apt-get not working with iptables owner filter on debian 9

Linux Kernel, Network, and Services configuration.
prahladyeri
Posts: 42
Joined: 2012-07-11 20:38
Location: India

apt-get not working with iptables owner filter on debian 9

#1 Post by prahladyeri »

Hello Folks,

I've just installed debian-9 and trying to setup the iptables so that only root is able to access the internet and nobody else. I've created the following rules for that:

Code:

# allow dns
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

# allow http and https
iptables -A OUTPUT -p tcp --dport 80 -m owner --gid-owner root -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m owner --gid-owner root -j ACCEPT

# Set default policy to deny all traffic
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
The above filter holds good in general. For example, after running these rules, I'm able to successfully telnet google.com at port 80:

Code:

sudo telnet google.com 80
But when I run the sudo apt-get update command, the process is stuck at 0%:

Code:

0% [Connecting to debian.gtisc.gatech.edu (128.61.240.89)] [Connecting to security.debian.org (150.203.164.61)] [Connecting to prod.debian.map.fastly.net (151.101.8.20
However, when I remove the owner module setting from the rules, and just open ports 80/443 for all, then the above command works and the apt cache is updated:

Code:

iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
What could be going wrong here? Why is just apt not passing through the iptables filter and everything else passes?

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: apt-get not working with iptables owner filter on debian

#2 Post by dilberts_left_nut »

Check what user your apt process is running as.
AdrianTM wrote:There's no hacker in my grandma...

prahladyeri
Posts: 42
Joined: 2012-07-11 20:38
Location: India

Re: apt-get not working with iptables owner filter on debian

#3 Post by prahladyeri »

dilberts_left_nut wrote: Check what user your apt process is running as.
Doing "ps aux|grep sudo" returned the following when the apt-get command is stuck:

Code:

root      1337  0.0  0.3  55484  3676 pts/1    S+   11:38   0:00 sudo apt-get update
So, I guess it's running as root only?
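An added example, not from this thread or its posters: the `sudo apt-get update` line that `ps aux | grep sudo` shows is indeed root, but the processes that actually open the HTTP/HTTPS sockets are apt's transport helpers (`/usr/lib/apt/methods/http` and `.../https`), and since apt 1.1 (Debian 9 ships apt 1.4) those run as the unprivileged sandbox user named by `APT::Sandbox::User`, which defaults to `_apt`. The script below inspects `ps` output for those helpers, reports their owner, and emits owner-match rules for each user it finds. The `ps` sample embedded in it is constructed so the script runs offline; on a real machine call the functions with no argument and they read the live process list.

```shell
#!/bin/sh
# Added example (not from the thread): find which user apt's transport
# helpers run as, then emit iptables owner rules for each such user.
# Assumes apt >= 1.1 behaviour: /usr/lib/apt/methods/http{,s} run as the
# sandbox user (default "_apt"), while the parent apt-get stays root.

# Constructed sample of `ps -eo user,pid,args` output for offline use.
SAMPLE_PS='USER       PID ARGS
root      1337 sudo apt-get update
root      1338 apt-get update
_apt      1340 /usr/lib/apt/methods/http
_apt      1341 /usr/lib/apt/methods/https
root      1342 sshd: user [priv]'

# Print the distinct users owning apt method helper processes.
# $1: ps output to scan; when empty, a live "ps -eo user,pid,args" is used.
apt_fetch_users() {
    if [ -n "$1" ]; then ps_out=$1; else ps_out=$(ps -eo user,pid,args); fi
    printf '%s\n' "$ps_out" \
        | awk '$3 ~ "^/usr/lib/apt/methods/" { print $1 }' \
        | sort -u
}

# Emit OUTPUT rules letting root and every apt helper user reach 80/443.
# Rules are printed rather than applied so they can be reviewed first;
# pipe into sh only after checking the user list looks right.
owner_rules() {
    for u in root $(apt_fetch_users "$1" | grep -vx root); do
        for port in 80 443; do
            printf 'iptables -A OUTPUT -p tcp --dport %s -m owner --uid-owner %s -j ACCEPT\n' \
                "$port" "$u"
        done
    done
}

# Offline demonstration on the constructed sample; drop the argument
# to inspect the live system instead.
echo "apt helper users: $(apt_fetch_users "$SAMPLE_PS" | tr '\n' ' ')"
owner_rules "$SAMPLE_PS"
```

With the original rule set, the helper's packets never match `--gid-owner root`, so they fall through to the `OUTPUT DROP` policy and apt sits at 0% while root's own telnet to port 80 is accepted; running `ps -eo user,args | grep apt/methods` during a stalled `apt-get update` shows the owner directly, and `iptables -vL OUTPUT` counters confirm that nothing accepted those packets.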

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: apt-get not working with iptables owner filter on debian

#4 Post by dilberts_left_nut »

AdrianTM wrote:There's no hacker in my grandma...
