
I typed:

netstat -atlpvn

and noticed that applications like gedit and python had foreign addresses outside the network (the network being a single computer connected to the internet).

Is there any way for me to restrict which applications are allowed outgoing? For example, I would only want firefox to have outgoing connections?

Thanks

artella

3 Answers


EDIT: this solution doesn't work since kernel 2.6.14. See Gilles' comment.

You can use iptables rules in the output chain matching processes names with the --cmd-owner option. Something like:

iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   # keep already-open connections working
iptables -A OUTPUT -m owner --cmd-owner "firefox-bin" -j ACCEPT     # allow the Firefox binary
iptables -A OUTPUT -m owner --cmd-owner "ssh" -j ACCEPT             # allow ssh
iptables -A OUTPUT -j DROP                                          # everything else (DROP: there is no DENY target)

With that you permit output traffic from firefox-bin, ssh and established connections.

itorres
    `--cmd-owner` isn't documented or recognized on my machine. Ah, it existed, but [disappeared in kernel 2.6.14](http://www.network-builders.com/iptables-kernel-owner-module-t103044.html). – Gilles 'SO- stop being evil' Dec 28 '11 at 20:38
  • Ouch. It's been a long time since I did that for the last time. Thanks for the note, Gilles. – itorres Dec 28 '11 at 20:47

As far as I know, the only way to restrict Internet connectivity on an application-by-application basis is through SELinux capabilities, and it involves giving applications that must have Internet connectivity additional privileges. I doubt that giving Firefox additional privileges will contribute to security, and an application that tries to access the Internet could do it through Firefox or wget or some other “legitimate” application anyway. Furthermore, for scripts, I think you'd have to give the capabilities to the interpreter (e.g. /usr/bin/python) which doesn't discriminate in any useful way.

You can restrict Internet connectivity on a user-by-user basis; see bind software to different network interfaces and Dual network connection for examples. Or you can run applications that you don't want to grant Internet connectivity to in a lightweight virtual environment such as LXC.


You would probably need an app like LeopardFlower which allows per-application firewalling. Other than that, create a separate account, launch firefox under it, and use a rule like iptables -A OUTPUT -m owner --uid-owner 1005 -j DROP to block all traffic of that user.

Jim
  • Hi thanks, I discovered a similar solution last night, inspired by the following article: http://unix.stackexchange.com/questions/21650/how-to-restrict-internet-access-for-a-particular-user-on-the-lan-using-iptables So basically I logged in as a different user, started firefox, and then ssh'ed into a separate account which had user restrictions as specified in the article, and used (under this restricted user profile) all the applications which I did not want to have internet access. – artella Dec 29 '11 at 18:27
  • That is, once I had ssh'ed into the restricted account I typed: "sudo iptables -t mangle -A OUTPUT -o eth0 -m owner --uid-owner 1234 -j DROP" where 1234 was the uid number of the restricted account. – artella Dec 29 '11 at 18:32
  • As an extension to this, I have asked another question here : http://serverfault.com/questions/345110/running-root-script-upon-sshing-as-a-particular-user-but-not-upon-standard-log Thanks in advance for any help. – artella Dec 29 '11 at 18:54
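The per-user owner-match approach from Jim's answer and artella's comments, written out as an added example that is not part of the original posts: a POSIX shell script that generates (and, as root, applies) the OUTPUT rules for one restricted account, keeping loopback open and logging blocked attempts so you can see which program tried to connect. The account name nonet and the interface eth0 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answers). Generates the iptables
# OUTPUT rules for one restricted Linux account, so that whatever you launch
# as that account cannot reach the Internet. Assumptions: the account is
# called "nonet" and the Internet-facing interface is eth0.
set -eu

RESTRICTED_USER="${RESTRICTED_USER:-nonet}"   # assumed account name
WAN_IF="${WAN_IF:-eth0}"                      # assumed outbound interface

# Resolve an account name to its numeric uid; a uid is unambiguous in the
# rule and survives a later rename of the account.
uid_of() {
    id -u "$1"
}

# Print the rules rather than running them, so they can be reviewed and
# tested without root. The owner match is only valid in OUTPUT (and
# POSTROUTING), because only locally generated packets have an owner.
owner_block_rules() {
    uid="$1"
    # Keep loopback open so local IPC (X11 over TCP, D-Bus, etc.) still works.
    echo "iptables -A OUTPUT -o lo -m owner --uid-owner $uid -j ACCEPT"
    # Log blocked attempts (rate-limited) so the kernel log shows which
    # program tried to phone home, then drop them.
    echo "iptables -A OUTPUT -o $WAN_IF -m owner --uid-owner $uid -m limit --limit 5/min -j LOG --log-prefix \"nonet-drop uid=$uid: \""
    echo "iptables -A OUTPUT -o $WAN_IF -m owner --uid-owner $uid -j DROP"
}

# Apply the generated rules (needs root). Rules do not survive a reboot
# unless saved with your distribution's iptables-save mechanism.
apply_rules() {
    owner_block_rules "$(uid_of "$RESTRICTED_USER")" | sh -e
}

# Launch a program as the restricted account. GUI programs additionally need
# the X server to admit that user (the thread used ssh -X; xhost also works).
run_restricted() {
    sudo -u "$RESTRICTED_USER" -H "$@"
}

# Usage:  ./nonet.sh apply        (as root, once)
#         ./nonet.sh run gedit    (afterwards, as your normal user)
case "${1:-}" in
    apply) apply_rules ;;
    run)   shift; run_restricted "$@" ;;
    *)     echo "usage: $0 apply | run <program> [args]" >&2 ;;
esac
```

Blocked attempts appear in the kernel log (dmesg or journalctl -k) with the nonet-drop prefix, which is how you confirm that gedit or python were the ones reaching out.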