Jump to content
Sign in to follow this  
KobrAs

How to block local users ports and ips

Recommended Posts

Want to block a local user to access a specific port or a specific ip ?

linux-noob.com will help you how to do that :

 

[root@test tmp]# id test

uid=503(test) gid=503(test) groups=503(test)

[root@test tmp]#

(look at uid= and gid=)

 

How to block a local user to access any outside ports ?

iptables -t filter -A OUTPUT -p tcp --dport 6667 --match owner --uid-owner 503 -j DROP

(you may need to change tcp to udp or icmp and --uid-owner to other uid)

 

How to block a local group to access any outside ports ?

(lets find group 'users' gid by doing grep -i users /etc/group)

iptables -t filter -A OUTPUT -p tcp --match owner --gid-owner 100 -j DROP

 

For blocking just specific ports just add --dport port or --sport port after -p protocol

 

iptables -t filter -A OUTPUT -p tcp --dport 6667 --match owner --uid-owner 503 -j DROP

 

iptables -t filter -A OUTPUT -p tcp --dport 6667 --match owner --gid-owner 100 -j DROP

 

How to block a specific range of ports ?

 

iptables -t filter -A OUTPUT -p tcp --dport 1:1024 --match owner --uid-owner 503 -j DROP

(you may need to change the range 1:1024 (all ports from 1 to 1024) and the uid)

 

How to block a specific ip destination or source or a specific class (a 256 ips class) on all protocols and ports or to specific port(s)?

 

destination :

iptables -t filter -A OUTPUT -d 199.9.9.9 --match owner --uid-owner 503 -j DROP

 

source :

iptables -t filter -A OUTPUT -s 199.9.9.9 --match owner --uid-owner 503 -j DROP

 

full class :

iptables -t filter -A OUTPUT -d 199.9.9.0/24 --match owner --uid-owner 503 -j DROP

iptables -t filter -A OUTPUT -s 199.9.9.0/24 --match owner --uid-owner 503 -j DROP

 

specific destination or source specific ports or range :

iptables -t filter -A OUTPUT -d 199.9.9.0/24 --dport 6667 --match owner --uid-owner 503 -j DROP

iptables -t filter -A OUTPUT -d 199.9.9.0/24 --dport 1:1024 --match owner --uid-owner 503 -j DROP

 

(you many need to change tcp to udp or icmp and --gid-owner to other gid)

 

(the ips and ports used here are just examples)

 

Thats all for today.

 

Greets goes out to ... linux-noob.com

Edited by KobrAs

Share this post


Link to post
Share on other sites

thanks Kobras great post !

 

pinned !

 

cheers

 

anyweb

Share this post


Link to post
Share on other sites

nice, proves the power of iptables

Share this post


Link to post
Share on other sites
Guest
You are commenting as a guest. If you have an account, please sign in.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
Sign in to follow this  

×