Florent Daignière's blog

Posted 26 Jul, 2015

Application firewalling with netfilter (part 2)

Last time we looked into how to do application firewalling with netfilter and came up with an answer whose dependencies aren't shipped by mainstream distributions just yet. Today we will find another way of doing the same thing with the tools everyone has.

# install dependencies
sudo apt-get install sudo

# create a user called 'internet'
sudo adduser internet

# setup the firewall: drop everything by default, then only let the
# 'internet' user open new connections to HTTP, HTTPS and DNS
# (REJECT is not a valid chain policy; only ACCEPT and DROP are)
sudo iptables -F OUTPUT
sudo iptables -P OUTPUT DROP
sudo iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 80 --syn -m owner --uid-owner internet -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 443 --syn -m owner --uid-owner internet -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 53 --syn -m owner --uid-owner internet -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 53 -m owner --uid-owner internet -j ACCEPT

# let our own account run iceweasel as 'internet' without a password, keeping
# the X11 environment (the file must be written as root, so tee rather than
# a shell redirection, which would run as our own user and fail)
sudo tee /etc/sudoers.d/internet > /dev/null <<EOT
Defaults env_keep+="XAUTHORITY DISPLAY"
$LOGNAME ALL=(internet) NOPASSWD: /usr/bin/iceweasel
EOT
sudo chmod 0440 /etc/sudoers.d/internet

# give access to our MIT-MAGIC-COOKIE to everyone locally (bad idea! man xauth to understand why)
chmod a+rx "$HOME"
chmod a+r "$XAUTHORITY"

# run firefox
sudo -u internet /usr/bin/iceweasel

That works... but is far from perfect. More details on why to follow in my next post.
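A check worth keeping next to the setup above, added here as an example and not part of the original post: a small script that audits an `iptables -S OUTPUT` listing and fails if the policy is not DROP or if any ACCEPT rule lets new connections out without being tied to the 'internet' user. The function name `audit_output_chain`, the uid 1001 and the listings are all assumptions constructed for the example; `iptables -S` prints the numeric uid, so pass the value of `id -u internet` on a real box.

```shell
#!/bin/sh
# Added example (not from the original post): audit an `iptables -S OUTPUT`
# listing against the intent of the rules above. Reads the listing on stdin
# so it runs offline and without root; $1 is the 'internet' user's uid as
# the listing prints it (numeric, see `id -u internet`).
audit_output_chain() {
    uid="$1"
    status=0
    policy_ok=0
    while IFS= read -r rule; do
        case "$rule" in
            "-P OUTPUT DROP") policy_ok=1 ;;
            "-P OUTPUT "*) echo "bad policy: $rule"; status=1 ;;  # REJECT is invalid, ACCEPT defeats the point
            *"-j ACCEPT"*)
                case "$rule" in
                    # replies to already-open connections are fine (either match module or order)
                    *"--state RELATED,ESTABLISHED"*|*"--state ESTABLISHED,RELATED"*) ;;
                    *"--ctstate RELATED,ESTABLISHED"*|*"--ctstate ESTABLISHED,RELATED"*) ;;
                    # anything else that ACCEPTs must be restricted to the sandbox user
                    *"-m owner --uid-owner $uid "*) ;;
                    *) echo "leak: $rule"; status=1 ;;
                esac ;;
        esac
    done
    [ "$policy_ok" = 1 ] || { echo "policy is not DROP"; status=1; }
    return "$status"
}

# Constructed listing matching the setup above (uid 1001 assumed for 'internet');
# -S expands --syn into an explicit --tcp-flags match.
RULES_OK='-P OUTPUT DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 --tcp-flags FIN,SYN,RST,ACK SYN -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m owner --uid-owner 1001 -j ACCEPT'

# Constructed: the same listing after someone "fixed" a failing download by
# opening 443 for every user, which silently removes the whole point of the setup.
RULES_LEAKY="$RULES_OK
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT"

printf '%s\n' "$RULES_OK" | audit_output_chain 1001 && echo "ok: only 'internet' can open connections"
printf '%s\n' "$RULES_LEAKY" | audit_output_chain 1001 || echo "leak found, fix the ruleset"
```

On a live system run `sudo iptables -S OUTPUT | audit_output_chain "$(id -u internet)"` after every change to the rules.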

Category: Blog
Tags: sysadmin blog
