Want to block a local user to access a specific port or a specific ip ?
[root@test tmp]# id test
uid=503(test) gid=503(test) groups=503(test)
[root@test tmp]#
(look at uid= and gid=)
How to block a local user to access any outside ports ?
iptables -t filter -A OUTPUT -p tcp --dport 6667 --match owner --uid-owner 503 -j DROP(you may need to change tcp to udp or icmp and --uid-owner to other uid)
How to block a local group to access any outside ports ?
(lets find group 'users' gid by doing grep -i users /etc/group)
iptables -t filter -A OUTPUT -p tcp --match owner --gid-owner 100 -j DROP
For blocking just specific ports just add --dport port or --sport port after -p protocol
iptables -t filter -A OUTPUT -p tcp --dport 6667 --match owner --uid-owner 503 -j DROP
iptables -t filter -A OUTPUT -p tcp --dport 6667 --match owner --gid-owner 100 -j DROP
How to block a specific range of ports ?
iptables -t filter -A OUTPUT -p tcp --dport 1:1024 --match owner --uid-owner 503 -j DROP
(you may need to change the range 1:1024 (all ports from 1 to 1024) and the uid)
How to block a specific ip destination or source or a specific class (a 256 ips class) on all protocols and ports or to specific port(s)?
destination :
iptables -t filter -A OUTPUT -d 199.9.9.9 --match owner --uid-owner 503 -j DROP
source :
iptables -t filter -A OUTPUT -s 199.9.9.9 --match owner --uid-owner 503 -j DROP
full class :
iptables -t filter -A OUTPUT -d 199.9.9.0/24 --match owner --uid-owner 503 -j DROP
iptables -t filter -A OUTPUT -s 199.9.9.0/24 --match owner --uid-owner 503 -j DROP
specific destination or source specific ports or range :
iptables -t filter -A OUTPUT -d 199.9.9.0/24 --dport 6667 --match owner --uid-owner 503 -j DROP
iptables -t filter -A OUTPUT -d 199.9.9.0/24 --dport 1:1024 --match owner --uid-owner 503 -j DROP
(you many need to change tcp to udp or icmp and --gid-owner to other gid)
阅读(1899) | 评论(0) | 转发(0) |
