Restrict network access for specific user

Hello,

I would like to restrict network access for a specific user. I am used to configuring iptables (Ubuntu), so please excuse this simple question.

How can I restrict all network access for a specific user?

First, I set the iptables rule: iptables -A OUTPUT -m owner --uid-owner 1002 -j REJECT
This blocks all network access for this user. Then I installed iptables-services and saved my iptables rules with iptables-save > /etc/sysconfig/iptables and ip6tables-save > /etc/sysconfig/ip6tables

However, after restart, the rules do not get applied automatically. I then read that Fedora is using firewalld.

Is there a simple way to block this user with firewalld, or do I need to rely on iptables (and therefore do something else to make it apply my rules automatically)?

FW_UID="$(id -u test)"
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter \
    OUTPUT 0 ! -o lo -m owner --uid-owner ${FW_UID} -j REJECT
sudo firewall-cmd --permanent --direct --add-rule ipv6 filter \
    OUTPUT 0 ! -o lo -m owner --uid-owner ${FW_UID} -j REJECT
sudo firewall-cmd --reload

firewall-cmd: firewalld command line client | firewalld Commands | Man Pages | ManKier
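
Added example, not part of the thread: a check that the permanent direct rules from the answer above are stored for both IPv4 and IPv6 for the intended UID, which is what the original question about rules surviving a restart depends on. The function name `check_uid_block`, the sample rule lines, and the assumed one-rule-per-line layout (`family table chain priority args...`) of `firewall-cmd --permanent --direct --get-all-rules` are constructed for illustration.

```shell
#!/bin/sh
# check_uid_block UID
# Reads direct-rule lines on stdin and returns 0 only if BOTH ipv4 and ipv6
# have a filter/OUTPUT rule that matches --uid-owner UID and jumps to
# REJECT or DROP. Prints "missing: <family>" for each family without one.
check_uid_block() {
    awk -v uid="$1" '
        $2 == "filter" && $3 == "OUTPUT" {
            owner = 0; deny = 0
            for (i = 5; i <= NF; i++) {
                # Whole-field comparison: uid 1002 must not match 10020.
                if ($i == "--uid-owner" && $(i + 1) == uid) owner = 1
                if ($i == "-j" && ($(i + 1) == "REJECT" || $(i + 1) == "DROP")) deny = 1
            }
            if (owner && deny) seen[$1] = 1
        }
        END {
            missing = 0
            if (!("ipv4" in seen)) { print "missing: ipv4"; missing = 1 }
            if (!("ipv6" in seen)) { print "missing: ipv6"; missing = 1 }
            exit missing
        }'
}

# Constructed sample input (assumed output layout, not captured from a host).
SAMPLE_OK="ipv4 filter OUTPUT 0 '!' -o lo -m owner --uid-owner 1002 -j REJECT
ipv6 filter OUTPUT 0 '!' -o lo -m owner --uid-owner 1002 -j REJECT"

# Constructed failure case: the IPv6 rule targets a different UID (10020),
# so the user with UID 1002 could still reach the network over IPv6.
SAMPLE_V4_ONLY="ipv4 filter OUTPUT 0 '!' -o lo -m owner --uid-owner 1002 -j REJECT
ipv6 filter OUTPUT 0 '!' -o lo -m owner --uid-owner 10020 -j REJECT"

printf '%s\n' "$SAMPLE_OK" | check_uid_block 1002 \
    && echo "uid 1002: blocked on ipv4 and ipv6"
printf '%s\n' "$SAMPLE_V4_ONLY" | check_uid_block 1002 \
    || echo "uid 1002: rule set incomplete"

# On a live system (as root), using the user name from the answer above:
#   firewall-cmd --permanent --direct --get-all-rules | check_uid_block "$(id -u test)"
```

Dropping `--permanent` from the live command checks the running configuration instead of the stored one.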

Thank you very much! Exactly what I was looking for.

Does that only work if the firewalld backend is iptables?
Isn’t the default nftables?

This also works for the nftables backend which is used by default.