Alexander Farber
2012-Apr-04 09:13 UTC
[CentOS] Block outgoing connections for certain uids (root, apache, nobody)
Good morning

With iptables in CentOS 5 and 6 Linux - how can you please
prevent processes running as "root", "apache" or "nobody"
from initiating outgoing connections?

On CentOS 5 Linux I've tried putting these lines into /etc/sysconfig/iptables:

-A OUTPUT -m owner --uid-owner root -j DROP
-A OUTPUT -m owner --uid-owner apache -j DROP
-A OUTPUT -m owner --uid-owner nobody -j DROP

but unfortunately get the error:

# sudo service iptables restart
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules: iptables-restore v1.4.7: owner: Bad
value for "--uid-owner" option: "apache"
Error occurred at line: 27
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
                                                           [FAILED]

Thank you
Alex
Tony Mountifield
2012-Apr-04 09:21 UTC
[CentOS] Block outgoing connections for certain uids (root, apache, nobody)
In article <CAADeyWhP3MjsPc-MO7aeWzsxsq9pHiBPHO2iU3bo8i0ttJiLcw at mail.gmail.com>,
Alexander Farber <alexander.farber at gmail.com> wrote:
> Good morning
>
> With iptables in CentOS 5 and 6 Linux - how can you please
> prevent processes running as "root", "apache" or "nobody"
> from initiating outgoing connections?
>
> On CentOS 5 Linux I've tried putting these lines into /etc/sysconfig/iptables:
>
> -A OUTPUT -m owner --uid-owner root -j DROP
> -A OUTPUT -m owner --uid-owner apache -j DROP
> -A OUTPUT -m owner --uid-owner nobody -j DROP
>
> but unfortunately get the error:
>
> # sudo service iptables restart
> iptables: Flushing firewall rules:                         [  OK  ]
> iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
> iptables: Unloading modules:                               [  OK  ]
> iptables: Applying firewall rules: iptables-restore v1.4.7: owner: Bad
> value for "--uid-owner" option: "apache"
> Error occurred at line: 27
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>                                                            [FAILED]

Perhaps it doesn't do a username lookup and only understands numeric userids? Try:

-A OUTPUT -m owner --uid-owner 0 -j DROP
-A OUTPUT -m owner --uid-owner 48 -j DROP
-A OUTPUT -m owner --uid-owner 99 -j DROP

(I think those values are standard on CentOS)

Bear in mind that preventing root connections would stop you doing any kind of
updating using yum, unless you have a previous rule allowing http.

Cheers
Tony
--
Tony Mountifield
Work: tony at softins.co.uk - http://www.softins.co.uk
Play: tony at mountifield.org - http://tony.mountifield.org
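Tony's point is that iptables-restore 1.4.7 takes only numeric uids in --uid-owner, so the safe way to keep rules readable is to resolve the names at generation time rather than hard-coding 0/48/99. The script below is an added example, not code from either poster: it resolves names against a constructed passwd excerpt (on a real host you would substitute the output of `getent passwd`), fails loudly on an unknown account instead of emitting a broken rule, and, following the caveat about yum, emits an assumed plain-http ACCEPT for uid 0 ahead of the DROPs.

```shell
#!/bin/sh
# Constructed /etc/passwd excerpt with the uids Tony quoted; on a real host use:
#   PASSWD_DATA=$(getent passwd)
PASSWD_DATA='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin'

# resolve_uid NAME: print the numeric uid for NAME, return 1 if it is unknown.
resolve_uid() {
    uid=$(printf '%s\n' "$PASSWD_DATA" | awk -F: -v n="$1" '$1 == n { print $3; exit }')
    [ -n "$uid" ] || return 1
    printf '%s\n' "$uid"
}

# owner_drop_rules NAME...: print one OUTPUT DROP per account, numeric uids only,
# because iptables-restore v1.4.7 rejects user names in --uid-owner.
# Aborts (exit 1, nothing partial trusted) if any name cannot be resolved.
owner_drop_rules() {
    for name in "$@"; do
        uid=$(resolve_uid "$name") || { echo "unknown user: $name" >&2; return 1; }
        printf '%s\n' "-A OUTPUT -m owner --uid-owner $uid -j DROP"
    done
}

# root_http_allow_rule: assumed allowance for yum over plain http (tcp/80) from
# uid 0; it must precede the root DROP or updates stop working, as Tony notes.
root_http_allow_rule() {
    printf '%s\n' "-A OUTPUT -m owner --uid-owner 0 -p tcp --dport 80 -j ACCEPT"
}

# ruleset NAME...: the fragment to paste into the filter section of
# /etc/sysconfig/iptables, allow rule first, then the per-uid DROPs.
ruleset() {
    root_http_allow_rule
    owner_drop_rules "$@"
}
```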
Lamar Owen
2012-Apr-04 14:15 UTC
[CentOS] Block outgoing connections for certain uids (root, apache, nobody)
On Wednesday, April 04, 2012 05:13:11 AM Alexander Farber wrote:
> Good morning
>
> With iptables in CentOS 5 and 6 Linux - how can you please
> prevent processes running as "root", "apache" or "nobody"
> from initiating outgoing connections?

This sounds more like something an SELinux rule could do better, and on a per-process basis. Now, I don't have such a rule or policy file written, but I think for this purpose SELinux is the right tool to try to use. You might have to go from the rather lenient 'targeted' policy to the rather difficult to use 'strict' policy to make it happen, though.

Dan Walsh is on here, and he's the expert, so maybe he'll weigh in.