
I'm trying to mimic the Windows firewall to define rules by software.

So a piece of software has access to the internet only if it is started by a specific group. I can then create a .sh file for each program that I want to access the internet. Following the question "How to control internet access for each program?", I'm trying to block all programs from accessing the internet if they are not started by a specific group.

  1. I created a group has-internet (I did not join this group):

sudo addgroup has-internet

  2. Restarted the PC to be sure the new group is loaded.

  3. Added a rule to iptables that blocks all processes not (!) belonging to the group has-internet from using the network (and the same with ip6tables to also block IPv6 traffic):

sudo iptables -A OUTPUT -m owner ! --gid-owner has-internet -j DROP

sudo ip6tables -A OUTPUT -m owner ! --gid-owner has-internet -j DROP

Execute ping somesite.xyz (can't connect GOOD! : )

Execute sudo ping somesite.xyz (can't connect GOOD! : )

Execute sudo -g has-internet ping somesite.xyz (can't connect BAD! : (

What am I doing wrong? Pls Help!!!

EDIT

I tried (just to experiment) to block the group and it works...

sudo iptables -A OUTPUT -m owner --gid-owner has-internet -j DROP

Execute sudo ping somesite.xyz (can connect)

Execute sudo -g has-internet ping somesite.xyz (can't connect)

I don't understand why this way works and the other way round doesn't...?

  • did you put an ALLOW rule in that permits that group outbound? Sounds like all you did was to drop access for everyone else. What's your iptables default policy for the OUTPUT chain? – Thomas Ward Mar 07 '23 at 17:20
  • CROSSPOSTED: https://unix.stackexchange.com/q/738915 - pick only ONE site and post there, do not cross post as it is considered noisy and there's overlap between Ask Ubuntu and Unix and Linux such that you don't benefit by crossposting. – Thomas Ward Mar 07 '23 at 17:21
  • Thanks Thomas, iptables default policy for the OUTPUT chain is ACCEPT and this is the only rule present. (I will delete the other post). On the other post comment you also mentioned that I should try with another user. So, if I understand, to test it, I create a new user, add new user in has-internet group and then do sudo -u newuser ping site.xyz ? (to run command as newuser, I always have to use sudo... Sorry I'm new to linux : o ! – codeispoetry Mar 07 '23 at 17:29
  • If you're new to Linux, why do you want to do this type of lockdown? I ask this because this is an advanced configuration that is going to be very difficult to get precisely correct. I only ask this because I want to know your use case/needs first, before going in-depth – Thomas Ward Mar 07 '23 at 17:32
  • As u can imagine I came from Windows. Til 8.1 windows was ok, but from 10 I don't like the direction that is taking (telemetry, forced updates...) So I'm migrating to linux. In Windows firewall you can DROP INPUT and OUTPUT and then open internet by software (i.e. firefox). It seems a nice way to avoid any program to phone home... I'm trying to mimic that scenario. – codeispoetry Mar 07 '23 at 17:36
  • A lot of migrators from Windows (I was one) look for an application-level firewall. That is not an easy thing to find / accomplish on Linux. Try searching this site for "application level firewall" for other approaches. – Organic Marble Mar 07 '23 at 21:53
  • @Organic Marble Thanks for your answer. I've 2 questions: 1) How do you protect if a program decides at one point to phone home? (I know Linux is very secure, but it could happen. In that case you are fully exposed...) 2) Anybody out there can tell me why my code doesn't work? Seems pretty basic: allow only if started from group x. It will be fantastic to know how to solve this mystery for my learning process, because it's quite a few days I'm struggling with it!! Thanks again!!! – codeispoetry Mar 08 '23 at 00:05
  • @Thomas Ward I edited my question: the other way round works... but it is not what I want to do... Pls, tell me what I'm doing wrong the more I try the less I understand... : ( – codeispoetry Mar 08 '23 at 00:14

1 Answer


Well, as you seem to know already, in order to allow a list of software out you first need to set the output policy to drop everything:

sudo iptables -P OUTPUT DROP

Then consider adding a rule that would correspond to the one normally present in INPUT table, that is, accepting any sent packet if its connection is already tracked with state of RELATED or ESTABLISHED:

sudo iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Otherwise the further rules would be required to check every packet, but using conntrack for this is at least faster than checking the process owner and group each time.

Then you might desire that self-communication should be allowed. Since you've blocked everything, you'd want loopback output enabled.

sudo iptables -A OUTPUT -o lo -j ACCEPT

Past then, you do as described with creating a group, and create a rule that would filter packets sent by processes of that group, but instead of dropping the packet you accept it:

sudo iptables -A OUTPUT -m owner --gid-owner has-internet -j ACCEPT

Then you do the usual stuff of establishing save-restore for your set of iptables rules. At the very least, sudo iptables -S would do as a makeshift save, but iptables-persistent has been built for convenience.

PS: if you have IPv6 set up in your system, do the same set of commands with ip6tables.

Vesper
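As an added check, not part of the question or of Vesper's answer: a small Python audit that parses an iptables -S OUTPUT style dump and reports whether the OUTPUT chain follows the allow-list pattern the answer describes (policy DROP, conntrack accept, loopback accept, an ACCEPT for the group) rather than the deny-by-exception rule from the question. Both dumps are constructed samples; on a real system iptables -S prints the numeric GID instead of the group name, so pass that value as the group argument.

```python
import shlex

# Constructed sample mirroring the answer's rule set, in iptables -S form.
ALLOWLIST_RULES = """\
-P OUTPUT DROP
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --gid-owner has-internet -j ACCEPT
"""

# Constructed sample mirroring the question's setup: policy ACCEPT plus one negated DROP.
QUESTION_RULES = """\
-P OUTPUT ACCEPT
-A OUTPUT -m owner ! --gid-owner has-internet -j DROP
"""

def parse_output_chain(dump: str):
    """Return (policy, rules): the OUTPUT policy and each OUTPUT rule as a token list."""
    policy, rules = None, []
    for line in dump.splitlines():
        tok = shlex.split(line)
        if len(tok) < 3 or tok[1] != "OUTPUT":
            continue  # other chains and blank lines are ignored
        if tok[0] == "-P":
            policy = tok[2]
        elif tok[0] == "-A":
            rules.append(tok[2:])
    return policy, rules

def has_rule(rules, *needle):
    """True if some rule contains the needle tokens as a contiguous run."""
    n = list(needle)
    return any(r[i:i + len(n)] == n for r in rules for i in range(len(r) - len(n) + 1))

def audit_output_chain(dump: str, group: str) -> list:
    """Findings for the group allow-list pattern; an empty list means the chain matches it."""
    policy, rules = parse_output_chain(dump)
    findings = []
    if policy != "DROP":
        findings.append(f"OUTPUT policy is {policy}, expected DROP")
    if not has_rule(rules, "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"):
        findings.append("no conntrack RELATED,ESTABLISHED ACCEPT rule")
    if not has_rule(rules, "-o", "lo", "-j", "ACCEPT"):
        findings.append("loopback (-o lo) output is not accepted")
    if not has_rule(rules, "--gid-owner", group, "-j", "ACCEPT"):
        findings.append(f"no ACCEPT rule for --gid-owner {group}")
    if has_rule(rules, "!", "--gid-owner", group, "-j", "DROP"):
        findings.append("negated --gid-owner DROP present: deny-by-exception, not an allow-list")
    return findings
```

Running audit_output_chain on the answer's rule set returns no findings, while the question's rule set yields five, starting with the ACCEPT default policy.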