
iptables seems to not want to block a user.

I'm using a remastered 10.04 live and Firestarter as a firewall. I've made no fundamental changes to the distro, except to update, upgrade, and add this iptables line for my admin user dev:

sudo iptables -A OUTPUT -p all -m owner --uid-owner dev -j DROP

I've allowed dev, my admin, to use Firefox as another user:

gksudo -u browserUser /usr/bin/firefox

Note: The purpose of this is stop opening up browser scripts to the admin account, and instead use a clean account with no privs as a proxy.

Now, I test to see if iptables is blocking in case admin accidentally tried to connect without using another user. So I try Midori browser directly:

/usr/bin/midori

Midori launches, and connects to the internet. I'm puzzled. My iptables entry doesn't seem to work.

I added the same line I remastered with:

sudo iptables -A OUTPUT -p all -m owner --uid-owner dev -j DROP

I still am not blocked. So, I try resetting the tables:

sudo /etc/init.d/networking restart

I get output:

 * Reconfiguring network interfaces...
Ignoring unknown interface wlan0=wlan0.

I try connecting again with Midori browser, and my iptable rule is still ignored.

What's happening?

bambuntu
  • 991

1 Answer


The order of your rules in iptables is critical. If a packet matches an earlier rule, there is no further processing.

You are appending (-A) your rules to the end of the OUTPUT chain, so my guess is the packets are accepted by an earlier rule.

If you put the rule first, with -I OUTPUT 1, it will work.

sudo iptables -I OUTPUT 1 -p all -m owner --uid-owner dev -j DROP

Your use case is more complex as you are using 2 tools, Firestarter and iptables, to manage your firewall rules. I suggest you use one or the other, but not both.

If you would like to see your rule set, use

sudo iptables -L -v -n

And if you want to use iptables to manage your firewall see

https://help.ubuntu.com/community/IptablesHowTo

Panther
  • 102,067
  • Thanks. I did notice after some testing firestarter and ufw both wiped the iptable slate clean and started with their own config. I'm going to have to go with iptables, because I need to block a user specifically per reason in my question. It doesn't appear ufw or firestarter supports this. – bambuntu Mar 30 '12 at 23:19
  • I'm just getting started with iptables. Thanks for the link. – bambuntu Mar 30 '12 at 23:20
  • You are most welcome. Post back with questions. – Panther Mar 30 '12 at 23:21
  • I'm learning the order you issue iptables commands in is very important. I want to call these two commands: `iptables -A INPUT -p tcp --dport 80 -j ACCEPT` and `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`. Which should I put first? I'm concerned the first may accept everything, but instead I'd like to make sure only what I start can create connections on port 80. Does it matter? Should I just leave out the first one? – bambuntu Apr 06 '12 at 09:15
  • The order of those 2 rules is not going to matter. – Panther Apr 07 '12 at 02:11
  • I was thinking maybe the first would allow anyone trying to connect to port 80. Should I drop the first line if I only want to allow connections I have established? – bambuntu Apr 08 '12 at 06:46
  • That is what the first line does. You need the rule if you want to accept all traffic on port 80 (if you are running a http server), although if that is the case I would allow NEW traffic to port 80 first, then your established,related rule. – Panther Apr 08 '12 at 13:55
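As an added illustration (not from the question or the answer) of the first-match point made above, here is a small POSIX sh model of a chain. It assumes an earlier "accept everything" rule such as Firestarter's, the dev and browserUser accounts from the question, and does not touch real iptables.

```shell
# Constructed model of how netfilter walks a chain: the first matching rule
# decides and later rules are never consulted. This is NOT real iptables; it
# only reproduces the -A versus -I ordering effect described in the answer.
# A rule line is "<match> <target>", where <match> is "any" or "uid:<user>".
OUTPUT=""

# Like `iptables -A OUTPUT ...`: append a rule to the end of the chain.
chain_append() {
    OUTPUT="${OUTPUT}$1 $2
"
}

# Like `iptables -I OUTPUT 1 ...`: insert a rule at the top of the chain.
chain_insert_first() {
    OUTPUT="$1 $2
${OUTPUT}"
}

# Walk the chain for a packet generated by user $1 and print the verdict.
evaluate() {
    while read -r match target; do
        case "$match" in
            any|"uid:$1") printf '%s\n' "$target"; return 0 ;;
        esac
    done <<EOF
$OUTPUT
EOF
    printf '%s\n' ACCEPT   # assumed chain policy when nothing matched
}

# Start from a chain where an earlier rule (Firestarter's, say) accepts all.
reset_chain() { OUTPUT=""; chain_append any ACCEPT; }

# $1 = append (the question's -A) or insert (the answer's -I OUTPUT 1);
# $2 = user sending the packet. Prints ACCEPT or DROP.
verdict() {
    reset_chain
    if [ "$1" = insert ]; then
        chain_insert_first uid:dev DROP
    else
        chain_append uid:dev DROP
    fi
    evaluate "$2"
}

# Demo: only the inserted rule blocks dev; browserUser is unaffected by both.
echo "append dev:         $(verdict append dev)"         # ACCEPT
echo "insert dev:         $(verdict insert dev)"         # DROP
echo "insert browserUser: $(verdict insert browserUser)" # ACCEPT
```

On a real system the same check is `sudo iptables -L OUTPUT -v -n --line-numbers`, which shows whether the owner-match DROP sits above or below the rule that is accepting the traffic.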