1

I wish to block all outgoing connections from a particular user user after they have ssh'd into my server (running RHEL 7.4), that is, user should not be able to ssh into/ping other servers on the network.

I initially configured the following firewall-cmd rule, and it was working.

firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 -m owner --uid-owner user -j DROP

However, user now needs to access Jupyter Notebook also running on the same server (http://localhost:8888), but was unable to. There was an error about the websocket. Once the firewall rule above was removed, user can access the Notebook.

I'm not sure why user was unable to access localhost, because I thought the rule only blocks outgoing connections.

How do I allow user to access localhost on any port, or a specific port range, while still blocking network access to everywhere else?

Rayne
  • 201
  • 2
  • 13

1 Answers1

2

As djdomi mentioned, you'd like to add an exception before that DROP rule you already have. This could work

firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 -m owner --uid-owner user --dport=8888 -j ACCEPT

Place it before the rule yuo already have.

BR

Alfredo Campos Enríquez
  • 21
  • 1
  • I was wondering what exception to add. I saw an answer online where the exception added was `-o lo` to allow for local services, so I'll try that and the port like you suggested. Do you know why the DROP rule did not allow for access to the localhost? I thought it was only supposed to block outgoing connections, and access to 127.0.0.1 should still be allowed. Or is it blocking all ports, regardless of the IP (internal or not)? – Rayne Apr 01 '22 at 03:37
  • deny is deny and will impact always first. if you do not allow ita denied. thats the easiest way to explain the process and situation – djdomi Apr 02 '22 at 18:29