How to block local users ports and ips


2 replies to this topic

#1 KobrAs

KobrAs

    Linux-Noob Member

  • Members
  • 54 posts

Posted 29 December 2004 - 09:42 AM

Want to block a local user from accessing a specific port or a specific IP?
linux-noob.com will show you how to do that:

[root@test tmp]# id test
uid=503(test) gid=503(test) groups=503(test)
[root@test tmp]#
(look at uid= and gid=)

How to block a local user from accessing any outside ports?
iptables -t filter -A OUTPUT -p tcp --match owner --uid-owner 503 -j DROP
(you may need to change tcp to udp or icmp and --uid-owner to another uid)

How to block a local group from accessing any outside ports?
(let's find the gid of group 'users' by doing grep -i users /etc/group)
iptables -t filter -A OUTPUT -p tcp --match owner --gid-owner 100 -j DROP


For blocking just specific ports, add --dport port or --sport port after -p protocol:

iptables -t filter -A OUTPUT -p tcp --dport 6667 --match owner --uid-owner 503 -j DROP


iptables -t filter -A OUTPUT -p tcp --dport 6667 --match owner --gid-owner 100 -j DROP


How to block a specific range of ports ?

iptables -t filter -A OUTPUT -p tcp --dport 1:1024 --match owner --uid-owner 503 -j DROP

(you may need to change the range 1:1024 (all ports from 1 to 1024) and the uid)

How to block a specific destination or source IP, or a whole class (a 256-IP class, i.e. a /24), on all protocols and ports, or on specific port(s)?

destination :
iptables -t filter -A OUTPUT -d 199.9.9.9 --match owner --uid-owner 503 -j DROP


source :
iptables -t filter -A OUTPUT -s 199.9.9.9 --match owner --uid-owner 503 -j DROP


full class :
iptables -t filter -A OUTPUT -d 199.9.9.0/24 --match owner --uid-owner 503 -j DROP

iptables -t filter -A OUTPUT -s 199.9.9.0/24 --match owner --uid-owner 503 -j DROP


specific destination or source, specific ports or range :
iptables -t filter -A OUTPUT -p tcp -d 199.9.9.0/24 --dport 6667 --match owner --uid-owner 503 -j DROP

iptables -t filter -A OUTPUT -p tcp -d 199.9.9.0/24 --dport 1:1024 --match owner --uid-owner 503 -j DROP

(you may need to change tcp to udp or icmp and --gid-owner to another gid)

(the ips and ports used here are just examples)

That's all for today.

Greets goes out to ... linux-noob.com

Edited by KobrAs, 29 December 2004 - 10:15 AM.

f u cn rd ths, u cn gt a gd jb n cmptr prgrmmng.
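The rules above are all of one shape: a protocol, an optional destination or port, and an owner match on the uid, dropped in the OUTPUT chain. The script below is an added example, not part of KobrAs's post, that builds those rules from a user name or uid and prints them as iptables commands; it runs iptables only when APPLY=1 is set, since the owner match needs root and changes live kernel state. The uid 503, the port 6667 and the addresses 199.9.9.9 / 199.9.9.0/24 are taken from the post; the chain insertion position, the REJECT target on the IRC rule and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example: build per-user egress rules for the iptables owner match.
# Not code from the original post. The uid (503), port (6667) and addresses
# (199.9.9.9, 199.9.9.0/24) are the post's sample values; everything else is
# an assumption made for this example. Prints by default; runs iptables only
# with APPLY=1, because the owner match needs root and edits kernel state.

# owner_rule UID_OR_NAME PROTO DPORT DEST [TARGET]
#   PROTO, DPORT and DEST may be "-" for "any". Prints one rule spec for the
#   OUTPUT chain (the owner match only sees locally generated packets, so
#   OUTPUT is the filter chain where it works). --dport is only emitted after
#   -p tcp or -p udp: iptables rejects --dport without a port-carrying protocol.
owner_rule() {
    user=$1 proto=$2 dport=$3 dest=$4 target=${5:-DROP}
    case $user in
        ''|*[!0-9]*) uid=$(id -u "$user" 2>/dev/null) || {
                         echo "owner_rule: unknown user '$user'" >&2; return 1; } ;;
        *) uid=$user ;;
    esac
    spec=""
    if [ "$proto" != - ]; then
        spec="-p $proto"
        if [ "$dport" != - ]; then
            case $proto in
                tcp|udp) spec="$spec --dport $dport" ;;
                *) echo "owner_rule: --dport needs -p tcp or -p udp, got -p $proto" >&2
                   return 1 ;;
            esac
        fi
    elif [ "$dport" != - ]; then
        echo "owner_rule: --dport $dport needs -p tcp or -p udp" >&2
        return 1
    fi
    [ "$dest" != - ] && spec="$spec -d $dest"
    spec="$spec -m owner --uid-owner $uid -j $target"   # -m owner == --match owner
    echo "${spec# }"
}

# emit_rules [UID_OR_NAME]: the post's policy for user 503, one rule per line.
# REJECT on the IRC port gives the user an immediate "connection refused"
# instead of a hang; the other two silently DROP.
emit_rules() {
    u=${1:-503}
    owner_rule "$u" tcp 6667   -            REJECT   # IRC from anywhere
    owner_rule "$u" tcp 1:1024 199.9.9.0/24 DROP     # privileged ports on the /24
    owner_rule "$u" -   -      199.9.9.9    DROP     # all protocols to one host
}

# run [UID_OR_NAME]: print (default) or apply (APPLY=1) the rules.
# -I OUTPUT 1 puts each rule at the top of the chain; with -A it would land
# after any existing "-j ACCEPT" rule and never match. Order among these
# three does not matter, as all of them deny.
run() {
    emit_rules "$@" | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            iptables -t filter -I OUTPUT 1 $rule   # word-splitting is intended
        else
            echo "iptables -t filter -I OUTPUT 1 $rule"
        fi
    done
}

run "$@"
```

Check the result with `iptables -t filter -nvL OUTPUT --line-numbers` (the packet counters on the owner rules should climb when the user tries a connection, and stay at zero for root) and note that `iptables` does not survive a reboot: save the chain with `iptables-save` once it behaves. Two caveats the post does not mention: `-j REJECT` defaults to an ICMP port-unreachable, and for TCP rules `-j REJECT --reject-with tcp-reset` makes clients fail faster; and in the OUTPUT chain `-s` matches the local source address of the outgoing packet, not a remote peer, which is why this example filters remote hosts with `-d` only.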

#2 anyweb

anyweb

    Administrator

  • Admin
  • 3,694 posts

Posted 29 December 2004 - 10:37 AM

Thanks KobrAs, great post!

pinned !

cheers

anyweb
i do windows too

#3 znx

znx

    Linux-Noob GURU

  • Members
  • 1,236 posts

Posted 07 July 2005 - 04:43 PM

nice, proves the power of iptables


