Good morning
With iptables in CentOS 5 and 6 Linux - how can you please prevent processes running as "root", "apache" or "nobody" from initiating outgoing connections?
On CentOS 5 Linux I've tried putting these lines into /etc/sysconfig/iptables:
-A OUTPUT -m owner --uid-owner root -j DROP -A OUTPUT -m owner --uid-owner apache -j DROP -A OUTPUT -m owner --uid-owner nobody -j DROP
but unfortunately get the error:
# sudo service iptables restart iptables: Flushing firewall rules: [ OK ] iptables: Setting chains to policy ACCEPT: filter [ OK ] iptables: Unloading modules: [ OK ] iptables: Applying firewall rules: iptables-restore v1.4.7: owner: Bad value for "--uid-owner" option: "apache" Error occurred at line: 27 Try `iptables-restore -h' or 'iptables-restore --help' for more information. [FAILED]
Thank you Alex
In article CAADeyWhP3MjsPc-MO7aeWzsxsq9pHiBPHO2iU3bo8i0ttJiLcw@mail.gmail.com, Alexander Farber alexander.farber@gmail.com wrote:
Good morning
With iptables in CentOS 5 and 6 Linux - how can you please prevent processes running as "root", "apache" or "nobody" from initiating outgoing connections?
On CentOS 5 Linux I've tried putting these lines into /etc/sysconfig/iptables:
-A OUTPUT -m owner --uid-owner root -j DROP -A OUTPUT -m owner --uid-owner apache -j DROP -A OUTPUT -m owner --uid-owner nobody -j DROP
but unfortunately get the error:
# sudo service iptables restart iptables: Flushing firewall rules: [ OK ] iptables: Setting chains to policy ACCEPT: filter [ OK ] iptables: Unloading modules: [ OK ] iptables: Applying firewall rules: iptables-restore v1.4.7: owner: Bad value for "--uid-owner" option: "apache" Error occurred at line: 27 Try `iptables-restore -h' or 'iptables-restore --help' for more information. [FAILED]
Perhaps it doesn't do a username lookup and only understands numeric userids? Try:
-A OUTPUT -m owner --uid-owner 0 -j DROP -A OUTPUT -m owner --uid-owner 48 -j DROP -A OUTPUT -m owner --uid-owner 99 -j DROP
(I think those values are standard on CentOS)
Bear in mind that preventing root connections would stop you doing any kind of updating using yum, unless you have a previous rule allowing http.
Cheers Tony
On 04/04/2012 10:21, Tony Mountifield wrote:
In articleCAADeyWhP3MjsPc-MO7aeWzsxsq9pHiBPHO2iU3bo8i0ttJiLcw@mail.gmail.com, Alexander Farberalexander.farber@gmail.com wrote:
Good morning
With iptables in CentOS 5 and 6 Linux - how can you please prevent processes running as "root", "apache" or "nobody" from initiating outgoing connections?
On CentOS 5 Linux I've tried putting these lines into /etc/sysconfig/iptables:
-A OUTPUT -m owner --uid-owner root -j DROP -A OUTPUT -m owner --uid-owner apache -j DROP -A OUTPUT -m owner --uid-owner nobody -j DROP
but unfortunately get the error:
# sudo service iptables restart iptables: Flushing firewall rules: [ OK ] iptables: Setting chains to policy ACCEPT: filter [ OK ] iptables: Unloading modules: [ OK ] iptables: Applying firewall rules: iptables-restore v1.4.7: owner: Bad value for "--uid-owner" option: "apache" Error occurred at line: 27 Try `iptables-restore -h' or 'iptables-restore --help' for more information. [FAILED]
Perhaps it doesn't do a username lookup and only understands numeric userids? Try:
-A OUTPUT -m owner --uid-owner 0 -j DROP -A OUTPUT -m owner --uid-owner 48 -j DROP -A OUTPUT -m owner --uid-owner 99 -j DROP
(I think those values are standard on CentOS)
Bear in mind that preventing root connections would stop you doing any kind of updating using yum, unless you have a previous rule allowing http.
Cheers Tony
This would also stop the server being able to use DNS, and would likely break other things. I'd be wary of stopping root talking out of the network.
Tris
************************************************************* This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify postmaster@bgfl.org
The views expressed within this email are those of the individual, and not necessarily those of the organisation *************************************************************
On Wednesday, April 04, 2012 05:13:11 AM Alexander Farber wrote:
Good morning
With iptables in CentOS 5 and 6 Linux - how can you please prevent processes running as "root", "apache" or "nobody" from initiating outgoing connections?
This sounds more like something an SELinux rule could do better, and on a per-process basis.
Now, I don't have such a rule or policy file written, but I think for this purpose SELinux is the right tool to try to use. You might have to go from the rather lenient 'targeted' policy to the rather difficult to use 'strict' policy to make it happen, though.
Dan Walsh is on here, and he's the expert, so maybe he'll weigh in.
Yep, I've locked out myself out of the dedicated server today.
The numeric uids work, thank you.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 04/04/2012 10:15 AM, Lamar Owen wrote:
On Wednesday, April 04, 2012 05:13:11 AM Alexander Farber wrote:
Good morning
With iptables in CentOS 5 and 6 Linux - how can you please prevent processes running as "root", "apache" or "nobody" from initiating outgoing connections?
This sounds more like something an SELinux rule could do better, and on a per-process basis.
Now, I don't have such a rule or policy file written, but I think for this purpose SELinux is the right tool to try to use. You might have to go from the rather lenient 'targeted' policy to the rather difficult to use 'strict' policy to make it happen, though.
Dan Walsh is on here, and he's the expert, so maybe he'll weigh in. _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Very difficult to do, especially if you are talking about administrators running as root. If you want to allow everything except connection to the network, you will not stop a determined admin. Now we can block the apache process from connecting to the network. If you want to run confined admins we can also control them, but it is not easy.
-
Alexander Farber -
Daniel J Walsh -
Lamar Owen -
tony@softins.co.uk -
Tris Hoar