
Put a Program to Network Limbo

Sometimes you need to prevent network usage for a particular program while preserving full functionality for all others. Here’s one quick and dirty way to achieve this. These instructions work with Linux and iptables.

Become root.

Create the user “nonetwork” (or whatever you want to call it).

adduser --no-create-home --disabled-login nonetwork

Don’t forget to change the password:

passwd nonetwork

In case you forgot the user’s UID (you need it next):

grep nonetwork /etc/passwd

The output will look like:

nonetwork:x:1234:1234:,,,,No network.:/home/nonetwork:/bin/bash

The UID here is 1234.

Set up the iptables rules (replace the --uid-owner parameter with the UID) to first log the attempt, then reject the packets:

iptables -A OUTPUT -t filter -m owner --uid-owner 1234 -j LOG
iptables -A OUTPUT -t filter -m owner --uid-owner 1234 -j REJECT

Leave the first line (with -j LOG) out if you don’t want logging.

Run the program “someprogram”, which will then be unable to access the network, as the “nonetwork” user:

su nonetwork -c ./someprogram

It might be easier to become the user first, like this:

su nonetwork
./someprogram

Do make sure the program does not have the SUID bit set… :)

Note: you can view the log with, e.g.:

dmesg

The instructions above prevent all traffic, including DNS resolution, pings etc. What if you want to allow DNS resolution and other traffic (such as ICMP), but block all remaining outgoing TCP and UDP attempts, and log all of them?

Note: for more detailed packet contents you must use a sniffer, e.g. tcpdump.

Note: below, localhost is also allowed explicitly. This could, of course, open a hole if the network-deprived program connects to a proxy program running on localhost and instructs the proxy to connect on its behalf.

Here are the iptables commands for a more refined version:

# log all
iptables -A OUTPUT -t filter -m owner --uid-owner 1234 -j LOG --log-prefix "Nonetwork:"
# enable DNS queries with UDP
iptables -A OUTPUT -t filter -m owner --uid-owner 1234 -p udp --dport 53 -j ACCEPT
# allow TCP + UDP from localhost to localhost
iptables -A OUTPUT -t filter -m owner --uid-owner 1234 -p tcp -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -t filter -m owner --uid-owner 1234 -p udp -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# prevent TCP
iptables -A OUTPUT -t filter -m owner --uid-owner 1234 -p tcp -j REJECT
# prevent other UDP than DNS
iptables -A OUTPUT -t filter -m owner --uid-owner 1234 -p udp -j REJECT
# allow the rest
iptables -A OUTPUT -t filter -m owner --uid-owner 1234 -j ACCEPT
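To see what the network-deprived program actually tried to reach, the kernel LOG lines can be summarised per destination. The POSIX shell script below is an added example, not part of the original post; it assumes the --log-prefix "Nonetwork:" rule above and uses constructed sample lines in the kernel LOG format (in practice, read them with dmesg).

```shell
#!/bin/sh
# Summarise kernel LOG lines written by the "Nonetwork:" rule.
# Reads log lines on stdin, prints "PROTO DST DPT COUNT" per distinct
# protocol/destination/port so you can see what the program attempted.
summarize_nonetwork_log() {
    grep 'Nonetwork:' | awk '
    {
        proto = ""; dst = ""; dpt = "-"
        # Every field of a LOG line is KEY=VALUE; pick the ones we need.
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]   # absent for ICMP
        }
        if (proto != "" && dst != "") count[proto " " dst " " dpt]++
    }
    END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# Constructed sample log lines (not real captures): two blocked HTTPS
# attempts, one DNS query, one ping, and an unrelated kernel message.
SAMPLE_LOG='[ 101.5] Nonetwork:IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=44321 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
[ 101.6] Nonetwork:IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=44322 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
[ 102.0] Nonetwork:IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=51000 DPT=53 LEN=44
[ 103.0] Nonetwork:IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
[ 104.0] unrelated kernel message'

# Demo run on the constructed sample; on a real system use:
#   dmesg | summarize_nonetwork_log
printf '%s\n' "$SAMPLE_LOG" | summarize_nonetwork_log
```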

Have fun and good luck!

PS. If you find some programs segfaulting, you might need to create an empty /home/nonetwork directory.
