# Firewall - Blocking applications [Solved]

## sunilgeo

How can I, or is it even possible to block some applications from using the network like the way it can be done in Windows? What I want to do is not block certain ports, but block certain applications from accessing any ports.

Last edited by sunilgeo on Fri Nov 04, 2005 1:06 pm; edited 1 time in total

----------

## Kanniball

Well, I'm almost sure you can't do it :S

but I'm not an iptables guru

Try firestarter and see what you can do with it!

----------

## MrUlterior

 *sunilgeo wrote:*   

> How can I, or is it even possible to block some applications from using the network like the way it can be done in Windows? What I want to do is not block certain ports, but block certain applications from accessing any ports.

 

Ignore Kanniball; it is quite possible. IMO there are (at least) two distinct methods, and no, FireStarter will not help with this scenario.

The first & easiest option is to block by the UID owning a process. Thus even on a desktop you could login as user A and "run as" applications as user B, who is permitted to send packets in/out. This way you ensure nothing nasty installed on your account is capable of sending packets anywhere. I would go this route.

The second method is you get each app to write its PID and block by PID (more on this later .. )

For both of these you'll need the "owner" target built into your kernel and modprobe'd.

I'd try something like:

```
for OWNER in sshd httpd UserB; do
    /sbin/iptables --append OUTPUT -m owner \
                        --cmd-owner "${OWNER}" --jump ACCEPT
done
# maybe put a log target here, but I've nfi how you'd log the blocked
# apps pid/uid to make it meaningful, there's got to be a way ...
/sbin/iptables --append OUTPUT --jump DROP
```

You'll want to see the docs for the owner target; using --pid-owner it's quite easy to do the same thing via application PIDs. The only hassle there is that you'd have to have configured all your apps (either internally or with a wrapper shell script) to write their PID somewhere. Then you could use FAM or anything capable of receiving kernel notifications when the contents of the directory changed in order to reparse the directory through your iptables rules-set. Actually that's quite an interesting idea, I'm going to give it a try over the weekend ...

Here's the low down on the owner target .. 

 *Quote:*   

> owner
> 
> This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even then some packets (such as ICMP ping responses) may have no owner, and hence never match.
> ...

 

----------

## MrUlterior

Sweet ... use the output of the following command with --cmd-owner; that'll allow you to monitor running programs or specify a list of allowed commands like in Windows ..

```
# ls -al /proc/[0-9]*/exe 2>/dev/null | sed -e 's@.*/@@' | sort | uniq | grep -v 'exe'
bash
grep
ls
netserver
sed
sort
uniq
httpd
proftpd
mysqld
```

Strange that I never noticed the --cmd-owner before ...

----------

## Kanniball

Well, thanks a lot MrUlterior!

I thought it was not possible... I will test it ASAP too

----------

## toralf

 *MrUlterior wrote:*   

> ```
> ... sort | uniq ...
> ...

 

What about

```
sort -u
```

?

----------

## MrUlterior

 *toralf wrote:*   

> What about
> 
> ```
> ...

 

Yea, true. I use other unices at work that don't necessarily have GNU sort -- so no -u option; I guess that's where the habit of typing it long hand comes from.

----------

## sunilgeo

 *MrUlterior wrote:*   

>  *sunilgeo wrote:*   How can I, or is it even possible to block some applications from using the network like the way it can be done in Windows? What I want to do is not block certain ports, but block certain applications from accessing any ports. 
> 
> Ignore Kanniball, it is quite possible, IMO there are (at least) two distinct methods and no FireStarter will not help with this scenario.
> 
> The first & easiest option is to block by the UID owning a process. Thus even on a desktop you could login as user A and "run as" applications as user B, who is permitted to send packets in/out. This way you ensure nothing nasty installed on your account is capable of sending packets anywhere. I would go this route.
> ...

 

Thanks MrUlterior, I went with your first suggestion. I set iptables to allow/block traffic based on UID.
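An added example (not code from any poster in this thread) of the UID-whitelist approach sunilgeo went with: a POSIX shell script that prints an iptables-restore ruleset in which only whitelisted users or UIDs may send, while everything else is logged with its owning UID via the LOG target's --log-uid option (which addresses the logging question in MrUlterior's script) and then dropped. The script name, the user names and the iptables-restore invocation in the comments are assumptions, as is the observation that --uid-owner, not --cmd-owner, is the match that still exists on current kernels.

```shell
#!/bin/sh
# Added example, not from the thread: build an OUTPUT-chain policy that only
# lets packets owned by whitelisted users/UIDs leave the box, logs the UID of
# anything else, and drops it.  Only --uid-owner is used: the --cmd-owner,
# --pid-owner and --sid-owner matches were removed from the kernel in 2.6.14,
# which is why they fail with "Invalid argument" on newer kernels.
# Output is iptables-restore format so the rules can be reviewed first.

# gen_output_policy USER_OR_UID... : print the filter-table rules to stdout.
gen_output_policy() {
    printf '%s\n' '*filter'
    # Loopback traffic stays open whoever owns it.
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    # One ACCEPT per whitelisted owner; user names or numeric UIDs both work.
    for owner in "$@"; do
        printf '%s\n' "-A OUTPUT -m owner --uid-owner $owner -j ACCEPT"
    done
    # Everything else is logged (rate-limited, with the owning UID) and dropped.
    # Kernel-generated packets with no owner (e.g. ICMP echo replies) also end
    # up here, as the owner module's own caveat quoted above warns.
    printf '%s\n' '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DENY " --log-uid'
    printf '%s\n' '-A OUTPUT -j DROP'
    printf '%s\n' 'COMMIT'
}

# count_owner_rules USER_OR_UID... : number of per-owner ACCEPT rules emitted.
count_owner_rules() {
    gen_output_policy "$@" | grep -c -- '--uid-owner'
}

# Stand-alone use (assumed workflow, "allow-by-uid.sh" is a hypothetical name):
#   sh allow-by-uid.sh sshd netapp            # review the rules
#   sh allow-by-uid.sh sshd netapp | iptables-restore -n   # load, no flush
if [ "$#" -gt 0 ]; then
    gen_output_policy "$@"
fi
```

Dropped packets then show up in the kernel log with the prefix and a UID= field, which is what makes the drop attributable to a particular account.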

----------

## Sheepdogj15

 *MrUlterior wrote:*   

>  *sunilgeo wrote:*   How can I, or is it even possible to block some applications from using the network like the way it can be done in Windows? What I want to do is not block certain ports, but block certain applications from accessing any ports. 
> 
> Ignore Kanniball, it is quite possible, IMO there are (at least) two distinct methods and no FireStarter will not help with this scenario.
> 
> The first & easiest option is to block by the UID owning a process. Thus even on a desktop you could login as user A and "run as" applications as user B, who is permitted to send packets in/out. This way you ensure nothing nasty installed on your account is capable of sending packets anywhere. I would go this route.
> ...

 

ooh ooh OOH! this looks very handy. I wonder why no one's made a script or application that does something like this.

----------

## dundas

thx MrUlterior and sheepdogj15

I'm not sure about the "owner" target, do u mean the "Owner match support" in my kernel? I did have that, but still I'm not able to run that script like so,

```
for OWNER in sshd; do
    /sbin/iptables --append OUTPUT -m owner \
                        --cmd-owner "${OWNER}" --jump ACCEPT
done
# maybe put a log target here, but I've nfi how you'd log the blocked
# apps pid/uid to make it meaningful, there's got to be a way ...
/sbin/iptables --append OUTPUT --jump DROP
```

it says:

```
# ./iptables-app.sh
iptables: Invalid argument
```

I tried to modify, delete and replace the user names within the script but still same....

[EDIT]

so finally I just tried sshd, while I have sshd running and a client logging in, but still.....sorry I'm new to shell script...

any comments are welcome. thank you!

----------

## MrUlterior

 *dundas wrote:*   

> ```
> # ./iptables-app.sh
> ...

 

What version of iptables (the binaries, not the kernel netfilter portions) do you have installed? I'd suggest re-emerging iptables to the latest release, if that doesn't help try following these instructions:

https://www.redhat.com/archives/fedora-list/2004-September/msg03425.html

However, I don't think those steps are needed; I certainly didn't use the patch-o-matic when I rebuilt my kernel.

----------

## XenoTerraCide

I'm not sure... but you may need l7 (Level 7 filter). I haven't tried any of this, but I know that to block an application you need to use a level 7 filtering firewall.

----------

## dundas

thank you MrUlterior.

```
# eix iptables
* net-firewall/iptables
     Available versions:  1.2.11-r3 1.3.4 ~1.3.5
     Installed:           1.3.4
#also -- 2.6.15-gentoo-r1
```

I can do this now (block a certain user's TCP connections)

```
iptables -A OUTPUT -p tcp -m owner --uid-owner myuserid -j DROP
```

but the --cmd-owner is not working. Should it be a command like "/usr/sbin/sshd" or /usr/sbin/sshd ... I'm not sure.

any ideas?

that's the key point of this thread

----------

## XenoTerraCide

please read this: http://l7-filter.sourceforge.net/HOWTO#Doing I think it's the closest and best you're going to get.

----------

