Friday, January 14, 2011

How do you firewall Linux so that unprivileged accounts can only access the web?

I have a Debian server that allows users to log in. I don't mind them accessing the web or downloading files, but I want to otherwise restrict their internet access from that machine. How should I set up my IPTABLES or other firewall to make this work easily?

  • I would suspect you would simply block all inbound and outbound ports for the host except for ports 22 (ssh) and 80 (web). If you're using this computer for your own as well as helping out some friends learn, and require things like email, instant messaging, etc., I would recommend creating a special group just for them that can only access a specific list of applications. I think you may need to specify if this is a stand alone server or a workstation for you + a server for them.

    From bobby
  • This is actually extremely tricky from a technical perspective (the network layer doesn't usually know anything about users; there is no "user" field in a network packet).

    But, Linux, being totally awesome, does have a solution for you. You'll need the iptables "owner" module, and rules along the lines of this:

    # allow all outbound HTTP first; the DROP below only sees what this rule did not match
    iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
    # then drop every other outbound packet generated by UID 500 (the user being restricted)
    iptables -A OUTPUT -o eth0 -m owner --uid-owner 500 -j DROP

    Where "500" is the UID of the user you'd like to block from hitting the net. The first rule just allows all outbound port 80 traffic.

    You probably need to load the owner module before this will work:

    modprobe ipt_owner

    So, add that to your rc.local file, or similar. This assumes, of course, that your system has this module installed. I don't know what package provides it on Debian. It might be in the standard iptables package.

    MarkR : Yes, the owner module can do it. You could also block outbound traffic from processes whose group id is not some group you've authorised.
    David : The owner module only works for locally generated packets, not forwarded packets. So it won't do what you're claiming.
    swelljoe : OP is talking about locally generated packets, isn't he? He said "I have a Debian server that allows users to log in". I assumed that meant the users are local.
    From swelljoe
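    A fuller version of the owner-module approach, as an added example that is not part of swelljoe's answer or any other post here: it restricts a whole Unix group rather than one UID (the variant MarkR mentions) and also permits DNS and HTTPS, without which a "web only" policy does not actually let anyone browse. The group name webonly, the interface eth0 and the xt_owner module being available are assumptions; the script prints the rules so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the original thread): emit an OUTPUT-chain policy that
# lets members of one Unix group (assumed name: webonly) reach only DNS and the web.
# Every rule carries "-m owner --gid-owner", so root daemons and other users are
# untouched. Needs the owner match (xt_owner; ipt_owner on very old kernels).
egress_rules() {
    group="$1"   # group whose processes get restricted, e.g. webonly
    iface="$2"   # outbound interface, e.g. eth0
    # Replies belonging to connections that were already allowed must keep flowing.
    echo "iptables -A OUTPUT -o $iface -m owner --gid-owner $group -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Name resolution over UDP and TCP, or nothing below is usable.
    for proto in udp tcp; do
        echo "iptables -A OUTPUT -o $iface -m owner --gid-owner $group -p $proto --dport 53 -j ACCEPT"
    done
    # Plain and TLS web traffic.
    for port in 80 443; do
        echo "iptables -A OUTPUT -o $iface -m owner --gid-owner $group -p tcp --dport $port -j ACCEPT"
    done
    # Log a rate-limited sample of refused traffic (so you can see what users tried), then drop the rest.
    echo "iptables -A OUTPUT -o $iface -m owner --gid-owner $group -m limit --limit 5/min -j LOG --log-prefix \"$group-drop: \""
    echo "iptables -A OUTPUT -o $iface -m owner --gid-owner $group -j DROP"
}

# Number of rules the policy produces; a quick self-check before applying.
rule_count() {
    egress_rules "$1" "$2" | wc -l | tr -d ' '
}

# Usage (as root): review first, then apply.
#   egress_rules webonly eth0         # print the rules
#   egress_rules webonly eth0 | sh    # apply them
```

    Because the rules are scoped to `-o eth0`, loopback traffic (local mail, a local proxy) is not affected; the same rules could be regenerated for a second interface by calling the function again.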
  • Another option is to configure a proxy server (Squid) somewhere that allows general anonymous internet access but requires a login to do anything else. Then block access from your server at the firewall but allow the proxy through.

    If you only have one machine, I would echo swelljoe's suggestion. Or combine the two ideas and make everything more granular if you prefer :)

    From MikeyB
  • You can use a SELinux policy for this, but unfortunately it's a bit more complicated to set it up than the iptables solution.

  • I did this once using a combination of squid and "name" - a really old linux/unix service that provides the current username. Generally speaking, name is a really really bad idea (as it's unencrypted and you can modify it pretty easily; it's used by irc btw) but for a known set of machines, it works pretty well

    From LordT
  • You're looking for a proxy, along with iptables rules. Use iptables to restrict port access and redirect traffic to the proxy. In the proxy you filter the content you do/don't want getting through. (The owner module only works for packets created on the firewall itself, not the packets coming from your network.)

    From David
