Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
How to block local users ports and ips
#1

Want to block a local user to access a specific port or a specific ip ?

linux-noob.com will help you how to do that :

 

[root@test tmp]# id test

uid=503(test) gid=503(test) groups=503(test)

[root@test tmp]#

(look at uid= and gid=)

 

How to block a local user to access any outside ports ?



Code:
iptables -t filter -A OUTPUT -p tcp --dport 6667 --match owner --uid-owner 503 -j DROP




(you may need to change tcp to udp or icmp and --uid-owner to other uid)

 

How to block a local group to access any outside ports ?

(lets find group 'users' gid by doing grep -i users /etc/group)



Code:
iptables -t filter -A OUTPUT -p tcp --match owner --gid-owner 100 -j DROP




 

For blocking just specific ports just add --dport port or --sport port after -p protocol

 



Code:
iptables -t filter -A OUTPUT -p tcp --dport 6667 --match owner --uid-owner 503 -j DROP




 



Code:
iptables -t filter -A OUTPUT -p tcp --dport 6667 --match owner --gid-owner 100 -j DROP




 

How to block a specific range of ports ?

 



Code:
iptables -t filter -A OUTPUT -p tcp --dport 1:1024 --match owner --uid-owner 503 -j DROP




(you may need to change the range 1:1024 (all ports from 1 to 1024) and the uid)

 

How to block a specific ip destination or source or a specific class (a 256 ips class) on all protocols and ports or to specific port(s)?

 

destination :



Code:
iptables -t filter -A OUTPUT -d 199.9.9.9 --match owner --uid-owner 503 -j DROP




 

source :



Code:
iptables -t filter -A OUTPUT -s 199.9.9.9 --match owner --uid-owner 503 -j DROP




 

full class :



Code:
iptables -t filter -A OUTPUT -d 199.9.9.0/24 --match owner --uid-owner 503 -j DROP






Code:
iptables -t filter -A OUTPUT -s 199.9.9.0/24 --match owner --uid-owner 503 -j DROP




 

specific destination or source specific ports or range :



Code:
iptables -t filter -A OUTPUT -d 199.9.9.0/24 --dport 6667 --match owner --uid-owner 503 -j DROP






Code:
iptables -t filter -A OUTPUT -d 199.9.9.0/24 --dport 1:1024 --match owner --uid-owner 503 -j DROP




 

(you many need to change tcp to udp or icmp and --gid-owner to other gid)

 

(the ips and ports used here are just examples)

 

Thats all for today.

 

Greets goes out to ... linux-noob.com

Reply
#2

thanks Kobras great post !

 

pinned !

 

cheers

 

anyweb

Reply
#3
nice, proves the power of iptables
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)