On 04/04/2012 10:21, Tony Mountifield wrote: > In article<CAADeyWhP3MjsPc-MO7aeWzsxsq9pHiBPHO2iU3bo8i0ttJiLcw at mail.gmail.com>, > Alexander Farber<alexander.farber at gmail.com> wrote: >> Good morning >> >> With iptables in CentOS 5 and 6 Linux - how can you please >> prevent processes running as "root", "apache" or "nobody" >> from initiating outgoing connections? >> >> On CentOS 5 Linux I've tried putting these lines into /etc/sysconfig/iptables: >> >> -A OUTPUT -m owner --uid-owner root -j DROP >> -A OUTPUT -m owner --uid-owner apache -j DROP >> -A OUTPUT -m owner --uid-owner nobody -j DROP >> >> but unfortunately get the error: >> >> # sudo service iptables restart >> iptables: Flushing firewall rules: [ OK ] >> iptables: Setting chains to policy ACCEPT: filter [ OK ] >> iptables: Unloading modules: [ OK ] >> iptables: Applying firewall rules: iptables-restore v1.4.7: owner: Bad >> value for "--uid-owner" option: "apache" >> Error occurred at line: 27 >> Try `iptables-restore -h' or 'iptables-restore --help' for more information. >> [FAILED] > > Perhaps it doesn't do a username lookup and only understands numeric userids? > Try: > > -A OUTPUT -m owner --uid-owner 0 -j DROP > -A OUTPUT -m owner --uid-owner 48 -j DROP > -A OUTPUT -m owner --uid-owner 99 -j DROP > > (I think those values are standard on CentOS) > > Bear in mind that preventing root connections would stop you doing any > kind of updating using yum, unless you have a previous rule allowing http. > > Cheers > Tony This would also stop the server being able to use DNS, and would likely break other things. I'd be wary of stopping root talking out of the network. Tris ************************************************************* This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify postmaster at bgfl.org The views expressed within this email are those of the individual, and not necessarily those of the organisation *************************************************************