
I know about changing owners/permissions on particular programs/files, but how can I control which users have access to the network card (NIC) or have the power to create network sockets?


2 Answers


As described here, you can block all Internet access for certain users using this iptables command:

sudo iptables -A OUTPUT -m owner --uid-owner {USERNAME} -j REJECT
sudo ip6tables -A OUTPUT -m owner --uid-owner {USERNAME} -j REJECT

If you want this command to run automatically when the system starts up, you should add it to the end of your /etc/rc.local file.

While this won't make it impossible for those users to create sockets, it will block all outgoing traffic (like a firewall).

  • how would you then reverse this command? – ubuntu_uk_user Aug 26 '15 at 16:29
  • @user2662639 Simply reboot. Unless you've added the line to /etc/rc.local, it's not persistent, and if you have, then you can just remove that line. – Frxstrem Aug 26 '15 at 16:36
  • @user2662639 (I think it's possible without rebooting but it's been three years since I wrote this answer and so I really can't remember anymore.) – Frxstrem Aug 26 '15 at 16:37
  • run this: sudo iptables -D OUTPUT -m owner --uid-owner {USERNAME} -j REJECT to delete the rule that you've added; notice the "-D" switch. – Artyom Dec 26 '16 at 18:01
  • @Frxstrem it would be interesting to edit the answer and include how to do it with newer versions (with systemd): what would be the simplest way instead of /etc/rc.local? (or maybe would this still work, even with systemd?) – Basj Apr 25 '20 at 14:45
  • @Basj check my answer – Scrooge McDuck Nov 11 '21 at 03:36
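The following is an added example, not code from the answer or the comments above. It turns the iptables owner-match rules from the answer into reviewable commands: loopback is left open so local resolvers and localhost services keep working, the same function produces the apply (-A), undo (-D, the point raised in the comments) and check (-C) forms, and a oneshot systemd unit replaces the /etc/rc.local step on hosts that do not have that file. Assumptions: iptables and ip6tables with the owner match installed under /usr/sbin, and "alice" as a placeholder user name. Nothing here calls iptables itself; each function prints the commands so you can read them before piping them to a root shell.

```shell
#!/bin/sh
# Added example (not from the original answer): per-user egress block with
# loopback kept open, plus undo, check and a systemd unit for persistence.
# Assumptions: iptables/ip6tables with the owner match under /usr/sbin;
# "alice" in the usage lines is a placeholder.

# Print the rules for USER. ACTION selects what iptables does with each rule:
#   -A append (apply), -D delete (undo), -C check (exit 0 if the rule exists).
user_egress_rules() {
    user="$1"; action="${2:--A}"
    for tool in iptables ip6tables; do
        # loopback first, so local DNS caches and localhost services still work
        printf '%s %s OUTPUT -o lo -m owner --uid-owner %s -j ACCEPT\n' "$tool" "$action" "$user"
        # everything else the user's sockets send is refused; REJECT fails fast
        printf '%s %s OUTPUT -m owner --uid-owner %s -j REJECT\n' "$tool" "$action" "$user"
    done
}

# Print a oneshot unit that re-applies the rules at boot and removes them on stop.
user_egress_unit() {
    user="$1"
    printf '[Unit]\nDescription=Block outgoing traffic for user %s\n' "$user"
    printf 'Wants=network-pre.target\nBefore=network-pre.target\n\n'
    printf '[Service]\nType=oneshot\nRemainAfterExit=yes\n'
    user_egress_rules "$user" -A | while IFS= read -r cmd; do
        printf 'ExecStart=/usr/sbin/%s\n' "$cmd"
    done
    user_egress_rules "$user" -D | while IFS= read -r cmd; do
        printf 'ExecStop=-/usr/sbin/%s\n' "$cmd"   # "-": ignore failure if already gone
    done
    printf '\n[Install]\nWantedBy=multi-user.target\n'
}

# Usage (as root):
#   user_egress_rules alice | sh                 # apply now
#   user_egress_rules alice -C | sh && echo set  # verify the rules are present
#   user_egress_rules alice -D | sh              # undo without rebooting
#   user_egress_unit alice > /etc/systemd/system/block-alice.service
#   systemctl daemon-reload && systemctl enable --now block-alice.service
```

Two caveats worth keeping in mind. The rules are appended (-A), so if the OUTPUT chain already holds broad ACCEPT rules they will match first and the block never fires; put the pair at the top with -I in that case (insert the REJECT first, then the loopback ACCEPT, so the ACCEPT ends up above it). And the owner match only sees locally generated packets and matches the uid of the process that owns the socket: it does not stop the user from creating, binding or listening on sockets, and anything that runs as a different uid on the user's behalf (sudo, a setuid binary, a local daemon) is outside its reach.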

If firewalld is part of your setup, you can block network access for a specific user using a direct rule, e.g.:

/etc/firewalld/direct.xml:
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <chain ipv="ipv4" 
         table="filter" 
         chain="restrict_user_ipv4"/>
  <rule ipv="ipv4" 
        table="filter" 
        chain="OUTPUT" 
        priority="1">-m owner --uid-owner user -j restrict_user_ipv4</rule>
  <rule ipv="ipv4" 
        table="filter" 
        chain="restrict_user_ipv4" 
        priority="3">-j DROP</rule>
  <chain ipv="ipv6" 
         table="filter" 
         chain="restrict_user_ipv6"/>
  <rule ipv="ipv6" 
        table="filter" 
        chain="OUTPUT" 
        priority="1">-m owner --uid-owner user -j restrict_user_ipv6</rule>
  <rule ipv="ipv6" 
        table="filter" 
        chain="restrict_user_ipv6" 
        priority="3">-j DROP</rule>
</direct>

Don't forget to reload with

# firewall-cmd --reload


  • Big thank you! Googling half day for this. And here are my commands to block internet for a specific user but allow loopback:

    firewall-cmd --direct --permanent --add-chain ipv4 filter no_internet
    firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 1 -m owner --uid-owner some-user -j no_internet
    firewall-cmd --direct --permanent --add-rule ipv4 filter no_internet 2 -d 127.0.0.1/32 -j ACCEPT
    firewall-cmd --direct --permanent --add-rule ipv4 filter no_internet 3 -j DROP
    firewall-cmd --reload

    – Volodymyr Krupach Jun 22 '22 at 10:48
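The following is an added example, not code from the answer or the comment above. It expresses the same per-user block as a native nftables ruleset, for hosts that do not run firewalld at all (firewalld's direct rules are passed straight through to iptables). It keeps loopback open like the comment's no_internet chain, puts the rules in their own table so they can be reloaded or deleted without touching the rest of the firewall, and writes the uid as a number so the file does not depend on name lookup when nft parses it. Assumptions: nft with the "meta skuid" match is available, and the uid 1001 in the usage lines is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original answer or comment): per-user egress
# block as an nftables ruleset in its own table. Assumptions: nft with the
# "meta skuid" match; uid 1001 in the usage lines is a placeholder.

# Resolve a user name to a numeric uid now, so the emitted ruleset does not
# rely on nft resolving the name from the passwd database at load time.
user_uid() {
    case "$1" in
        *[!0-9]*) id -u "$1" ;;            # a name: look it up now
        *)        printf '%s\n' "$1" ;;    # already numeric
    esac
}

# Emit the ruleset. Loopback stays open; every other locally generated packet
# from this user's sockets is counted (useful to confirm the rule is hit) and
# rejected, so the user's applications fail fast instead of hanging.
user_egress_nft() {
    uid=$(user_uid "$1") || return 1
    cat <<EOF
table inet user_egress {
    chain output {
        type filter hook output priority 0; policy accept;
        oif "lo" meta skuid $uid accept
        meta skuid $uid counter reject
    }
}
EOF
}

# Dry-run the ruleset through nft's parser (nft -c applies nothing).
# Exit status: 0 ok, 1 rejected by nft, 2 nft missing or not running as root.
user_egress_nft_check() {
    command -v nft >/dev/null 2>&1 || return 2
    [ "$(id -u)" -eq 0 ] || return 2
    user_egress_nft "$1" | nft -c -f -
}

# Usage (as root):
#   user_egress_nft 1001 | nft -f -          # apply now
#   nft list table inet user_egress          # verify, and read the counter
#   nft delete table inet user_egress        # undo: drops chain and rules at once
```

To persist this, write the output of user_egress_nft to a file and include it from the distribution's nftables configuration (the file nftables.service loads, usually /etc/nftables.conf or a file under /etc/nftables.d). As with the iptables version, this only affects packets sent from sockets owned by that uid: socket creation, bind and listen are not prevented, and anything running as another uid on the user's behalf is not covered.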