In article CAADeyWhP3MjsPc-MO7aeWzsxsq9pHiBPHO2iU3bo8i0ttJiLcw@mail.gmail.com, Alexander Farber alexander.farber@gmail.com wrote:
Good morning
With iptables in CentOS 5 and 6 Linux - how can you please prevent processes running as "root", "apache" or "nobody" from initiating outgoing connections?
On CentOS 5 Linux I've tried putting these lines into /etc/sysconfig/iptables:
-A OUTPUT -m owner --uid-owner root -j DROP -A OUTPUT -m owner --uid-owner apache -j DROP -A OUTPUT -m owner --uid-owner nobody -j DROP
but unfortunately get the error:
# sudo service iptables restart iptables: Flushing firewall rules: [ OK ] iptables: Setting chains to policy ACCEPT: filter [ OK ] iptables: Unloading modules: [ OK ] iptables: Applying firewall rules: iptables-restore v1.4.7: owner: Bad value for "--uid-owner" option: "apache" Error occurred at line: 27 Try `iptables-restore -h' or 'iptables-restore --help' for more information. [FAILED]
Perhaps it doesn't do a username lookup and only understands numeric userids? Try:
-A OUTPUT -m owner --uid-owner 0 -j DROP -A OUTPUT -m owner --uid-owner 48 -j DROP -A OUTPUT -m owner --uid-owner 99 -j DROP
(I think those values are standard on CentOS)
Bear in mind that preventing root connections would stop you doing any kind of updating using yum, unless you have a previous rule allowing http.
Cheers Tony