firewall that regulates programs?

Discussion in 'Linux Networking' started by Todd, Oct 8, 2014.

  1. Todd

    Todd Guest

    Hi All,

    Just out of curiosity, is there a way to get iptables or
    equivalent to control what programs get outbound
    access to the Internet?

    Many thanks,
    -T
     
    Todd, Oct 8, 2014
    #1

  2. Chris Davies

    Chris Davies Guest

    No, but you can control what ports (services), and sometimes protocols,
    can be accessed. So if you wanted to block SMTP to tcp/25 that could be
    done. But you cannot block exim, for example, but permit postfix.

    Chris
     
    Chris Davies, Oct 9, 2014
    #2

  3. Todd

    Todd Guest

    Can't tell if you are cracking a joke or are serious.
     
    Todd, Oct 9, 2014
    #3
  4. William Unruh

    William Unruh Guest

    No. However, you can control outbound port access,
    but the system has no idea what program initiated the network request.
     
    William Unruh, Oct 10, 2014
    #4
  5. Denis Corbin

    Denis Corbin Guest

    No, you may have what you need without SELinux complexity:

    Run your programs, daemons like the squid proxy, user programs like the ssh
    client, with appropriate user and/or group ownership
    (using the sg and/or su command, or making use of sudo at your convenience;
    shell aliases and scripts may also help to avoid changing the way users have
    to "play"). Then have a table for each user or group you want to allow
    Internet outbound access:

    iptables -N outernet
    iptables -F outernet
    # first target for users (because more specific than for group)
    iptables -A outernet --match owner --uid-owner clamav -j out_clam
    iptables -A outernet --match owner --uid-owner squid -j out_squid
    [...]
    # second targets for groups
    iptables -A outernet --match owner --gid-owner ssh -j out_ssh
    [...]
    # last the catch all targets to log and drop
    iptables -A outernet -m limit --limit 1/hour --limit-burst 10 \
        -j LOG --log-prefix "Trojan activity? " --log-level 3 --log-uid
    iptables -A outernet -j DROP

    I will not expose what out_clam, out_ssh and other tables contain, but
    whatever, you can then add this 'outernet' table to your interface(s)
    toward Internet:

    # OUTPUT has no input interface, so the outgoing interface is selected with -o
    iptables -I OUTPUT -o eth0 -j outernet

    It works pretty well here for some years now. :)

    Cheers,
    Denis.
     
    Denis Corbin, Oct 11, 2014
    #5
  6. Todd

    Todd Guest

    Thank you!
     
    Todd, Oct 12, 2014
    #6
  7. buck

    buck Guest

    I'm surprised that nobody has mentioned tcpd. To a limited extent,
    you can specify what programs are allowed using it.

    Here is my hosts.deny:
    # hosts.deny This file describes the names of the hosts which are
    # *not* allowed to use the local INET services, as decided
    # by the '/usr/sbin/tcpd' server.
    #
    # Version: @(#)/etc/hosts.deny 1.00 05/28/93
    # Author: Fred N. van Kempen, <
    # End of hosts.deny.

    Here is a snip from my hosts.allow:
    # hosts.allow This file describes the names of the hosts which are
    # allowed to use the local INET services, as decided by
    # the '/usr/sbin/tcpd' server.
    # Version: @(#)/etc/hosts.allow 1.00 05/28/93
    # Author: Fred N. van Kempen, <
    # See NET3-4-HOWTO and `man 5 hosts_access'
    # Format is <service list>: <host list>[: <command>]
    # Eg `wu.ftpd,www: LOCAL' allows both ftp and www
    # Services NOT in inetd.conf are not controlled! www (above) is an example.
    # <service list> is the executable name and is a comma-delimited list
    # Example: telnet line below is not valid; in.telnetd is
    # <host list> may also be a comma-delimited list
    # "spawn"s below tend to be taken as parameters to the executable :{

    ALL: 192.168.2.127: spawn (echo -n "Allow %d from %c at " ; date)
    in.tftpd: 192.168.2.0/255.255.255.0
     
    buck, Oct 12, 2014
    #7
  8. Richard Kettlewell

    Richard Kettlewell Guest

    How many programs use tcpd to control outbound connections?
     
    Richard Kettlewell, Oct 12, 2014
    #8
  9. Chris Cox

    Chris Cox Guest

    You should be able to do this sort of thing to some extent using apparmor.
    Especially if you're an openSUSE fan.
     
    Chris Cox, Oct 12, 2014
    #9