I wish to block all outgoing connections from a particular user, user, after they have ssh'd into my server (running RHEL 7.4); that is, user should not be able to ssh into or ping other servers on the network.

I initially configured the following firewall-cmd rule, and it was working:

firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 -m owner --uid-owner user -j DROP

However, user now also needs to access Jupyter Notebook running on the same server (http://localhost:8888), but was unable to. There was an error about the websocket. Once the firewall rule above was removed, user can access the Notebook.

I'm not sure why user was unable to access localhost, because I thought the rule only blocks outgoing connections.

How do I allow user to access localhost on any port, or a specific port range, while still blocking network access to everywhere else?
As djdomi mentioned, you'd like to add an exception before that DROP rule you already have. This could work

Place it before the rule you already have.

BR
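An added example, not part of the answer above, showing the exception as firewalld direct rules. Connections to localhost still traverse the OUTPUT chain (on the lo interface) before being delivered locally, so the owner-matched DROP in OUTPUT also blocked the Notebook; the fix is an ACCEPT for `-o lo` that is evaluated before the DROP. firewalld orders direct rules by priority (lower numbers first), so the ACCEPT goes in at priority 0 and the DROP from the question is re-added at priority 1. The FIREWALL_CMD variable is my own assumption, there only so the script can be dry-run with FIREWALL_CMD=echo on a box without firewalld; user and port 8888 come from the question.

```shell
#!/bin/sh
# Dry-run hook (assumption, not a firewalld feature): FIREWALL_CMD=echo prints
# the commands instead of applying them.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Allow one user to reach loopback (optionally only one TCP port) and drop
# every other outgoing connection from that user.
restrict_user_to_loopback() {
    user="$1"   # Linux account to restrict, e.g. user
    port="$2"   # optional: restrict the loopback exception to this TCP port

    if [ -n "$port" ]; then
        # Narrow exception: only the given port on the loopback interface.
        "$FIREWALL_CMD" --direct --permanent --add-rule ipv4 filter OUTPUT 0 \
            -o lo -p tcp --dport "$port" -m owner --uid-owner "$user" -j ACCEPT
    else
        # Broad exception: anything on the loopback interface.
        "$FIREWALL_CMD" --direct --permanent --add-rule ipv4 filter OUTPUT 0 \
            -o lo -m owner --uid-owner "$user" -j ACCEPT
    fi

    # Rules of equal priority keep the order they were added in, so the DROP
    # from the question is removed and re-added at priority 1, after the ACCEPT.
    "$FIREWALL_CMD" --direct --permanent --remove-rule ipv4 filter OUTPUT 0 \
        -m owner --uid-owner "$user" -j DROP
    "$FIREWALL_CMD" --direct --permanent --add-rule ipv4 filter OUTPUT 1 \
        -m owner --uid-owner "$user" -j DROP

    # --permanent rules only take effect after a reload.
    "$FIREWALL_CMD" --reload
}

# Usage: restrict_user_to_loopback user 8888
if [ -n "${1:-}" ]; then
    restrict_user_to_loopback "$@"
fi
```

The question's rule is ipv4 only; if the Notebook is reached over ::1 the same pair of rules is needed with ipv6 in place of ipv4.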