Chinaunix首页 | 论坛 | 博客
  • 博客访问: 1193014
  • 博文数量: 176
  • 博客积分: 3044
  • 博客等级: 中校
  • 技术积分: 2407
  • 用 户 组: 普通用户
  • 注册时间: 2006-03-25 15:04
文章分类

全部博文(176)

文章存档

2019年(5)

2018年(13)

2017年(6)

2016年(10)

2015年(11)

2014年(11)

2013年(13)

2012年(23)

2011年(25)

2010年(2)

2008年(1)

2007年(5)

2006年(51)

分类: 系统运维

2014-11-11 13:55:32

Want to block a local user to access a specific port or a specific ip ? 




[root@test tmp]# id test
uid=503(test) gid=503(test) groups=503(test) 
[root@test tmp]#
(look at uid= and gid=)


How to block a local user to access any outside ports ? 
iptables -t filter -A OUTPUT -p tcp --dport 6667 --match owner --uid-owner 503 -j DROP(you may need to change tcp to udp or icmp and --uid-owner to other uid)


How to block a local group to access any outside ports ?
(lets find group 'users' gid by doing grep -i users /etc/group)
iptables -t filter -A OUTPUT -p tcp --match owner --gid-owner 100 -j DROP


For blocking just specific ports just add --dport port or --sport port after -p protocol


iptables -t filter -A OUTPUT -p tcp --dport 6667 --match owner --uid-owner 503 -j DROP


iptables -t filter -A OUTPUT -p tcp --dport 6667 --match owner --gid-owner 100 -j DROP


How to block a specific range of ports ? 


iptables -t filter -A OUTPUT -p tcp --dport 1:1024 --match owner --uid-owner 503 -j DROP
(you may need to change the range 1:1024 (all ports from 1 to 1024) and the uid)


How to block a specific ip destination or source or a specific class (a 256 ips class) on all protocols and ports or to specific port(s)? 


destination :
iptables -t filter -A OUTPUT -d 199.9.9.9 --match owner --uid-owner 503 -j DROP


source : 
iptables -t filter -A OUTPUT -s 199.9.9.9 --match owner --uid-owner 503 -j DROP


full class : 
iptables -t filter -A OUTPUT -d 199.9.9.0/24 --match owner --uid-owner 503 -j DROP
iptables -t filter -A OUTPUT -s 199.9.9.0/24 --match owner --uid-owner 503 -j DROP


specific destination or source specific ports or range : 
iptables -t filter -A OUTPUT -d 199.9.9.0/24 --dport 6667 --match owner --uid-owner 503 -j DROP
iptables -t filter -A OUTPUT -d 199.9.9.0/24 --dport 1:1024 --match owner --uid-owner 503 -j DROP
(you many need to change tcp to udp or icmp and --gid-owner to other gid)


阅读(1290) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~