Jump to content

How to block local users ports and ips


Recommended Posts

Want to block a local user to access a specific port or a specific ip ?

linux-noob.com will help you how to do that :

 

[root@test tmp]# id test

uid=503(test) gid=503(test) groups=503(test)

[root@test tmp]#

(look at uid= and gid=)

 

How to block a local user to access any outside ports ?

iptables -t filter -A OUTPUT -p tcp --dport 6667 --match owner --uid-owner 503 -j DROP

(you may need to change tcp to udp or icmp and --uid-owner to other uid)

 

How to block a local group to access any outside ports ?

(lets find group 'users' gid by doing grep -i users /etc/group)

iptables -t filter -A OUTPUT -p tcp --match owner --gid-owner 100 -j DROP

 

For blocking just specific ports just add --dport port or --sport port after -p protocol

 

iptables -t filter -A OUTPUT -p tcp --dport 6667 --match owner --uid-owner 503 -j DROP

 

iptables -t filter -A OUTPUT -p tcp --dport 6667 --match owner --gid-owner 100 -j DROP

 

How to block a specific range of ports ?

 

iptables -t filter -A OUTPUT -p tcp --dport 1:1024 --match owner --uid-owner 503 -j DROP

(you may need to change the range 1:1024 (all ports from 1 to 1024) and the uid)

 

How to block a specific ip destination or source or a specific class (a 256 ips class) on all protocols and ports or to specific port(s)?

 

destination :

iptables -t filter -A OUTPUT -d 199.9.9.9 --match owner --uid-owner 503 -j DROP

 

source :

iptables -t filter -A OUTPUT -s 199.9.9.9 --match owner --uid-owner 503 -j DROP

 

full class :

iptables -t filter -A OUTPUT -d 199.9.9.0/24 --match owner --uid-owner 503 -j DROP

iptables -t filter -A OUTPUT -s 199.9.9.0/24 --match owner --uid-owner 503 -j DROP

 

specific destination or source specific ports or range :

iptables -t filter -A OUTPUT -d 199.9.9.0/24 --dport 6667 --match owner --uid-owner 503 -j DROP

iptables -t filter -A OUTPUT -d 199.9.9.0/24 --dport 1:1024 --match owner --uid-owner 503 -j DROP

 

(you many need to change tcp to udp or icmp and --gid-owner to other gid)

 

(the ips and ports used here are just examples)

 

Thats all for today.

 

Greets goes out to ... linux-noob.com

Edited by KobrAs
Link to post
Share on other sites
  • 6 months later...
Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...