/iptables:
>
> -A OUTPUT -m owner --uid-owner root -j DROP
> -A OUTPUT -m owner --uid-owner apache -j DROP
> -A OUTPUT -m owner --uid-owner nobody -j DROP
>
> but unfortunately get the error:
>
> # sudo service iptables restart
> iptables: Flushing firewall rules: [ OK ]
> iptables: Setting chains to policy ACCEPT: filter [ OK ]
> iptables: Unloading modules: [ OK ]
> iptables: Applying firewall rules: iptables-restore v1.4.7: owner: Bad
> value for "--uid-owner" option: "apache"
> Error occurred at line: 27
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> [FAILED]
Perhaps it doesn't do a username lookup and only understands numeric userids?
Try:
-A OUTPUT -m owner --uid-owner 0 -j DROP
-A OUTPUT -m owner --uid-owner 48 -j DROP
-A OUTPUT -m owner --uid-owner 99 -j DROP
(I think those values are standard on CentOS)
Bear in mind that preventing root connections would stop you doing any
kind of updating using yum, unless you have a previous rule allowing http.
Cheers
Tony
--
Tony Mountifield
Work: tony at softins.co.uk - http://www.softins.co.uk
Play: tony at mountifield.org - http://tony.mountifield.org
More information about the CentOS
mailing list