Howto:User Level Firewalling

TODO
Comment : firewalling at socket owner level


OpenBSD Packet Filter (pf, here on FreeBSD)

pf's user and group keywords match the uid/gid owning the local socket, so the user to be restricted is placed in a dedicated group. The group match is made against the socket's effective gid, i.e. the user's primary (login) group, not a supplementary one, which is why the primary group is changed here:

pw groupadd netuser
pw usermod david -g netuser -G david,wheel   # change the PRIMARY group (the gid pf sees on the socket); david and wheel stay supplementary

File: /etc/pf.conf

me="188.40.66.189"
 
# David Services
http_allowed_david="{X.X.X.X, Y.Y.Y.Y}"
mysql_allowed_david="{W.W.W.W}"
voip_allowed_david="{Z.Z.Z.Z}"
 
# Global services
svn="{X.X.X.X}"
dns="{X.X.X.X, 8.8.4.4, 8.8.8.8}"
 
# Inbound traffic is not filtered
pass in quick
pass out quick proto tcp from any to any port ssh
 
# Group netuser (shared by every member). The block below is deliberately NOT quick:
# pf is last-match-wins unless a rule says quick, so a later per-user "pass out quick"
# can still override this group-level block.
pass out quick proto udp from $me to $dns port domain group netuser
pass out quick proto tcp from $me to $svn port https group netuser
# Caveat: pf only associates TCP and UDP packets with a user or group (see pf.conf(5)),
# so the group qualifier on this ICMP rule gives no per-group restriction of ping.
pass out quick proto icmp from $me to any icmp-type echoreq group netuser
block out group netuser
 
# Per-user rules for david (pass quick here overrides the group block above)
pass out quick proto tcp from $me to $http_allowed_david port http user david
pass out quick proto tcp from $me to $mysql_allowed_david port 3306 user david
pass out quick proto udp from $me to $voip_allowed_david port 4569 user david
block out user david

Demonstration

Logged in as david, a destination outside the allowed list fails at once (pf reports the blocked outbound packet to the local socket as EPERM, hence "Operation not permitted"), while an allowed host answers:

[david@lab] $  curl -I http://www.google.fr
curl: (7) Failed to connect to 209.85.135.99: Operation not permitted
 
[david@lab] $  curl -I X.X.X.X
HTTP/1.1 302 Found

Linux Netfilter (with iptables)

Same group layout as for pf: netuser becomes david's primary group, because the owner match (xt_owner) compares --gid-owner against the gid of the process that owns the socket, and only recent iptables releases can also consult supplementary groups (--suppl-groups).

addgroup netuser                     # Debian/Ubuntu; groupadd netuser on other distributions
usermod -g netuser -G david david    # primary group netuser, keep david as supplementary group

Kernel configuration

kernel menuconfig

  • Networking support
    • Networking options
      • Network packet filtering framework (Netfilter)
        • Core Netfilter Configuration
          • "owner" match support (CONFIG_NETFILTER_XT_MATCH_OWNER, module xt_owner)

Distribution kernels normally ship it as a module; check with grep CONFIG_NETFILTER_XT_MATCH_OWNER /boot/config-$(uname -r), or simply run modprobe xt_owner before loading the rules.

iptables

File: iptables.sh

#!/bin/sh
# -m owner is only valid in the OUTPUT (and POSTROUTING) chains, on locally generated packets.
# iptables is first-match: the ACCEPT rules must come before the REJECT rules.
DNS="X.X.X.X"
HTTP="Y.Y.Y.Y"
 
# Global (every member of netuser)
iptables -A OUTPUT -p udp --dport domain -d "$DNS" -m owner --gid-owner netuser -j ACCEPT
 
# Per-user : david
iptables -A OUTPUT -p tcp --dport http -d "$HTTP" -m owner --uid-owner david -j ACCEPT
 
# Reject everything else for the group and for the user, and tell the application at once
# (tcp-reset for TCP, icmp-port-unreachable for the rest) instead of letting it time out
iptables -A OUTPUT -p tcp -m owner --gid-owner netuser -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -m owner --gid-owner netuser -j REJECT --reject-with icmp-port-unreachable
iptables -A OUTPUT -p tcp -m owner --uid-owner david -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -m owner --uid-owner david -j REJECT --reject-with icmp-port-unreachable
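The pf and iptables rulesets above express the same per-user egress policy in two engines with opposite matching semantics (pf: last match wins unless quick; iptables: first match wins). The following shell script is an added example, not part of the original page: it renders one policy table as both a pf.conf fragment and an iptables-restore file, so the two orderings can be compared side by side. The host address ME, the POLICY table, the function names and the 192.0.2.x / 198.51.100.x addresses (RFC 5737 documentation ranges, standing in for the page's X.X.X.X placeholders) are all constructed for the example; the pf fragment covers only the per-subject rules and assumes the surrounding pass in / ssh rules from the page.

```shell
#!/bin/sh
# Added example (not from the original wiki page): render one egress policy
# table as a pf.conf fragment and as an iptables-restore file.
# Addresses and the policy table are constructed placeholders (RFC 5737 ranges).

ME="192.0.2.1"    # assumed address of the firewall host itself (pf's $me)

# One line per allowed flow:  <group|user> <name> <proto> <dport> <destination>
POLICY='
group netuser udp 53   192.0.2.53
user  david   tcp 80   198.51.100.10
user  david   tcp 3306 198.51.100.20
'

# Non-empty policy lines, in order.
policy_lines() {
    printf '%s\n' "$POLICY" | awk 'NF'
}

# Distinct subjects ("group netuser", "user david"), in order of first appearance.
subjects() {
    policy_lines | awk '{ print $1, $2 }' | awk '!seen[$0]++'
}

# pf: one "pass out quick" per allowed flow, then a plain "block out" per subject.
# pf is last-match-wins unless a rule is quick, so the block must NOT be quick:
# a per-user "pass out quick" placed after the group block still overrides it.
render_pf() {
    policy_lines | while read -r kind name proto port dest; do
        printf 'pass out quick proto %s from %s to %s port %s %s %s\n' \
            "$proto" "$ME" "$dest" "$port" "$kind" "$name"
    done
    subjects | while read -r kind name; do
        printf 'block out %s %s\n' "$kind" "$name"
    done
}

# Map a pf subject kind to the xt_owner option with the same meaning.
owner_flag() {
    case "$1" in
        group) printf '%s' '--gid-owner' ;;
        user)  printf '%s' '--uid-owner' ;;
        *)     printf 'unknown subject kind: %s\n' "$1" >&2; return 1 ;;
    esac
}

# iptables: first-match, so every ACCEPT comes before the REJECT tail, and the
# tail rejects with tcp-reset / icmp-port-unreachable so clients fail fast.
render_iptables() {
    echo '*filter'
    policy_lines | while read -r kind name proto port dest; do
        flag=$(owner_flag "$kind") || return 1
        printf '%s\n' "-A OUTPUT -p $proto --dport $port -d $dest -m owner $flag $name -j ACCEPT"
    done
    subjects | while read -r kind name; do
        flag=$(owner_flag "$kind") || return 1
        printf '%s\n' "-A OUTPUT -p tcp -m owner $flag $name -j REJECT --reject-with tcp-reset"
        printf '%s\n' "-A OUTPUT -m owner $flag $name -j REJECT --reject-with icmp-port-unreachable"
    done
    echo 'COMMIT'
}

# Usage:  sh userfw.sh pf       >> /etc/pf.conf      (then: pfctl -nf /etc/pf.conf to syntax-check)
#         sh userfw.sh iptables | iptables-restore -n (-n / --noflush keeps the other chains)
case "${1:-}" in
    pf)       render_pf ;;
    iptables) render_iptables ;;
esac
```

Loading the iptables output with iptables-restore applies the whole ruleset in one step, which avoids the window during a line-by-line iptables.sh run in which the ACCEPT rules are already in place but the REJECT tail is not.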

Demonstration

As david: the REJECT rules answer with a TCP RST or an ICMP port unreachable, so TCP clients fail at once instead of hanging; the last query below, sent to a resolver that is not on the allowed list, shows that a UDP client may still only see a timeout.

  • HTTP
david@linux_lab:~$ curl -I http://www.google.fr
curl: (7) couldn't connect to host
 
david@linux_lab:~$ curl -I Y.Y.Y.Y
HTTP/1.1 302 Found
  • DNS
host www.google.fr 188.40.66.134
Using domain server:
Name: 188.40.66.134
Address: 188.40.66.134#53
Aliases: 
www.google.fr is an alias for www.google.com.
 
host www.google.fr 8.8.4.4
[TIMEOUT]