Restrict local port access to a specific user

Question

I'm trying to restrict access to a particular port for a particular user on my Debian.

Let's say user's id is 1000 and port I would like to block is 5000.

I tried using iptables with the following command :

iptables -I OUTPUT -o lo -p tcp --dport 5000 --match owner --uid-owner 1000 -j DROP

It works if the user does curl 127.0.0.1:5000 or curl <machine_ip>:5000 but not if the user execute curl localhost:5000.

I don't understand why it's not working. I though localhost was converted to 127.0.0.1. What's the difference ?

In my /etc/hosts file, I have

127.0.0.1   localhost

# The following lines are desirable for IPv6 capable hosts
::1 localhost   ip6-localhost ip6-loopback

Thanks for revisiting this after all this time and the accept/upvote =} — tink, Feb 12 '20 at 18:37

tink · Accepted Answer · 2018-12-09T18:16:43.643

13

Do the same for IPv6 ... localhost resolves to both an IPv4 and IPv6 address, and v6 is preferred.

Edit 1:

ip6tables -I OUTPUT -o lo -p tcp --dport 5000 --match owner --uid-owner 1000 -j DROP

edited Dec 09 '18 at 18:16

answered Dec 09 '18 at 16:56

tink

Thanks, I suspected something like this but I don't know how to do it for ipv6... `-o lo` in my `iptables` command should do the trick no ? – Nicolas Mauti Dec 09 '18 at 17:43
Try `ip6tables -I OUTPUT -o lo -p tcp --dport 5000 --match owner --uid-owner 1000 -j DROP` ;} – tink Dec 09 '18 at 17:49
1

It seems to work, thank you very much. I didn't know about ip6tables, I thought iptable worked for v4 and v6... – Nicolas Mauti Dec 09 '18 at 18:10
No worries, you're welcome. Feel free to accept my answer ;) – tink Dec 09 '18 at 18:12
I did but I haven't enough point to make the upvote visible... :) – Nicolas Mauti Dec 09 '18 at 18:45

1 Answers1