
useradd -m luser

iptables -I OUTPUT 1 -m owner --uid-owner luser -j REJECT

Now log in as luser and run your browser.



This would still allow data exfiltration via DNS. It really needs to be done at the browser level.


This rule blocks all IP traffic including DNS requests.


It only blocks IPv4 traffic, so on an IPv6-enabled host it can easily be bypassed without even involving DNS. But assuming an IPv4-only host, on a system using nscd, DNS lookup is performed over a Unix socket:

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
       23  1445 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1007
    
    # setuidgid outtest ping -n 1 -4 google.com
    PING google.com (142.250.102.100) 56(124) bytes of data.


That's interesting. I've never used nscd, but the rule seems to work against both dnsmasq and systemd-resolved, which just listen on loopback port 53.

As for IPv6 you can obviously just apply a similar rule using ip6tables (or the newer nftables, which I don't know how to use).
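As an added example (not from any commenter in the thread), the same per-user egress block written as an nftables ruleset: the `inet` family matches IPv4 and IPv6 in one rule, which is what the iptables plus ip6tables pair above achieves. The table name `egress_block` and the helper names are assumptions; `meta skuid` is nftables' socket-owner match.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an nftables ruleset that
# rejects all egress from one local user on IPv4 and IPv6 at once.
# Assumes nftables is installed; the table name "egress_block" is ours.

# Print an nftables ruleset for the given user name (or numeric uid).
# The "inet" family covers both address families, closing the gap an
# IPv4-only iptables rule leaves on a dual-stack host.
gen_ruleset() {
    user="$1"
    cat <<EOF
table inet egress_block {
    chain output {
        type filter hook output priority 0; policy accept;
        # Reject packets whose originating socket belongs to the user.
        # The counter shows whether anything from that user tried to leave.
        meta skuid "$user" counter reject
    }
}
EOF
}

# Count how many rules in a ruleset text match the given user, so the
# generated text can be checked before loading it with "nft -f".
count_user_rules() {
    printf '%s\n' "$2" | grep -c "meta skuid \"$1\"" || true
}

# Load the ruleset into the kernel (needs root). Afterwards,
# "nft list table inet egress_block" shows the counter rising when the
# user generates traffic, and "sudo -u <user> curl https://example.com"
# should fail immediately rather than hang.
apply_ruleset() {
    gen_ruleset "$1" | nft -f -
}

# Caveat from the thread: on a host running nscd the user's lookups travel
# over a Unix socket to the daemon, whose own UDP queries are not the
# user's packets, so names still resolve. With dnsmasq or systemd-resolved
# listening on loopback port 53, the user's queries are IP packets owned
# by the user and are rejected like everything else.

# Usage: gen_ruleset luser          (review the ruleset)
#        apply_ruleset luser        (as root, apply it)
```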



