
I'm trying to mimic the Windows firewall to define rules by software.

So a program has access to the internet only if it is started by a specific group. I can then create a .sh file for each program that I want to access the internet. Following the question How to control internet access for each program?, I'm trying to block all programs from accessing the internet if they are not started by a specific group.

  1. I created a group has-internet (I did not join this group):

sudo addgroup has-internet

  2. Restarted the PC to be sure the new group is loaded

  3. Added a rule to iptables that prevents all processes not (!) belonging to the group has-internet from using the network (use ip6tables to also prevent IPv6 traffic)

sudo iptables -A OUTPUT -m owner ! --gid-owner has-internet -j DROP

sudo ip6tables -A OUTPUT -m owner ! --gid-owner has-internet -j DROP

Execute ping somesite.xyz (can't connect GOOD! : )

Execute sudo ping somesite.xyz (can't connect GOOD! : )

Execute sudo -g has-internet ping somesite.xyz (can't connect BAD! : (

What am I doing wrong? Please help!!!

EDIT

I tried (just to experiment) to block the group and it works...

sudo iptables -A OUTPUT -m owner --gid-owner has-internet -j DROP

Execute sudo ping somesite.xyz (can connect)

Execute sudo -g has-internet ping somesite.xyz (can't connect)

I don't understand why this way works and the other way round doesn't...?

codeispoetry
  • Did you put an ALLOW rule in that permits that group outbound? Sounds like all you did was to *drop* access for everyone else. What's your iptables default policy for the OUTPUT chain? – Thomas Ward Mar 07 '23 at 17:20
  • CROSSPOSTED: https://unix.stackexchange.com/q/738915 - pick only ONE site and post there, do not cross post as it is considered noisy and there's overlap between Ask Ubuntu and Unix and Linux such that you don't benefit by crossposting. – Thomas Ward Mar 07 '23 at 17:21
  • Thanks Thomas, iptables default policy for the OUTPUT chain is ACCEPT and this is the only rule present. (I will delete the other post). On the other post comment you also mentioned that I should try with another user. So, if I understand, to test it, I create a new user, add new user in has-internet group and then do `sudo -u newuser ping site.xyz` ? (to run command as newuser, I always have to use sudo... Sorry I'm new to linux : o ! – codeispoetry Mar 07 '23 at 17:29
  • If you're new to Linux, why do you want to do this type of lockdown? I ask this because this is an advanced configuration that is going to be *very* difficult to get precisely correct. I only ask this because I want to know your use case/needs first, before going in-depth – Thomas Ward Mar 07 '23 at 17:32
  • As you can imagine I came from Windows. Until 8.1 Windows was OK, but from 10 I don't like the direction it is taking (telemetry, forced updates...). So I'm migrating to Linux. In the Windows firewall you can DROP INPUT and OUTPUT and then open the internet per program (i.e. Firefox). It seems a nice way to prevent any program from phoning home... I'm trying to mimic that scenario. – codeispoetry Mar 07 '23 at 17:36
  • A lot of migrators from Windows (I was one) look for an application-level firewall. That is not an easy thing to find / accomplish on Linux. Try searching this site for "application level firewall" for other approaches. – Organic Marble Mar 07 '23 at 21:53
  • @Organic Marble Thanks for your answer. I've 2 questions: 1) How do you protect yourself if a program decides at one point to phone home? (I know Linux is very secure, but it could happen. In that case you are fully exposed...) 2) Can anybody out there tell me why my code doesn't work? Seems pretty basic: allow only if started from group x. It would be fantastic to know how to solve this mystery for my learning process, because I've been struggling with it for quite a few days!! Thanks again!!! – codeispoetry Mar 08 '23 at 00:05
  • @Thomas Ward I edited my question: the other way round works... but it is not what I want to do... Please tell me what I'm doing wrong; the more I try the less I understand... : ( – codeispoetry Mar 08 '23 at 00:14
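An added example, not from the question or from any of the commenters, showing how this "only group has-internet may go out" policy is built the way iptables actually evaluates it, plus two checks that narrow down a failure like the one above. Two facts drive it. First, iptables stops at the first rule whose target is terminal (ACCEPT, DROP), so an ACCEPT for the group must come before the DROP; a lone `! --gid-owner ... -j DROP` with an ACCEPT policy has no such ACCEPT, but that alone would still let a has-internet socket through. Second, the owner match is evaluated against the process that owns the socket the packet was sent on. A DNS lookup made on behalf of ping by a separate stub resolver (on stock Ubuntu, systemd-resolved running as user systemd-resolve) is therefore judged by the resolver's UID/GID, not ping's, and the negated rule drops it, so `ping somesite.xyz` cannot resolve the name even under `sudo -g has-internet`, while pinging an IP literal would work. That this is the cause on the asker's machine is an assumption here, as is the resolver user name; the group name has-internet is the one from the question, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original question: a group-gated egress ruleset
# and two small checks for it. Assumptions (not in the post): the gating group
# is has-internet, and the local stub resolver runs as user "systemd-resolve".
# Adjust RESOLVER_USER if your system resolves names differently.

NET_GROUP="${NET_GROUP:-has-internet}"
RESOLVER_USER="${RESOLVER_USER:-systemd-resolve}"

# Emit the filter table in iptables-restore(8) format. Rules are evaluated top
# to bottom and the first terminating target wins, so every ACCEPT sits above
# the final DROP. The owner match looks at the socket-owning process, so the
# resolver daemon gets its own narrow ACCEPT (DNS only); without it, name
# lookups made for a has-internet process are dropped under the daemon's UID.
# Note: iptables-restore replaces the whole filter table, so existing
# INPUT/FORWARD rules must be added here too (or load with --noflush).
egress_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --gid-owner $NET_GROUP -j ACCEPT
-A OUTPUT -m owner --uid-owner $RESOLVER_USER -p udp --dport 53 -j ACCEPT
-A OUTPUT -m owner --uid-owner $RESOLVER_USER -p tcp --dport 53 -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: " --log-uid
-A OUTPUT -j DROP
COMMIT
EOF
}

# Check rule order on a rule listing (the text of `iptables -S OUTPUT`, read
# from stdin): exit 0 if the ACCEPT for $NET_GROUP appears before the first
# unconditional DROP, 1 if it is missing or shadowed by an earlier DROP.
rule_order_ok() {
    awk -v grp="$NET_GROUP" '
        /--gid-owner/ && $0 ~ grp && /-j ACCEPT/ && !seen_drop { found = 1 }
        /^-A OUTPUT -j DROP$/ { seen_drop = 1 }
        END { exit found ? 0 : 1 }'
}

# Extract the primary group name from id(1) output read from stdin.
# --gid-owner compares the socket owner's primary GID, which is what
# `sudo -g` sets; membership in a supplementary group is not enough unless
# the rule also carries --suppl-groups (newer iptables releases only).
# Usage: sudo -g has-internet id | primary_group   -> should print has-internet
primary_group() {
    sed -n 's/.* gid=[0-9]*(\([^)]*\)).*/\1/p'
}

# Stand-alone usage: `sh egress.sh emit > egress.rules`, review the file, then
# `sudo iptables-restore < egress.rules` (and the same via ip6tables-restore).
if [ "${1:-}" = "emit" ]; then
    egress_rules
fi
```

Test the loaded policy with an IP literal first (`ping -c 1 <ip>`) and only then with a hostname, so name resolution is separated from the rule itself. The `egress-drop:` lines in the kernel log (`journalctl -k`) carry the UID and GID of the dropped packets' owning process thanks to `--log-uid`, which shows directly whether the resolver, ping, or something else is being stopped; `iptables -S OUTPUT | rule_order_ok` confirms the ACCEPT is not shadowed after later edits.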

0 Answers