Paranoid Penguin: Using iptables for Local Security

Mick explains how to use the owner match extension for iptables to prevent local users from violating your network's security protocols.
Miscellaneous Notes on owner Matching and Stunnel

As you can see, the uses of --uid-owner and --gid-owner are pretty straightforward. One thing I haven't mentioned yet is that both options accept either a name, as in the examples, or a numeric ID. iptables resolves a name to its number when the rule is loaded, so the kernel holds only the number: the rule keeps matching that UID or GID even if the account is later renamed, deleted or its ID handed to a new user, which is a good reason to reload your rules whenever you change accounts. Remember, too, that the owner match sees only locally generated packets, so it belongs in the OUTPUT chain; forwarded traffic has no local process to match.

Another issue I've dodged is TCP Wrappers-style access control. On any system that uses TCP Wrappers (or whose stunnel binary was compiled with libwrap support), you must add appropriate entries to /etc/hosts.allow for Stunnel to work properly, whether you run Stunnel in client mode or dæmon mode on that host. This is a good thing; rather than being one more thing capable of preventing Stunnel from working, you should think of it as another layer of your security onion. If a connection is refused and you suspect the wrappers, the tcpdmatch utility that ships with TCP Wrappers will tell you how a given dæmon name and client address would be judged by your hosts.allow and hosts.deny.

Finally, I'm leaving it to you to tinker with --pid-owner and --sid-owner. I will give you a hint, though. Many dæmons write the PID of their master process to a predictable place on startup, for example, /var/run/sshd.pid. By reading such a PID file into a variable in your iptables startup script, you can match packets originating from a specific process. Bear in mind that --pid-owner matches only that exact PID, so for a dæmon that forks a child per connection you will probably want --sid-owner instead, since forked children inherit their parent's session ID. Two caveats: the rule is only as good as the PID file (check that it holds a single number before you use it, and reload the rule whenever the dæmon restarts), and later 2.6-series kernels dropped --pid-owner and --sid-owner as unreliable on SMP systems, so check your iptables man page before relying on them. Good luck!
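The following is an added example, not code from the article or from the iptables project, of a startup-script fragment in POSIX sh that ties the last two points together: it normalises --uid-owner/--gid-owner arguments to numeric IDs (the names-versus-numbers point above), refuses a PID file that does not hold exactly one number, and derives the session ID from /proc so a forking dæmon's children are covered by --sid-owner. The PID-file path /var/run/sshd.pid, the group name tunnelusers and port 5000 in the usage line are assumptions for the example. Set IPTABLES=echo to print the rules instead of loading them; on a kernel that no longer has --pid-owner/--sid-owner, iptables rejects that rule at load time, which is exactly where you want to find out.

```shell
#!/bin/sh
# Added example, not code from the article or from the iptables project.
# Helpers for a startup script that loads owner-match rules.  IPTABLES
# names the binary to run; set IPTABLES=echo to print the rules instead
# of loading them (a dry run that needs no root).
IPTABLES="${IPTABLES:-iptables}"

# --uid-owner/--gid-owner accept a name or a number; iptables resolves a
# name once, at load time, so the kernel only ever holds the number.
# Normalising here makes that explicit and fails loudly on a bad name.
resolve_uid() {
    case "$1" in
        ''|*[!0-9]*) id -u "$1" ;;      # a name: look it up, fail if unknown
        *)           echo "$1" ;;       # already numeric
    esac
}

resolve_gid() {
    case "$1" in
        ''|*[!0-9]*) gid=$(getent group "$1" | cut -d: -f3)
                     [ -n "$gid" ] || return 1
                     echo "$gid" ;;
        *)           echo "$1" ;;
    esac
}

# Read a dæmon's PID file.  Refuse anything that is not exactly one
# positive integer so a missing or corrupt file cannot become a rule.
pid_from_file() {
    pid=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    echo "$pid"
}

# Session ID of a running process, from field 6 of /proc/PID/stat.  The
# comm field (in parentheses) may contain spaces, so strip through the
# closing ") " first; session is then the 4th remaining field.
# --pid-owner matches one exact PID; a forking dæmon's children share
# the session, so --sid-owner is what catches them.
sid_of_pid() {
    [ -r "/proc/$1/stat" ] || return 1
    sed 's/^.*) //' "/proc/$1/stat" | awk '{ print $4 }'
}

# One OUTPUT rule.  owner only matches locally generated packets, so the
# chain is always OUTPUT.  $1 owner flag, $2 its value, $3 TCP port on lo.
owner_rule() {
    $IPTABLES -A OUTPUT -o lo -p tcp --dport "$3" -m owner "$1" "$2" -j ACCEPT
}

# Worked policy: only members of group $2 and the dæmon whose PID file
# is $1 (matched by session, so its children count too) may reach local
# TCP port $3; every other local client of that port is dropped.
load_rules() {
    pidfile=$1 group=$2 port=$3
    pid=$(pid_from_file "$pidfile") || { echo "unusable PID file: $pidfile" >&2; return 1; }
    sid=$(sid_of_pid "$pid")         || { echo "PID $pid is not running" >&2; return 1; }
    gid=$(resolve_gid "$group")      || { echo "unknown group: $group" >&2; return 1; }
    owner_rule --sid-owner "$sid" "$port"
    owner_rule --gid-owner "$gid" "$port"
    $IPTABLES -A OUTPUT -o lo -p tcp --dport "$port" -j DROP
}

# Usage: sh owner-rules.sh load /var/run/sshd.pid tunnelusers 5000
# (path, group and port are assumptions for the example).
if [ "${1:-}" = load ]; then
    shift
    load_rules "$@"
fi
```

The DROP rule comes last on purpose: the two ACCEPT rules are appended first, so a failure to resolve the group or read the PID file aborts before anything is loaded, rather than leaving the port closed to everyone or, worse, open to everyone.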

Mick Bauer (mick@visi.com) is a network security consultant for Upstream Solutions, Inc., based in Minneapolis, Minnesota. He is the author of the upcoming O'Reilly book Building Secure Servers With Linux, composer of the “Network Engineering Polka” and a proud parent (of children).

Comments

A misteak

Christos Georgiou

The code after "Next, we need to allow Stunnel itself to connect to strudel:" calls stunnel instead of iptables.

Also: should the very first rule for -P DROP chains be -m state --state ESTABLISHED,NEW or should it be -m state --state ESTABLISHED,RELATED? Perhaps I am mistaken, but I believe --state NEW permits all new connections.

Thank you!

Anonymous

This is the first article I have read that ended up being a truly step-by-step tutorial on setting up iptables in relation to local host network/port restrictions. A while ago I noticed that iptables had started to support user/group based restrictions, but after my first attempt at setting it up, I threw it on a back burner.

Having read through your article today, I decided to try once again to implement user based restrictions. I found that by following your instructions I was able to get a similar example working on my own machine. This in turn gave me a good grasp of the commands and their usage, so my later attempt to create custom restrictions was a resounding success.

Thank you for making an easy to follow, well thought out, and well explained/summarized article.
