[CentOS] Block outgoing connections for certain uids (root, apache, nobody)

Wed Apr 4 13:38:37 UTC 2012
Tris Hoar <trishoar at bgfl.org>

On 04/04/2012 10:21, Tony Mountifield wrote:
> In article <CAADeyWhP3MjsPc-MO7aeWzsxsq9pHiBPHO2iU3bo8i0ttJiLcw at mail.gmail.com>,
> Alexander Farber <alexander.farber at gmail.com> wrote:
>> Good morning
>>
>> With iptables in CentOS 5 and 6 Linux - how can you please
>> prevent processes running as "root", "apache" or "nobody"
>> from initiating outgoing connections?
>>
>> On CentOS 5 Linux I've tried putting these lines into /etc/sysconfig/iptables:
>>
>> -A OUTPUT -m owner --uid-owner root -j DROP
>> -A OUTPUT -m owner --uid-owner apache -j DROP
>> -A OUTPUT -m owner --uid-owner nobody -j DROP
>>
>> but unfortunately get the error:
>>
>> # sudo service iptables restart
>> iptables: Flushing firewall rules:                         [  OK  ]
>> iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
>> iptables: Unloading modules:                               [  OK  ]
>> iptables: Applying firewall rules: iptables-restore v1.4.7: owner: Bad
>> value for "--uid-owner" option: "apache"
>> Error occurred at line: 27
>> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>>                                                             [FAILED]
>
> Perhaps it doesn't do a username lookup and only understands numeric userids?
> Try:
>
> -A OUTPUT -m owner --uid-owner 0 -j DROP
> -A OUTPUT -m owner --uid-owner 48 -j DROP
> -A OUTPUT -m owner --uid-owner 99 -j DROP
>
> (I think those values are standard on CentOS)
>
> Bear in mind that preventing root connections would stop you doing any
> kind of updating using yum, unless you have a previous rule allowing http.
>
> Cheers
> Tony

This would also stop the server being able to use DNS, and would likely 
break other things. I'd be wary of stopping root talking out of the network.

Tris
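The numeric-uid form Tony suggests, with the allow rules Tris's caveat calls for (DNS and the HTTP/HTTPS that yum needs as root) placed ahead of the DROPs, as an added example that is not from this thread. It resolves names through a passwd-format text so it can be checked against a constructed sample; the helper names `uid_of`, `owner_rules` and the `PASSWD_DB` variable are this example's own.

```shell
#!/bin/sh
# Added example: generate owner-match OUTPUT rules in the numeric-uid form
# that iptables-restore 1.4.7 accepts. Not code from the CentOS thread.

# Constructed /etc/passwd excerpt (uids 0/48/99 are the CentOS 5/6 defaults
# Tony mentions); used only when PASSWD_DB is set to it, e.g. for testing.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin'

# uid_of NAME: print NAME's numeric uid from PASSWD_DB (default: /etc/passwd).
# Returns 1 when the user does not exist, so a typo never yields an empty rule.
uid_of() {
    db=${PASSWD_DB:-$(cat /etc/passwd)}
    printf '%s\n' "$db" |
        awk -F: -v n="$1" '$1 == n { print $3; found = 1 } END { exit !found }'
}

# owner_rules USER...: emit iptables-restore lines for the OUTPUT chain.
# iptables stops at the first matching rule, so the ACCEPTs that keep the
# resolver and yum working for root must come before the per-uid DROPs.
owner_rules() {
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -p udp --dport 53 -m owner --uid-owner 0 -j ACCEPT'
    printf '%s\n' '-A OUTPUT -p tcp --dport 53 -m owner --uid-owner 0 -j ACCEPT'
    printf '%s\n' '-A OUTPUT -p tcp --dport 80 -m owner --uid-owner 0 -j ACCEPT'
    printf '%s\n' '-A OUTPUT -p tcp --dport 443 -m owner --uid-owner 0 -j ACCEPT'
    for u in "$@"; do
        uid=$(uid_of "$u") || { echo "owner_rules: unknown user '$u'" >&2; return 1; }
        printf '%s\n' "-A OUTPUT -m owner --uid-owner $uid -j DROP"
    done
}

# Usage on a real host: owner_rules root apache nobody >> /etc/sysconfig/iptables
# (inside the *filter section, before COMMIT), then review before restarting.
```

Anything else root must reach (NTP, the mail relay, a monitoring server) needs its own ACCEPT above the DROP for uid 0, or it will break just as Tris warns.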