iptables --match owner --uid-owner won't work



DerAufgeklUser
02.03.07, 19:59
I want to stop a user from getting onto the Internet and came up with the following one-liner for it:
iptables -A OUTPUT --match owner --uid-owner 1001 -j DROP

Which still doesn't stop the user from reaching the net...

What am I doing wrong?

cane
02.03.07, 20:17
Your information is insufficient:

What is the user doing / i.e. what is not being filtered?
Post the output of "iptables -L"
Post the output of "ps -U 1001"
Post the output of "ps -aux"

Please post everything in code tags...

regards
cane

DerAufgeklUser
02.03.07, 20:29
I tested it with pings to the outside.


# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere OWNER UID match nonet

# ps -U 1001
PID TTY TIME CMD
13502 pts/1 00:00:00 su
13505 pts/1 00:00:00 sh

# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 1568 528 ? S 17:30 0:01 init [2]
root 2 0.0 0.0 0 0 ? SN 17:30 0:00 [ksoftirqd/0]
root 3 0.0 0.0 0 0 ? S 17:30 0:00 [watchdog/0]
root 4 0.0 0.0 0 0 ? S< 17:30 0:00 [events/0]
root 5 0.0 0.0 0 0 ? S< 17:30 0:00 [khelper]
root 6 0.0 0.0 0 0 ? S< 17:30 0:00 [kthread]
root 8 0.0 0.0 0 0 ? S< 17:30 0:00 [kblockd/0]
root 9 0.0 0.0 0 0 ? S< 17:30 0:00 [kacpid]
root 127 0.0 0.0 0 0 ? S< 17:30 0:00 [aio/0]
root 126 0.0 0.0 0 0 ? S 17:30 0:01 [kswapd0]
root 714 0.0 0.0 0 0 ? S< 17:30 0:00 [kseriod]
root 1816 0.0 0.0 0 0 ? S< 17:30 0:00 [khubd]
root 1833 0.0 0.0 0 0 ? S 17:30 0:00 [khpsbpkt]
root 1851 0.0 0.0 0 0 ? S 17:30 0:00 [knodemgrd_0]
root 1949 0.0 0.0 0 0 ? S< 17:30 0:00 [reiserfs/0]
root 2184 0.0 0.2 2540 1020 ? S<s 17:30 0:00 /sbin/udevd --daemon
root 3104 0.0 0.0 0 0 ? S 17:30 0:00 [shpchpd_event]
root 3145 0.0 0.0 0 0 ? S< 17:30 0:00 [ipw2200/0]
root 3155 0.0 0.0 0 0 ? S 17:30 0:00 [pccardd]
dhcp 3482 0.0 0.1 2460 600 ? S<s 17:30 0:00 dhclient3 -pf /var/run/dhclient.eth1.pid -lf /var/lib/dhcp3/
root 3494 0.0 0.0 0 0 ? S 17:30 0:00 [cifsoplockd]
root 3495 0.0 0.0 0 0 ? S 17:30 0:00 [cifsdnotifyd]
root 3499 0.1 0.0 0 0 ? S 17:30 0:15 [cifsd]
root 4214 0.0 0.3 2552 1632 ? Ss 17:30 0:00 /usr/sbin/acpid -c /etc/acpi/events -s /var/run/acpid.socket
syslog 4302 0.0 0.1 1768 676 ? Ss 17:30 0:00 /sbin/syslogd -u syslog
root 4328 0.0 0.0 1684 500 ? Ss 17:30 0:00 /bin/dd bs 1 if /proc/kmsg of /var/run/klogd/kmsg
klog 4330 0.0 0.2 2424 1352 ? Ss 17:30 0:00 /sbin/klogd -P /var/run/klogd/kmsg
104 4349 0.0 0.1 2196 876 ? Ss 17:30 0:01 /usr/bin/dbus-daemon --system
108 4364 0.0 1.0 6868 5468 ? Ss 17:30 0:02 /usr/sbin/hald
root 4365 0.0 0.1 2720 996 ? S 17:30 0:00 hald-runner
108 4370 0.0 0.1 2004 832 ? S 17:30 0:00 /usr/lib/hal/hald-addon-acpi
108 4424 0.0 0.1 2004 792 ? S 17:30 0:00 /usr/lib/hal/hald-addon-keyboard
108 4436 0.0 0.1 2008 900 ? S 17:30 0:02 /usr/lib/hal/hald-addon-storage
108 4437 0.0 0.1 2008 900 ? S 17:30 0:02 /usr/lib/hal/hald-addon-storage
root 4467 0.0 0.3 10940 1792 ? Ss 17:30 0:00 /usr/sbin/gdm
root 4468 0.0 0.5 11384 2640 ? S 17:30 0:00 /usr/sbin/gdm
root 4471 2.6 6.9 42216 35316 tty7 Ss+ 17:30 6:15 /usr/bin/X :0 -br -audit 0 -auth /var/lib/gdm/:0.Xauth -noli
dnsmasq 4491 0.0 0.1 1828 684 ? S 17:30 0:00 /usr/sbin/dnsmasq -u dnsmasq
hplip 4509 0.0 0.1 12876 920 ? Ssl 17:30 0:00 /usr/sbin/hpiod
hplip 4534 0.0 0.9 9408 4684 ? S 17:31 0:00 python /usr/sbin/hpssd
cupsys 4582 0.0 0.3 4204 1888 ? Ss 17:31 0:08 /usr/sbin/cupsd
root 4649 0.0 0.0 1556 264 ? SNs 17:31 0:00 /usr/sbin/powernowd -q
root 4694 0.0 0.1 1968 708 ? Ss 17:31 0:00 hcid: processing events
root 4700 0.0 0.0 1620 456 ? Ss 17:31 0:00 /usr/sbin/sdpd
root 4709 0.0 0.0 0 0 ? S< 17:31 0:00 [krfcommd]
root 4722 0.0 0.0 1628 300 ? Ss 17:31 0:00 /sbin/mdadm -F -i /var/run/mdadm.pid -m root -f -s
daemon 4757 0.0 0.0 1804 392 ? Ss 17:31 0:00 /usr/sbin/atd
root 4770 0.0 0.1 2120 840 ? Ss 17:31 0:00 /usr/sbin/cron
root 4849 0.0 0.0 1564 496 tty1 Ss+ 17:31 0:00 /sbin/getty 38400 tty1
root 4850 0.0 0.0 1564 496 tty2 Ss+ 17:31 0:00 /sbin/getty 38400 tty2
root 4851 0.0 0.0 1564 496 tty3 Ss+ 17:31 0:00 /sbin/getty 38400 tty3
root 4852 0.0 0.0 1560 492 tty4 Ss+ 17:31 0:00 /sbin/getty 38400 tty4
root 4853 0.0 0.0 1560 492 tty5 Ss+ 17:31 0:00 /sbin/getty 38400 tty5
root 4854 0.0 0.0 1560 492 tty6 Ss+ 17:31 0:00 /sbin/getty 38400 tty6
icke 4873 0.0 2.0 20064 10272 ? Ss 17:31 0:01 /usr/bin/gnome-session
icke 4916 0.0 0.1 4332 732 ? Ss 17:31 0:00 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session
icke 4919 0.0 0.1 2716 648 ? S 17:31 0:00 /usr/bin/dbus-launch --exit-with-session /usr/bin/gnome-sess
icke 4920 0.0 0.1 2196 976 ? Ss 17:31 0:00 dbus-daemon --fork --print-pid 8 --print-address 6 --session
icke 4922 0.0 0.8 6564 4072 ? S 17:31 0:01 /usr/lib/libgconf2-4/gconfd-2 5
icke 4925 0.0 0.1 2344 744 ? S 17:31 0:00 /usr/bin/gnome-keyring-daemon
icke 4927 0.0 0.6 6460 3116 ? Ss 17:31 0:00 /usr/lib/bonobo-activation/bonobo-activation-server --ac-act
icke 4929 0.0 1.8 27716 9144 ? Sl 17:31 0:03 /usr/lib/control-center/gnome-settings-daemon --oaf-activate
icke 4931 0.0 0.2 3084 1440 ? Ss 17:31 0:00 /usr/bin/esd -terminate -nobeeps -as 1 -spawnfd 18
icke 4933 0.0 0.3 3220 1568 ? SL 17:31 0:00 /usr/bin/esd -nobeeps
icke 4935 0.0 0.2 3168 1460 ? Ss 17:31 0:00 /usr/bin/esd -terminate -nobeeps -as 1 -spawnfd 18
icke 4940 0.0 0.0 2944 476 ? Ss 17:31 0:00 /usr/bin/esd -terminate -nobeeps -as 1 -spawnfd 18
icke 4942 0.2 1.9 15996 9924 ? Ss 17:31 0:33 /usr/bin/metacity --sm-client-id=default0
icke 4948 0.1 4.4 45752 22520 ? Ssl 17:31 0:24 gnome-panel --sm-client-id default1
icke 4950 0.5 6.1 85100 31068 ? Ssl 17:31 1:18 nautilus --no-default-window --sm-client-id default2
icke 4955 0.0 1.8 33992 9524 ? Ss 17:31 0:03 gnome-volume-manager --sm-client-id default4
icke 4961 0.0 2.1 19628 10660 ? Ss 17:31 0:01 update-notifier
icke 4965 0.6 1.5 46320 8028 ? Ssl 17:31 1:31 gnome-cups-icon --sm-client-id default3
icke 4970 0.0 0.7 8836 3992 ? Sl 17:31 0:00 /usr/lib/gnome-vfs-2.0/gnome-vfs-daemon --oaf-activate-iid=O
icke 4972 0.0 1.7 64912 8920 ? Sl 17:31 0:00 /usr/lib/gnome-applets/trashapplet --oaf-activate-iid=OAFIID
icke 4982 0.0 1.2 18536 6476 ? Ss 17:31 0:01 gnome-power-manager
icke 4997 0.0 0.1 2288 808 ? S 17:31 0:00 /usr/lib/nautilus-cd-burner/mapping-daemon
icke 5006 0.0 2.1 23664 10668 ? S 17:31 0:00 /usr/lib/gnome-panel/clock-applet --oaf-activate-iid=OAFIID:
icke 5008 0.0 1.7 31704 8836 ? S 17:31 0:00 /usr/lib/gnome-netstatus/gnome-netstatus-applet --oaf-activa
icke 5010 0.0 2.2 34540 11548 ? S 17:31 0:00 /usr/lib/gnome-applets/mixer_applet2 --oaf-activate-iid=OAFI
icke 5012 0.2 1.5 17848 7752 ? S 17:31 0:37 /usr/lib/gnome-applets/multiload-applet-2 --oaf-activate-iid
icke 5014 0.0 2.0 19636 10384 ? S 17:31 0:01 /usr/lib/gnome-applets/cpufreq-applet --oaf-activate-iid=OAF
icke 5019 0.1 3.1 37040 16224 ? Sl 17:31 0:16 sylpheed-claws-gtk2
icke 5036 0.0 0.5 14804 2904 ? Ss 17:31 0:03 gnome-screensaver
icke 5252 0.0 2.0 30616 10204 ? S 17:38 0:05 /usr/lib/notification-daemon/notification-daemon
icke 6903 1.3 1.9 48544 9796 ? SLl 18:31 2:21 xmms file:///media/helgman/mp3/Knorkator
root 9884 0.0 0.0 0 0 ? S 19:45 0:00 [pdflush]
root 10545 0.0 0.0 0 0 ? S 19:54 0:00 [pdflush]
dhcp 12058 0.0 0.1 2460 572 ? Ss 20:38 0:00 dhclient eth1
icke 13234 1.5 2.9 47116 15016 ? Sl 21:16 0:10 gnome-terminal
icke 13235 0.0 0.1 2284 684 ? S 21:16 0:00 gnome-pty-helper
icke 13236 0.0 0.6 5760 3332 pts/0 Ss 21:16 0:00 bash
icke 13336 0.0 0.3 4212 1688 ? S 21:19 0:00 /bin/sh /usr/bin/firefox
icke 13347 0.0 0.3 4260 1720 ? S 17:31 0:00 /bin/sh /opt/firefox/run-mozilla.sh /opt/firefox/firefox-bin
icke 13352 3.8 7.4 135588 37952 ? Sl 21:19 0:19 /opt/firefox/firefox-bin
root 13403 0.0 0.2 3728 1212 pts/0 S 21:20 0:00 su
root 13404 0.1 0.4 4224 2076 pts/0 S 21:20 0:00 bash
icke 13476 0.1 0.6 5768 3332 pts/1 Ss 21:22 0:00 bash
nonet 13548 0.0 0.2 3732 1208 pts/1 S 21:24 0:00 su nonet
nonet 13551 0.1 0.6 5824 3400 pts/1 S+ 21:24 0:00 bash
root 13685 0.0 0.2 2432 1024 pts/0 R+ 21:27 0:00 ps aux

cane
03.03.07, 01:16
I don't see any "ping" among your processes.

I just tested it, and it works fine:



root@cane:~# adduser test13

root@cane:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

root@cane:~# su - test13

test13@cane:~$ ping google.de
PING google.de (72.14.221.104) 56(84) bytes of data.
64 bytes from fg-in-f104.google.com (72.14.221.104): icmp_seq=1 ttl=247 time=55.6 ms

test13@cane:~$ exit

root@cane:~# cat /etc/passwd|grep test13
test13:x:1001:1001:,,,:/home/test13:/bin/bash

root@cane:~#iptables -A OUTPUT --match owner --uid-owner 1001 -j DROP

root@cane:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere OWNER UID match test13

root@cane:~# su - test13

test13@alcatraz:~$ ping google.de
ping: unknown host google.de


regards
cane

DerAufgeklUser
03.03.07, 13:22
I had tried the ping with IP addresses, and that works. Name resolution is blocked, just as it is for you. Everything else I have tried since is blocked as well.

Why isn't the ping to an IP blocked?

Roger Wilco
03.03.07, 13:44
Because "ping" normally has the SUID bit set and is therefore executed as "root".
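To make that answer checkable, here is an added example (my own script, not from anyone in this thread): it works out which UID the kernel's owner match would see for sockets a program creates, and whether the thread's DROP rule for UID 1001 would therefore hit it. A setuid-root binary creates its raw socket as root, so the rule never matches; function names are my own.

```shell
#!/bin/sh
# Added example: predict what "iptables -A OUTPUT -m owner --uid-owner UID -j DROP"
# sees for a given program. The owner match compares the UID that owns the socket,
# which for a setuid-root binary is root (0), not the UID of the user who ran it.

# owner_uid_for BINARY CALLER_UID -> UID the program's sockets will carry
owner_uid_for() {
    bin="$1"
    caller_uid="$2"
    # -n prints numeric owner; a missing file is treated as an ordinary binary
    line=$(ls -ldn "$bin" 2>/dev/null) || { echo "$caller_uid"; return; }
    perms=${line%% *}                          # e.g. -rwsr-xr-x
    file_owner=$(echo "$line" | awk '{print $3}')
    case "$perms" in
        ???[sS]*) echo "$file_owner" ;;        # setuid bit: effective UID is the file owner
        *)        echo "$caller_uid" ;;        # plain binary: effective UID stays the caller's
    esac
}

# would_drop BINARY CALLER_UID RULE_UID -> "dropped" or "bypasses"
# Does a --uid-owner RULE_UID DROP rule catch this program when CALLER_UID runs it?
would_drop() {
    sock_uid=$(owner_uid_for "$1" "$2")
    if [ "$sock_uid" = "$3" ]; then echo dropped; else echo bypasses; fi
}

# Report on the real ping binary on this host for the thread's UID 1001.
# A ping that is not setuid (e.g. one granted cap_net_raw instead) keeps the
# caller's UID, and the owner match then works as the poster expected.
report_ping() {
    p=$(command -v ping 2>/dev/null) || { echo "ping: not found on PATH"; return; }
    echo "$p: owner match sees UID $(owner_uid_for "$p" 1001) -> rule for 1001 $(would_drop "$p" 1001 1001)"
}

report_ping
```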