Mikeri's tech-babble

2009-03-01

Blocking a user group from your internal network in Linux

I recently found out that iptables features owner matching for TCP packets. This means you can block packets coming from processes that belong to certain groups from reaching your local network.

In my scenario, I have a Debian server being the physical gateway between my local network and the outside world. Some of my friends also have shell accounts on this box, and while I do trust them, it's nice to know they can't reach all my stuff on the local network (like open SMB shares).

So how is this done? It's dead simple once you know how. Add the following iptables rule:

iptables -A OUTPUT -m owner --gid-owner 2000 -d 192.168.0.0/24 -j REJECT

This will block gid 2000 from accessing the 192.168.0.* network. Obviously, change this to suit your own needs. Then add a group called guests or something similar with a matching gid; I just added the following line to /etc/group:

guests:x:2000:

And of course put the guest users into the guest group. You can edit /etc/group by hand or run the following command for each of the users:

usermod -g 2000 guestusername
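The three steps above (create the group, add the rule, move the users into the group) as one idempotent script. This is an added example, not the post's own script: the group name, gid and LAN range are the post's values and are assumptions you should change to match your own setup, and it goes a little beyond the post by adding a rate-limited LOG rule in front of the REJECT so blocked attempts from guest processes show up in syslog. With DRY_RUN=1 it prints the commands instead of running them; without it, run it as root.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the post's steps in
# functions that can be re-run safely, and logs what the REJECT rule drops.
# Values below are the post's; adjust them for your own network.
GUEST_GROUP="${GUEST_GROUP:-guests}"
GUEST_GID="${GUEST_GID:-2000}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The post's rule: locally generated packets from processes running under
# gid $1, destined for the LAN range $2, are rejected.
block_rule_args() {
    echo "OUTPUT -m owner --gid-owner $1 -d $2 -j REJECT"
}

# Same match, logged (rate limited) so blocked attempts are visible in syslog.
log_rule_args() {
    echo "OUTPUT -m owner --gid-owner $1 -d $2 -m limit --limit 5/min -j LOG --log-prefix guest-lan-block:"
}

# Append a rule only if it is not already present (iptables -C exits 0 when it is).
# $1 is a space separated argument string; word splitting is intended.
ensure_rule() {
    if [ -z "$DRY_RUN" ] && iptables -C $1 2>/dev/null; then
        return 0
    fi
    run iptables -A $1
}

# Create the guest group with a fixed gid unless it already exists.
ensure_group() {
    if [ -z "$DRY_RUN" ] && getent group "$1" >/dev/null; then
        return 0
    fi
    run groupadd -g "$2" "$1"
}

# Make the guest group the user's primary group (what the post's usermod -g does).
restrict_user() {
    run usermod -g "$GUEST_GID" "$1"
}

# Check: the owner match only fires for processes whose gid is the guest gid,
# so the user's primary gid must equal it. Exits 0 when the user is restricted.
verify_user_gid() {
    [ "$(id -g "$1" 2>/dev/null)" = "$2" ]
}

main() {
    ensure_group "$GUEST_GROUP" "$GUEST_GID"
    ensure_rule "$(log_rule_args "$GUEST_GID" "$LAN_NET")"
    ensure_rule "$(block_rule_args "$GUEST_GID" "$LAN_NET")"
    for u in "$@"; do
        restrict_user "$u"
        if [ -z "$DRY_RUN" ] && ! verify_user_gid "$u" "$GUEST_GID"; then
            echo "warning: $u does not have primary gid $GUEST_GID" >&2
        fi
    done
}

# Usage: ./guest-lan-block.sh alice bob   (or DRY_RUN=1 ./guest-lan-block.sh alice)
case "$0" in
    *guest-lan-block.sh) main "$@" ;;
esac
```

Two things worth knowing when you use this: the owner match looks at the group id of the process that created the socket, so the restriction only holds for processes that actually run under gid 2000, and `usermod -g` only affects sessions started after the change, which is why the script checks `id -g` for each user afterwards. The LOG rule sits before the REJECT rule deliberately, since a packet stops at the first terminating target; `grep guest-lan-block /var/log/syslog` then shows who tried to reach what.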
