iptables --gid-owner only works for the primary user group

I am trying to disable access to IP 1.2.3.4 for all users except members of the "neta" group. This is a new group that I created just for that.

iptables -I OUTPUT -o eth0 -p tcp -d 1.2.3.4 -m owner ! --gid-owner neta -j REJECT 

This disables access to 1.2.3.4 for all users, even if they are members of the "neta" group.

I have a user xx who is a member of the groups xx (primary group) and neta. If I change the rule to:

 iptables -I OUTPUT -o eth0 -p tcp -d 1.2.3.4 -m owner \! --gid-owner xx -j REJECT 

every user except xx is unable to access 1.2.3.4.

I added root to this xx group:

 usermod -a -G xx root 

but root was still unable to access this IP address. If I add the user's primary group (root, xx) to the rule, everything works as expected.

I tried splitting it into separate rules to be sure (and logging the rejects):

 iptables -A OUTPUT -o eth0 -p tcp -d 1.2.3.4 -m owner --gid-owner neta -j ACCEPT
 iptables -A OUTPUT -o eth0 -p tcp -d 1.2.3.4 -m limit --limit 2/s --limit-burst 10 -j LOG
 iptables -A OUTPUT -o eth0 -p tcp -d 1.2.3.4 -j REJECT

but there is no difference. Everything is rejected.

There are no other iptables rules.

 root@vm1:~# iptables -nvL
 Chain INPUT (policy ACCEPT 19 packets, 1420 bytes)
  pkts bytes target     prot opt in     out     source               destination

 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination

 Chain OUTPUT (policy ACCEPT 10 packets, 1720 bytes)
  pkts bytes target     prot opt in     out     source               destination
     0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            1.2.3.4              owner GID match 1001
     0     0 LOG        tcp  --  *      eth0    0.0.0.0/0            1.2.3.4              limit: avg 2/sec burst 10 LOG flags 0 level 4
     0     0 REJECT     tcp  --  *      eth0    0.0.0.0/0            1.2.3.4              reject-with icmp-port-unreachable

I want to allow access to this IP by adding/removing users from the "neta" group instead of adding an iptables rule for each user.

2 answers

Well, to be honest, I know too little about Linux and iptables to be sure of my theory, but since I wanted to do the same thing for a VPN, here we go.

I assume that the match is made using the process from which the packets originate, and that a Linux process does not get all of the user's groups, but instead runs with one uid and one gid.

This means that you must execute the command explicitly under this particular group, otherwise the command/process runs with the user's default group.

Having written this, I wondered whether there was a way to do that. I had restricted access to a specific IP range using a "vpn" group. It never worked. Now I have tested the following command, and it works:

 sg vpn -c "ssh user@10.15.1.1"

So, I hope my theory is correct.


Old post, but I am adding to it since I ran into this exact issue on an Ubuntu 16.04.3 LTS server.

Ubuntu's implementation of the iptables owner extension via netfilter checks the owner of the current network packet and looks up only the primary group ID of that user. It does not dig deeper and retrieve all of the group memberships. Only the primary group is compared with the value of --gid-owner. It looks no further.

What the OP tried to accomplish will work if he/she changes the primary/default group of all the users concerned to "neta". Those users will then be caught by this rule.

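Both answers come down to the same kernel detail, so here is an added example (not code from the question or from either answer) that makes it checkable without touching iptables. The owner match (xt_owner) compares --gid-owner with the filesystem gid held in the credentials of the process that owns the socket. On a live system that value is the fourth number on the "Gid:" line of /proc/<pid>/status, while the supplementary groups on the "Groups:" line are not consulted. The helpers below read such a status file; the sample status file, the ids (xx = 1000, neta = 1001) and the command name are constructed for the demonstration. The second matcher models what the question expected, which is also what the --suppl-groups option added to the owner match in later releases (iptables 1.8.4 with Linux 5.4) does; the Ubuntu 16.04 system in the second answer predates it.

```shell
#!/bin/sh
# Added example, not code from the original post or either answer.
# xt_owner compares --gid-owner with the fs gid of the socket owner's
# credentials. In /proc/<pid>/status that is the fourth number on the
# "Gid:" line; the "Groups:" line (supplementary groups) is never read.

# fs gid from a status file: "Gid: <real> <effective> <saved> <fs>"
fs_gid() {
    awk '$1 == "Gid:" { print $5 }' "$1"
}

# supplementary groups from the "Groups:" line, space separated (may be empty)
suppl_gids() {
    awk '$1 == "Groups:" { $1 = ""; sub(/^[ \t]+/, ""); print }' "$1"
}

# What "-m owner --gid-owner <gid>" decides for a packet from this process:
# a match only when <gid> equals the fs gid.
gid_owner_matches() {            # gid_owner_matches <gid> <status-file>
    [ "$(fs_gid "$2")" = "$1" ]
}

# What the question expected, and what the later --suppl-groups option
# (iptables 1.8.4 / Linux 5.4) adds: also search the supplementary list.
gid_owner_matches_suppl() {      # gid_owner_matches_suppl <gid> <status-file>
    gid_owner_matches "$1" "$2" && return 0
    for g in $(suppl_gids "$2"); do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Constructed sample (assumed ids): user xx, uid 1000, primary group
# xx = 1000, supplementary member of neta = 1001, running curl. A real
# status file is tab separated and has many more lines; only these matter.
SAMPLE_STATUS="${TMPDIR:-/tmp}/owner_match_demo.$$"
trap 'rm -f "$SAMPLE_STATUS"' EXIT
cat > "$SAMPLE_STATUS" <<'EOF'
Name:   curl
Uid:    1000    1000    1000    1000
Gid:    1000    1000    1000    1000
Groups: 1000 1001
EOF

# On a live system, point the helpers at the shell itself:
#   fs_gid /proc/self/status; suppl_gids /proc/self/status
# and compare with a child started through sg, whose fs gid is neta's:
#   sg neta -c 'id -g'
```

Run against the sample, gid_owner_matches 1001 fails while gid_owner_matches_suppl 1001 succeeds, which is exactly the gap the question describes: the ACCEPT rule for gid 1001 never fires for xx's packets because the packets carry fs gid 1000. Starting the client with sg neta (first answer) or making neta the primary group in /etc/passwd (second answer) both change the fs gid the kernel stores in the process credentials, so the rule then matches.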
