
With iptables on CentOS 5 and 6 Linux, how can you prevent processes running as root, apache or nobody from initiating outgoing connections?

On CentOS 5 Linux I've tried putting these lines into /etc/sysconfig/iptables:

-A OUTPUT -m owner --uid-owner root -j DROP
-A OUTPUT -m owner --uid-owner apache -j DROP
-A OUTPUT -m owner --uid-owner nobody -j DROP

but unfortunately get the error:

# sudo service iptables restart
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules: iptables-restore v1.4.7: owner: Bad value for "--uid-owner" option: "apache"
Error occurred at line: 27
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
                                                           [FAILED]
  • You cannot do it using iptables. iptables only checks the IP packets, and there is no information about the UID/GID in there. iptables can only block packets by the source/destination fields, ports, ... – Goez Apr 04 '12 at 09:00
  • I know that OpenBSD's pf can do it. And also there seems to be the -m owner in Linux iptables too. So maybe you're wrong? – Alexander Farber Apr 04 '12 at 09:04
  • If I check my man page, -m stands for match (module) and not for the owner; maybe there is a module for the owner of the process, not sure. – Goez Apr 04 '12 at 09:13
  • In my understanding "-m owner" says to iptables: "please load the 'owner' module, so we can do things" – Alexander Farber Apr 04 '12 at 09:14
  • Just checked, there is indeed an owner module. Never heard of it before. But it works with numeric IDs, so he will have to alter his rule – Goez Apr 04 '12 at 09:17

1 Answer


Try using the numeric UID instead of the name. For example:

-A OUTPUT -m owner --uid-owner 400 -j DROP

instead of

-A OUTPUT -m owner --uid-owner apache -j DROP

You can find the UID by typing

id user
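As an added example (not part of the question or the answer above), a small POSIX shell helper that resolves each user name to its numeric UID and prints the OUTPUT rules in the form the answer recommends, so the file handed to iptables-restore never contains a name. The passwd entries it uses are constructed for the demonstration; on a real host the lookup defaults to /etc/passwd.

```shell
#!/bin/sh
# Added example: emit owner-match OUTPUT rules with numeric UIDs instead of
# user names, which is what iptables-restore accepts for --uid-owner.

# Resolve a user name to its numeric UID from a passwd-format file.
# Usage: uid_of NAME [PASSWD_FILE]   (PASSWD_FILE defaults to /etc/passwd)
# Prints the UID; returns 1 if the name is not found.
uid_of() {
    name=$1
    passwd=${2:-/etc/passwd}
    # A value that is already numeric is passed through unchanged.
    case $name in
        ''|*[!0-9]*) ;;
        *) printf '%s\n' "$name"; return 0 ;;
    esac
    awk -F: -v n="$name" '$1 == n { print $3; found = 1; exit } END { exit !found }' "$passwd"
}

# Print one DROP rule for the OUTPUT chain, keyed on the numeric UID.
# Usage: drop_rule NAME [PASSWD_FILE]
drop_rule() {
    uid=$(uid_of "$1" "${2:-/etc/passwd}") || {
        printf 'error: unknown user %s\n' "$1" >&2
        return 1
    }
    printf '%s\n' "-A OUTPUT -m owner --uid-owner $uid -j DROP"
}

# Constructed passwd excerpt for the demonstration (not a real system file).
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
EOF

# Generate the three rules from the question with numeric UIDs.
for u in root apache nobody; do
    drop_rule "$u" "$SAMPLE_PASSWD"
done
rm -f "$SAMPLE_PASSWD"
```

Redirect the loop's output into the OUTPUT section of /etc/sysconfig/iptables; a misspelled or missing user makes drop_rule fail instead of writing a rule that iptables-restore will reject at boot.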