Bind an IP to a UID?

Posted by zawk, 06-22-2008, 11:34 AM
I finally had a question worth asking, so I signed up... This has been troubling me for a long time. I know you can do this in FreeBSD with ipfw, but I'm wanting to do this in Linux. Basically, bind an IP address, say eth0:1, to a UID or GID so that this user may only listen on that certain IP, etc. If anyone knows, please do tell.

Posted by simvps, 06-22-2008, 12:57 PM
I'm sorry, but is this server a shared server? That is, you'll share this server with others? You are limiting the UID to use a specific IP or interface (like eth0:1)?

Posted by zawk, 06-22-2008, 01:06 PM
This is a server running CentOS with no control panel. I don't want to be limiting one service such as HTTP, but rather restrict the entire user to the IP.

Posted by Xeentech, 06-23-2008, 01:27 AM
It may be possible to have a user automatically bind to a certain IP when they make a new socket; I'm unsure though. What I know you can do is REJECT or DROP any packets to or from PIDs on their UID, and tell them to bind to their IP address themselves. If you find a way to make it automatic, could you be sure to post back here, as I'm also interested in doing that.

Posted by zawk, 06-25-2008, 11:50 PM
I've only been able to figure it out through iptables. Here's how, if anyone is interested:

iptables -t filter -A OUTPUT -s 88.88.88 --match owner --uid-owner 500 -j DROP
iptables -t filter -A OUTPUT -d 88.88.88 --match owner --uid-owner 500 -j DROP

Posted by Luxore, 06-27-2008, 10:46 PM
Yeah, I think iptables is the way to go. You can either match and drop what doesn't match, or you can push traffic that would normally go out on the main interface to instead go out on the IP you assign to that user. Um, scary and disturbing thing: I read this week that raw sockets bypass iptables. I need to learn more about this.

Posted by Xous, 06-28-2008, 01:55 AM
You should note that the owner target will only match OUTGOING packets from local processes. Incoming and forwarded packets are exempt.

Posted by Xeentech, 06-28-2008, 12:32 PM
If this was a TCP session, the SYN ACK packet would be marked with the UID, so if it was to be blocked you can stop the connection being established. If you're really serious, you can use the NetQueue API to feed incoming SYN packets to a third-party app, which can look up in /proc who the listening socket (if any) belongs to.
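An added example, not code from any poster in this thread: a small POSIX sh helper that emits the iptables owner-match rules needed to confine one UID's locally generated traffic to a single assigned source address, which is the "drop what doesn't match" variant described above. The chain name UID_<uid>_CONFINE, the UID 500 and the IP 192.0.2.10 are constructed values; as noted in the thread, the owner match only sees OUTPUT, so inbound traffic is not covered by these rules.

```shell
#!/bin/sh
# Added example (not from the thread). Emits, rather than executes, the rules so
# they can be reviewed first and then piped to sh as root. The negated source
# match (! -s) is what confines the user to the IP; matching "-s IP ... -j DROP"
# as in the thread blocks the user's traffic to/from that IP instead.
# Caveat: the owner match only applies to locally generated (OUTPUT) packets.

# Validate a dotted-quad IPv4 address (every octet 0-255); returns 0 on success.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rules that confine UID $1 to source IP $2. A dedicated chain keeps
# the OUTPUT chain readable; the LOG rule gives the sysadmin a record of
# processes that tried to use another address before the packet is rejected.
uid_ip_rules() {
    uid=$1; ip=$2
    case $uid in ''|*[!0-9]*) echo "bad uid: $uid" >&2; return 1;; esac
    valid_ipv4 "$ip" || { echo "bad ip: $ip" >&2; return 1; }
    chain="UID_${uid}_CONFINE"     # constructed chain name for this example
    cat <<EOF
iptables -t filter -N $chain
iptables -t filter -A $chain ! -s $ip -j LOG --log-prefix "uid$uid-wrong-src: "
iptables -t filter -A $chain ! -s $ip -j REJECT
iptables -t filter -A OUTPUT -m owner --uid-owner $uid -j $chain
EOF
}

# Usage (constructed values): uid_ip_rules 500 192.0.2.10
```

Review the printed rules, then run them as root (for example, `uid_ip_rules 500 192.0.2.10 | sh`); the daemon run by that user still has to bind to the assigned address itself for inbound connections.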
