firewall that regulates programs?

Discussion in 'Linux Networking' started by Todd, Oct 8, 2014.

  1. Todd

    Todd Guest

    Hi All,

    Just out of curiosity, is there a way to get iptables or an
    equivalent to control which programs get outbound
    access to the Internet?

    Many thanks,
    Todd, Oct 8, 2014

  2. Chris Davies

    Chris Davies Guest

    No, but you can control what ports (services), and sometimes protocols,
    can be accessed. So if you wanted to block SMTP to tcp/25, that could be
    done. But you cannot block exim, for example, but permit postfix.

    Chris Davies, Oct 9, 2014

  3. Todd

    Todd Guest

    Can't tell if you are cracking a joke or are serious.
    Todd, Oct 9, 2014
  4. William Unruh

    William Unruh Guest

    No. However, you can control outbound port access.
    But the system has no idea what program initiated the network request.
    William Unruh, Oct 10, 2014
  5. Denis Corbin

    Denis Corbin Guest

    No, you may have what you need without SELinux complexity:

    Run your programs, daemons like the squid proxy, user programs like the ssh
    client, with appropriate user and/or group ownership
    (using the sg and/or su command, or making use of sudo at your convenience;
    shell aliases and scripts may also help to avoid changing the way users have
    to "play"). Then have a table for each user or group you want to allow
    Internet outbound access:

    # the chains out_clam, out_squid and out_ssh must already exist (iptables -N ...)
    iptables -N outernet
    iptables -F outernet
    # first target for users (because more specific than for group)
    iptables -A outernet --match owner --uid-owner clamav -j out_clam
    iptables -A outernet --match owner --uid-owner squid -j out_squid
    # second targets for groups
    iptables -A outernet --match owner --gid-owner ssh -j out_ssh
    # last the catch all targets to log (rate limited) and drop
    iptables -A outernet --match limit --limit 1/hour --limit-burst 10 \
        -j LOG --log-prefix "Trojan activity? " --log-level 3
    iptables -A outernet -j DROP

    I will not expose what out_clam, out_ssh and the other tables contain, but
    whatever; you can then add this 'outernet' table to your interface(s)
    toward the Internet:

    # OUTPUT matches on the outgoing interface, so -o (not -i, which is rejected in OUTPUT)
    iptables -I OUTPUT -o eth0 -j outernet

    It has worked pretty well here for some years now. :)

    Denis Corbin, Oct 11, 2014
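    The following is an added example, not code from the thread or from any of its
    posters. It builds the per-user / per-group egress policy sketched in the post
    above (owner-keyed dispatch chain, one chain per principal, rate-limited LOG and
    DROP for the rest) in iptables-restore format, so the rules can be reviewed, and
    checked, before they are loaded. The interface name, the sample principals and
    ports, and the out_<name> chain naming are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not code from the thread). Builds the per-user / per-group
# egress policy sketched in the post above, in iptables-restore format, so
# it can be reviewed before it is loaded. Assumptions for illustration:
# the interface name, the sample principals and ports, and the out_<name>
# chain naming.

EGRESS_IF="${EGRESS_IF:-eth0}"

# Constructed sample policy, one principal per line:
#   kind:name:proto:ports    (kind = uid | gid, ports = multiport list)
SAMPLE_POLICY='uid:clamav:tcp:80,443
uid:squid:tcp:80,443
gid:ssh:tcp:22'

# Print a complete *filter fragment for policy $1 on interface $2.
gen_ruleset() {
    policy="$1" ifname="$2"
    printf '*filter\n'
    printf ':outernet - [0:0]\n'
    # Declare every per-principal chain first: a -j to an undeclared
    # chain makes iptables-restore reject the whole file.
    printf '%s\n' "$policy" | while IFS=: read -r kind name proto ports; do
        [ -n "$name" ] || continue
        printf ':out_%s - [0:0]\n' "$name"
    done
    # Replies on connections already accepted need no owner check; this
    # also covers packets the kernel itself emits, which carry no owner.
    printf '%s\n' '-A outernet -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Dispatch on the owner of the sending socket: users before groups,
    # because a uid rule is more specific than a gid rule.
    for want in uid gid; do
        printf '%s\n' "$policy" | while IFS=: read -r kind name proto ports; do
            [ "$kind" = "$want" ] || continue
            printf '%s -m owner --%s-owner %s -j out_%s\n' '-A outernet' "$kind" "$name" "$name"
        done
    done
    # Per-principal chains: only the listed ports, everything else dropped,
    # so a compromised daemon cannot reach arbitrary destinations.
    # (A process that does its own DNS lookups also needs udp/53 here.)
    printf '%s\n' "$policy" | while IFS=: read -r kind name proto ports; do
        [ -n "$name" ] || continue
        printf '%s -p %s -m multiport --dports %s -j ACCEPT\n' "-A out_$name" "$proto" "$ports"
        printf '%s -j DROP\n' "-A out_$name"
    done
    # Catch-all: rate-limited LOG so a chatty process cannot flood syslog, then DROP.
    printf '%s\n' '-A outernet -m limit --limit 1/hour --limit-burst 10 -j LOG --log-prefix "Trojan activity? " --log-level 3'
    printf '%s\n' '-A outernet -j DROP'
    # Hook into OUTPUT. OUTPUT sees the *outgoing* interface, so the match
    # is -o; -i is only valid in INPUT/FORWARD and is rejected in OUTPUT.
    printf '%s -o %s -j outernet\n' '-A OUTPUT' "$ifname"
    printf 'COMMIT\n'
}

# Sanity checks that need no root: no -i in OUTPUT, every jump target declared.
ruleset_is_consistent() {
    rs="$1"
    printf '%s\n' "$rs" | grep -q -e '^-A OUTPUT -i ' && return 1
    for tgt in $(printf '%s\n' "$rs" | sed -n 's/.* -j \(out_[A-Za-z0-9_]*\).*/\1/p' | sort -u); do
        printf '%s\n' "$rs" | grep -q -e "^:$tgt " || return 1
    done
    return 0
}

RULESET=$(gen_ruleset "$SAMPLE_POLICY" "$EGRESS_IF")
printf '%s\n' "$RULESET"
# Load as root:  gen_ruleset "$SAMPLE_POLICY" eth0 | iptables-restore --noflush
# Check:         sudo -u clamav curl -sI https://example.com   (passes)
#                sudo -u nobody curl -sI https://example.com   (dropped and logged)
```

    The owner match only has meaning in OUTPUT (and nat POSTROUTING), which is why
    the dispatch chain is hooked there; it keys on the uid/gid of the socket that
    sent the packet, not on the executable, so any binary run as that user inherits
    the same permission. Loading with --noflush keeps whatever else is in the filter
    table; without it the whole table is replaced by the fragment.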
  6. Todd

    Todd Guest

    Thank you!
    Todd, Oct 12, 2014
  7. buck

    buck Guest

    I'm surprised that nobody has mentioned tcpd. To a limited extent,
    you can specify what programs are allowed using it.

    Here is my hosts.deny:
    # hosts.deny This file describes the names of the hosts which are
    # *not* allowed to use the local INET services, as
    # by the '/usr/sbin/tcpd' server.
    # Version: @(#)/etc/hosts.deny 1.00 05/28/93
    # Author: Fred N. van Kempen, <
    # End of hosts.deny.

    Here is a snip from my hosts.allow:
    # hosts.allow This file describes the names of the hosts which are
    # allowed to use the local INET services, as decided by
    # the '/usr/sbin/tcpd' server.
    # Version: @(#)/etc/hosts.allow 1.00 05/28/93
    # Author: Fred N. van Kempen, <
    # See NET3-4-HOWTO and `man 5 hosts_access'
    # Format is <service list>: <host list>[: <command>]
    # Eg `wu.ftpd,www: LOCAL' allows both ftp and www
    # Services NOT in inetd.conf are not controlled! www (above) is an
    # <service list> is the executable name and is a comma-delimited list
    # Example: telnet line below is not valid; in.telnetd is
    # <host list> may also be a comma-delimited list
    # "spawn"s below tend to be taken as parameters to the executable :{

    # daemon list : client list : option -- spawn is an option, so it needs its own field
    ALL: ALL: spawn (echo -n "Allow %d from %c at " ; date)
    buck, Oct 12, 2014
  8. Richard Kettlewell

    Richard Kettlewell Guest

    How many programs use tcpd to control outbound connections?
    Richard Kettlewell, Oct 12, 2014
  9. Chris Cox

    Chris Cox Guest

    You should be able to do this sort of thing to some extent using AppArmor.
    Especially if you're an openSUSE fan.
    Chris Cox, Oct 12, 2014
