Tuesday, March 3, 2020

*Security: Linux application level firewall

The iptables side is a single owner-match rule on the OUTPUT chain. With the group named allownet (the name used throughout this post) and eth0 as the outbound interface, it is:
iptables -A OUTPUT -o eth0 -m owner --gid-owner allownet -j ACCEPT
On its own this rule blocks nothing: it only has an effect if everything else leaving the machine is dropped or rejected, either by a DROP policy on the OUTPUT chain or by a REJECT rule placed after it. Loopback traffic and replies on connections that already exist (for example sshd answering an inbound session) need their own ACCEPT rules in front of that, and eth0 must be replaced with your real interface name (or -o left out to cover all interfaces). The owner match looks at the effective group of the process that owns the socket, not at its supplementary groups, which is why merely being a member of allownet is not enough.

With that in place, only processes running with the allownet group can open outbound connections. Create the group and make your user a member first (groupadd allownet, then usermod -aG allownet youruser and log in again), because sg will refuse to switch to a group you do not belong to unless the group has a password. Since allownet is not your primary group, nothing you start in the normal way gets network access; you have to start a program explicitly with its group switched. In practice this means only applications that you trust and have launched this way can reach the network.
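As an added example (not from the original post), here is the complete OUTPUT chain that the owner-match rule needs around it, written as a small script that prints the iptables commands by default and runs them when given the argument apply. The interface eth0 and the group allownet are assumed defaults; the function name allownet_rules, the environment variables and the log prefix are this example's own choices.

```shell
#!/bin/sh
# Added example, not the original post's code: the rest of the OUTPUT chain
# that the single "-m owner --gid-owner allownet -j ACCEPT" rule needs.
# Assumed defaults: interface eth0, group allownet (override with IFACE=...
# and NETGROUP=...). Without arguments it prints the rules; "apply" runs
# them, which requires root.

IFACE=${IFACE:-eth0}
NETGROUP=${NETGROUP:-allownet}

# Emit the rule set for interface $1 and group $2. Order matters: allow
# rules first, the catch-all REJECT after them, and the DROP policy set
# last so an existing ssh session is not cut while the rules are loading.
allownet_rules() {
    cat <<EOF
iptables -F OUTPUT
# loopback: local services (resolver stubs, X11, databases) must keep working
iptables -A OUTPUT -o lo -j ACCEPT
# replies on connections that already exist, e.g. sshd answering an inbound session
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the rule from the post: processes running with the $2 group may go out
iptables -A OUTPUT -o $1 -m owner --gid-owner $2 -j ACCEPT
# note: a local DNS forwarder (systemd-resolved, dnsmasq) sends the upstream
# queries itself and needs its own --uid-owner rule, or every lookup fails
# everything else: log a sample, then refuse at once instead of timing out
iptables -A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "$2-denied: "
iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
# safety net in case the REJECT rule is ever removed
iptables -P OUTPUT DROP
EOF
}

if [ "${1:-}" = apply ]; then
    # sg (and iptables itself) need the group to exist
    getent group "$NETGROUP" >/dev/null || {
        echo "group $NETGROUP does not exist; create it with: groupadd $NETGROUP" >&2
        exit 1
    }
    allownet_rules "$IFACE" "$NETGROUP" | sh -e
else
    allownet_rules "$IFACE" "$NETGROUP"
fi
```

Saved as, say, allownet-fw.sh, run it once without arguments to review the rules and then as root with apply to load them. The same rules can be kept in iptables-restore format if you want them loaded atomically at boot.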

The easiest way to start a process under a different group is the sg command. The syntax is:
sg <group> "<command>"
The quotes matter: sg takes exactly one argument after the group name as the command and hands it to a shell with -c, so without them only the word before the first space would be treated as the command.

To make this easier to remember, you can create a small wrapper script that starts a trusted application with network access. Mine is called allownet and lives in /usr/local/bin, so my default PATH finds it (mark it executable with chmod +x):
#!/bin/bash
# allownet: run the given command with the allownet group so the owner rule matches.
# %q quotes each argument separately, so the shell that sg starts rebuilds the exact argv.
exec sg allownet "$(printf '%q ' "$@")"
It quotes every argument it receives and hands them to sg as one string, so the call ends up looking like:
sg allownet "<parameters passed to allownet>"
Quoting the arguments one at a time with "$@" is what keeps an argument containing spaces or shell metacharacters intact; joining them first with "$*" would let the shell that sg starts split it up again. The %q format is a bash feature, which is why the script runs under bash; the shell sg uses to run the command has to understand the same quoting, which it does when that shell is bash.
Now, if I want to run an ssh command with network access, I can simply enter:
allownet ssh user@host
and everything works as usual.
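To check that a wrapper like this really preserves its arguments, here is an added example (not the post's script) that builds the same single command string using plain POSIX single-quote escaping instead of bash's %q, so it does not depend on which shell sg starts, together with a small self-check that re-parses the string the way that shell does. The group name allownet is assumed as in the post; the function names sh_quote, sg_command, reparsed_argc and run_allownet are this example's own.

```shell
#!/bin/sh
# Added example, not the original post's script: a portable allownet wrapper
# plus a check that its quoting survives the "sh -c" step inside sg.
# Assumed: the group is called allownet; sg runs the command through a
# POSIX-compatible shell. Function names are this example's own.

# Quote one string so a POSIX shell reads it back as exactly one word:
# wrap it in single quotes and turn each embedded ' into '\''.
sh_quote() {
    _rest=$1
    _out=
    while [ -n "$_rest" ]; do
        _ch=${_rest%"${_rest#?}"}   # first character of the remainder
        _rest=${_rest#?}            # drop it
        if [ "$_ch" = "'" ]; then
            _out="$_out'\\''"
        else
            _out="$_out$_ch"
        fi
    done
    printf "'%s'" "$_out"
}

# Join the arguments into the single command string sg expects after the
# group name, each argument quoted separately.
sg_command() {
    _cmd=
    for _arg in "$@"; do
        _cmd="$_cmd $(sh_quote "$_arg")"
    done
    printf '%s' "${_cmd# }"
}

# What sg does last: hand the string to a shell with -c. This re-parses it
# the same way and reports how many argv words the program would receive.
reparsed_argc() {
    sh -c "set -- $1; printf '%s' \"\$#\""
}

# The wrapper itself (install this file as /usr/local/bin/allownet).
run_allownet() {
    sg allownet "$(sg_command "$@")"
}

# Show the difference between joining with spaces and quoting per argument:
# the naive string splits into 5 words, the quoted one stays at 3.
demo() {
    naive='ssh host echo hi there'
    quoted=$(sg_command ssh host 'echo hi there')
    printf 'naive  %-34s -> %s words\n' "$naive" "$(reparsed_argc "$naive")"
    printf 'quoted %-34s -> %s words\n' "$quoted" "$(reparsed_argc "$quoted")"
}

if [ $# -gt 0 ]; then
    run_allownet "$@"
else
    demo
fi
```

Run without arguments it prints the comparison; with arguments it behaves like the allownet wrapper above. Single-quote escaping is chosen over %q because every Bourne-style shell reads it identically, whereas %q can emit bash-only forms such as $'...' for unusual characters.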

We are now better protected against applications on our Linux system reaching the network without our knowledge. Bear in mind what the boundary is: any child of an allownet process (a shell, a browser's helper processes) inherits the group and therefore the access, and root can change the rules or the group at will, so this guards against ordinary programs phoning home silently rather than acting as a sandbox.