[ubuntu-hardened] iptables: restrict user, programs with 'owner' module.
daniel curtis
sidetripping at gmail.com
Sun Nov 6 15:27:34 UTC 2016
Hi,
I would like to ask a question about iptables(8) used with the 'owner' module.
As we know, this module attempts to match various characteristics of the
packet creator, for locally generated packets etc. Of course, the 'owner' module
can be used only with the OUTPUT and POSTROUTING chains. In my case it's about
the INPUT chain.
So, is it worth creating/using rules containing '-m owner --uid-owner'? In
such a way, I can - for example - deny all applications and users access to
the internet and allow connections only for me, right? Can it be considered
a more secure solution and some system hardening? Of course there are
programs which need access to the internet, but... that's not a part of
this discussion.
If it is okay, and the 'uid' number for a user (via the id(1) command) is, let's say,
1000, then an iptables(8) rule should look like:
iptables -A OUTPUT -o eth0 -m owner --uid-owner 1000 -j ACCEPT
iptables -A OUTPUT -o eth0 -m owner --uid-owner user -j ACCEPT
iptables -A OUTPUT -j REJECT --reject-with icmp-host-prohibited
Now, as an example we will take Firefox: with the pidof(8) utility I can find
the process ID of a running program, right? So in a firewall script I
create:
FIRE_PID=`pidof firefox`
iptables -A OUTPUT -p tcp -m owner --pid-owner $FIRE_PID -j ACCEPT
Of course I also have to add a rule with the 'RELATED,ESTABLISHED' directions.
And what about system updates? Is it sufficient to use such a rule?:
iptables -A OUTPUT -p tcp -d security.debian.org --dport 80 -j ACCEPT
Another example: SOME_APPS only needs outbound access to UDP port 443.
So I can restrict it to use only this port with the following iptables(8)
rule:
iptables -A OUTPUT -m owner --uid-owner SOME_APPS -p udp --dport 443 -j ACCEPT
According to all of the above - could it be treated as a more secure solution?
What is your opinion? Does any of you benefit from such a solution? If -
for example - I would like to allow outbound connections only for one user,
should I use '--dport 1024:65535'? There are so many possibilities with
the 'owner' module.
Best regards.
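The per-user egress policy discussed in this post, as an added example that is not part of the original message: it assumes the egress interface is eth0, the interactive user has uid 1000, the restricted program runs as a hypothetical dedicated account 'someapp', and package updates run as root. It keys the restricted program on its own uid rather than '--pid-owner', which current iptables and kernels no longer provide; DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: per-user egress policy built on the iptables 'owner' match.
# Assumptions (not from the post): egress interface eth0, interactive user
# uid 1000, a dedicated 'someapp' account for the restricted program, and
# updates fetched as root. DRY_RUN=1 prints each rule instead of applying it.
set -eu

# Emit one rule: apply it with iptables, or print it in dry-run mode.
rule() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Build the whole OUTPUT policy. Needs root unless DRY_RUN=1.
build_output_policy() {
    iface="$1"; user_uid="$2"; app_user="$3"
    rule -F OUTPUT
    # Loopback, and replies belonging to connections already accepted.
    rule -A OUTPUT -o lo -j ACCEPT
    rule -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # The interactive user may open any outbound connection.
    rule -A OUTPUT -o "$iface" -m owner --uid-owner "$user_uid" -j ACCEPT
    # Updates: only root, only to the mirror, only TCP/80. The hostname is
    # resolved once, when the rule is loaded, not per packet.
    rule -A OUTPUT -o "$iface" -p tcp -d security.debian.org --dport 80 \
         -m owner --uid-owner 0 -j ACCEPT
    # The restricted program gets exactly UDP/443 and nothing else.
    rule -A OUTPUT -o "$iface" -p udp --dport 443 \
         -m owner --uid-owner "$app_user" -j ACCEPT
    # Log (rate-limited) and reject everything else so blocked programs
    # fail fast instead of hanging on a silent drop.
    rule -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-deny: "
    rule -A OUTPUT -j REJECT --reject-with icmp-host-prohibited
}

# Number of append (-A) rules the policy emits in dry-run mode.
policy_rule_count() {
    ( DRY_RUN=1; build_output_policy eth0 1000 someapp ) | grep -c '^iptables -A'
}
```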