SITUATION:
I recently found the following shell script that works with iptables to block all internet access to/from the Linux OS, except for terminals opened that were in a group called internet:
CODE:
This might sound complicated, but it’s simple. First, create the “internet” group like so:
sudo groupadd internet
Then, save this into a script:
#!/bin/sh
# Firewall apps - only allow apps run from "internet" group to run

# clear previous rules
sudo iptables -F

# accept packets for internet group
sudo iptables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT

# also allow local connections
sudo iptables -A OUTPUT -p tcp -d 127.0.0.1 -j ACCEPT
sudo iptables -A OUTPUT -p tcp -d 192.168.0.1/24 -j ACCEPT

# reject packets for other users
sudo iptables -A OUTPUT -p tcp -j REJECT

# open a shell with internet access
sudo -g internet -s
source: https://plus.google.com/+TobyKurien/posts/YZhZJCZmGgm
QUESTION:
Is the following interpretation of the events taking place correct?
sudo groupadd internet
A group called internet is created
sudo iptables -F
All current rules in iptables are cleared
sudo iptables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT
I’m having trouble with this one… -A OUTPUT tells the terminal to append/add a rule, then according to the documentation -p is “The protocol of the rule or of the packet to check”, so -p tcp seems to be placing a rule that only reflects the tcp protocol, but what if I want to watch a stream on youtube/twitch? Does udp need to be included, and if so, how would I include it? Then there is the -m (for match). I read the documentation and I am not sure what it does. Right now, I have no idea what -m owner --gid-owner internet -j means. From the comment # accept packets for internet group I understand what the code does, but I want to understand what each element is doing in order to get to that conclusion.
Answers:
Method 1
Your interpretation is correct.
If you want the whole thing to also apply to UDP packets, you have to add the same set of rules once again, but with -p udp instead of -p tcp. Or just leave out this option and have the rules apply to all packets (though there could be some gotchas with ICMP packets, so it’s probably safer to just add both kinds of rules). However, you’ll need TCP in the first place to access e.g. Youtube, so even if streaming from Youtube used UDP, you wouldn’t be able to watch a stream, because you’ll never get this far.
The option -m selects which kind of match to use. You can match on lots of different criteria, and there are even extensions to iptables (man iptables-extensions) with even more matching modules. Here, -m owner selects match by ownership of packets, and --gid-owner specifies to match group ownership. So both options together mean “this rule applies only to packets that are sent from someone in group internet”.
The option -j (originally “jump”) specifies what to do when the rule matches. You can jump to a different chain, or you can ACCEPT (stop processing rules and send this packet), or you can REJECT (stop processing rules and ignore this packet).
The next two rules allow packets (ACCEPT) for special destinations (-d), no matter what group the sending application is in, and the last rule drops all packets (REJECT) that didn’t match the previous rules. So it’s this last rule that does the actual blocking.
There are plenty of tutorials for iptables on the internet, google a bit and pick one you like if you want to learn more details. Some random links that I found useful in the past:
- http://developer.gauner.org/doc/iptables/images/nfk-traversal.png
- http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-7.html#ss7.2
- http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.html
- http://www.iptables.info/en/iptables-targets-and-jumps.html
- https://www.frozentux.net/documents/iptables-tutorial/
- https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
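As an added example (my own, not the script from the question or the answer), here is the same group-based filter with the rule set duplicated for TCP and UDP, which is what the answer recommends instead of a protocol-less catch-all. It prints the iptables commands by default so the rule order can be inspected without root; pass apply as the first argument to run them through sudo. The group name internet and the LAN range 192.168.0.0/24 are taken over from the question's script as assumptions; change them for your network.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Assumed values: group "internet", LAN 192.168.0.0/24 (override via env).
NET_GROUP="${NET_GROUP:-internet}"
LAN="${LAN:-192.168.0.0/24}"

# rules_for PROTO: emit the OUTPUT-chain rules for one protocol.
# The owner match only works in the OUTPUT (and POSTROUTING) chain,
# because only locally generated packets have an owning process.
rules_for() {
    proto="$1"
    # packets from processes running under $NET_GROUP are accepted ...
    echo "iptables -A OUTPUT -p $proto -m owner --gid-owner $NET_GROUP -j ACCEPT"
    # ... as is anything to localhost or the LAN, whatever the group ...
    echo "iptables -A OUTPUT -p $proto -d 127.0.0.1 -j ACCEPT"
    echo "iptables -A OUTPUT -p $proto -d $LAN -j ACCEPT"
    # ... and everything else of this protocol is rejected. This is the
    # rule that actually blocks: it only fires when no earlier rule matched.
    echo "iptables -A OUTPUT -p $proto -j REJECT"
}

# gen_rules: the complete rule set, one block per protocol. ICMP is
# deliberately left alone (no "-p icmp ... -j REJECT"), which sidesteps
# the gotcha of a REJECT rule without -p that would also eat ICMP.
gen_rules() {
    echo "iptables -F OUTPUT"
    rules_for tcp
    rules_for udp    # also covers DNS lookups made by group members
}

# count_rejects: number of REJECT rules in the set (one per protocol).
count_rejects() {
    gen_rules | grep -c -- '-j REJECT'
}

if [ "${1:-}" = "apply" ]; then
    gen_rules | sed 's/^/sudo /' | sh
    sudo iptables -S OUTPUT      # show what was installed, in order
    sudo -g "$NET_GROUP" -s      # shell whose processes may reach the internet
else
    gen_rules                    # dry run: print the commands only
fi
```

Because the REJECT rules carry -p tcp and -p udp, a packet of any other protocol falls through to the chain's default policy; keep that in mind if you later change the OUTPUT policy from ACCEPT to DROP.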
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.