iptables seems to not want to block a user.
I'm using a remastered 10.04 live and Firestarter as a firewall. I've made no fundamental changes to the distro, except to update, upgrade and add this iptables line for my admin user dev:
sudo iptables -A OUTPUT -p all -m owner --uid-owner dev -j DROP
I've allowed dev, my admin, to use Firefox as another user:
gksudo -u browserUser /usr/bin/firefox
Note: The purpose of this is to stop opening up browser scripts to the admin account, and instead use a clean account with no privs as a proxy.
Now, I test to see if iptables is blocking in case admin accidentally tried to connect without using another user. So I try Midori browser directly:
/usr/bin/midori
Midori launches, and connects to the internet. I'm puzzled. My iptables entry doesn't seem to work.
I added the same line I remastered with:
sudo iptables -A OUTPUT -p all -m owner --uid-owner dev -j DROP
I still am not blocked. So, I try resetting the tables:
sudo /etc/init.d/networking restart
I get output:
* Reconfiguring network interfaces...
Ignoring unknown interface wlan0=wlan0.
I try connecting again with Midori browser, and my iptables rule is still ignored.
What's happening?
The order of your rules in iptables is critical. If a packet matches an earlier rule, there is no further processing.
You are appending ( -A ) your rules to the end of the OUTPUT chain, so, my guess is the packets are accepted by an earlier rule.
If you put the rule first, with -I OUTPUT 1, it will work. Your use case is more complex as you are using 2 tools, Firestarter and iptables, to manage your firewall rules. I suggest you use one or the other, but not both.
If you would like to see your rule set, use
And if you want to use iptables to manage your firewall see
https://help.ubuntu.com/community/IptablesHowTo
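To make the first-match point concrete, here is an added example (not from the question, the answer, or iptables itself) that simulates an OUTPUT chain in Python. The earlier ACCEPT rule on port 80 is a constructed stand-in for whatever allow rule Firestarter installs ahead of yours; the owner match and the -A versus -I OUTPUT 1 behaviour follow iptables semantics.

```python
"""Constructed first-match model of an iptables OUTPUT chain.

Shows why `-A OUTPUT ... --uid-owner dev -j DROP` lands behind an earlier
ACCEPT rule and never fires, while `-I OUTPUT 1` makes it match first.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    target: str                        # "ACCEPT" or "DROP"
    uid_owner: Optional[str] = None    # emulates `-m owner --uid-owner <user>`
    dport: Optional[int] = None        # emulates `--dport`, used by the assumed allow rule

    def matches(self, user: str, dport: int) -> bool:
        if self.uid_owner is not None and self.uid_owner != user:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


@dataclass
class Chain:
    policy: str = "ACCEPT"
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:          # iptables -A OUTPUT ...
        self.rules.append(rule)

    def insert(self, position: int, rule: Rule) -> None:  # iptables -I OUTPUT <n> ... (1-based)
        self.rules.insert(position - 1, rule)

    def verdict(self, user: str, dport: int) -> str:
        # iptables stops at the first matching rule; the chain policy applies if none match.
        for rule in self.rules:
            if rule.matches(user, dport):
                return rule.target
        return self.policy


def build_chain(insert_first: bool) -> Chain:
    chain = Chain()
    # Constructed stand-in for an allow rule a tool like Firestarter adds earlier in OUTPUT.
    chain.append(Rule("ACCEPT", dport=80))
    drop_dev = Rule("DROP", uid_owner="dev")
    if insert_first:
        chain.insert(1, drop_dev)   # sudo iptables -I OUTPUT 1 -m owner --uid-owner dev -j DROP
    else:
        chain.append(drop_dev)      # sudo iptables -A OUTPUT -m owner --uid-owner dev -j DROP
    return chain
```

With the appended rule, traffic from dev to port 80 hits the ACCEPT rule first (the symptom in the question); with the rule inserted at position 1, dev is dropped while browserUser is still accepted.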