Blocking outgoing network traffic on workstation

In the apartment I am in, there is a community open wifi to use as part of being there. Yes, I am aware of the security risks, an will be working on that next.

As too my question, at this time I dont control the router/firewall an I would like to block a port thats used for guild wars on my workstation for a while. The reason for blocking is children have abused it an lost it.

In this case I am trying to block outgoing traffic on port 6112. I have tried setting up a proxy server on the workstation, but the game seems to ignore it an jump on. Due to the environment, I enabled the workstation SuSEFirewall2 firewall an tried setting up “lo” as a internal an configure the firewall as a router, then disable 0/0 an configured for 0/0,tcp,443 an re route port 80 traffic to proxy.

When I had my own internet, I had a transparent proxy enforcing rules for access times. So setting up a proxy on each machine would not be a bad thing, even if it took some creative thinking. I am trying, but seem to be missing something.
Ideally, I would like to setup a transparent proxy, as my kids have learned alot about system administration an know to check the proxy module. If all they have to do is un check “Use Proxy” an by pass a local proxy server, then I am kinda defeated. An applications such as firefox have a proxy setting they could set to none instead of system.

Any ideas?

John

as my kids have learned alot about system administration

That is not a bad thing, but they should not have the root password :wink:

I would agree with you on both statements, but by not giving them the root password, I get bombarded with enter the password request as they have learned. An I drilled them about not logging on with root.

At this point they are getting fluent with Linux as a user desktop an learning more about administration, can get around a Mac an windows. The boys are becoming quite the Network Admins at the ages of 11 an 12.

Thanks for the comment.
John

On 09/14/2011 04:56 PM, Johnfm3 wrote:
>
> The boys are becoming quite the Network Admins at the ages of 11 an 12.

if they are able to learn network admin, then why would they be unable
to learn to follow your rules on when and how to use the machine?

let me say that a different way: given enough time they WILL figure out
how to bypass each and every barrier you throw up attempting to control
them when you can’t see them, especially if you give them the Magic
Golden Key (aka: root pass)…

so, why not just set up your machine to log who goes where and
when…and keep the golden key to yourself…

and, then hang the offenders by chains from the dungeon wall until they
learn to obey the King…

such has worked for centuries…and as an extra benefit, in the end, the
lads learn self-control…

[and, when they learn how to find and falsify the networking logs
without the root password you can put them to work cracking bank
databases and . . . ]

ymmv :slight_smile:


DD
Caveat
openSUSE®, the “German Automobiles” of operating systems

2 working parents. Need not say more. 5 kids ages 9 to 17. An they are home for a couple of hours before the first parent.

Further more, Since I know how to change the root password of a machine I don’t know complements of a How-To provided by OpenSuSE, I will just change the root password even if they had changed it. An nagios (being ran on my media server with different passwords) is informing me of who is logging on an when via txt messages to my cell. The all seeing eye knows all.

To some degree, I hope they figure this one out. But the depth of education is a bit over there head. Figure it will take a couple of years.

So, back to my issue. Does any one have any insight on this? What about setting up a dummy interface, an using pointing the default route to lo an letting the comp firewall work as a NAT? Then force a transparent proxy? The problem is as I see it, most applications dont make internet calls from localhost. So I think I need to setup a virtual network for it too communicate with which is why I am thinking of setting up firewall as a router.

All so I can block a port an over see internet access. Total over kill… LOL But like my kids, I am learning more by trying to solve these kinds of issues.

John

No need to bother with proxies and dummy interfaces and all that s***. All you need is one blocking rule in the OUTPUT chain, letting all the other packets through.

iptables -I OUTPUT -p tcp --dport 6112 -j DROP

But I don’t use SuSEfirewall2 so I don’t know how you would integrate this rule into the setup.

Will that come back after a reboot?

No, that’s why you have to integrate it into any boot time scripts provided by your system.

On Wed, 14 Sep 2011 14:56:02 +0000, Johnfm3 wrote:

> At this point they are getting fluent with Linux as a user desktop an
> learning more about administration, can get around a Mac an windows. The
> boys are becoming quite the Network Admins at the ages of 11 an 12.

You must realise, then, that any measures you put in place on the machine
are likely to be discovered and removed - especially when asking how to
implement them in a public forum, right? :wink:

It might be time to invest in an inexpensive router that you and only you
administer. Physical access to the machine with the root password means
that anything you put on that machine as a preventative measure is easily
circumvented.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On Wed, 14 Sep 2011 22:22:30 +0530, Jim Henderson
<hendersj@no-mx.forums.opensuse.org> wrote:

> On Wed, 14 Sep 2011 14:56:02 +0000, Johnfm3 wrote:
>
>> At this point they are getting fluent with Linux as a user desktop an
>> learning more about administration, can get around a Mac an windows. The
>> boys are becoming quite the Network Admins at the ages of 11 an 12.
>
> You must realise, then, that any measures you put in place on the machine
> are likely to be discovered and removed - especially when asking how to
> implement them in a public forum, right? :wink:
>
> It might be time to invest in an inexpensive router that you and only you
> administer. Physical access to the machine with the root password means
> that anything you put on that machine as a preventative measure is easily
> circumvented.
>

if kids aged 9–17 have the root password and physical access, i don’t
think there’s anything you can possibly do that doesn’t involve them
agreeing to it, or be scared enough to leave it alone – like a threat of
no internet if they don’t follow.


phani.

On 09/14/2011 07:03 PM, phanisvara das wrote:

> if kids aged 9–17 have the root password and physical access, i don’t
> think there’s anything you can possibly do that doesn’t involve them
> agreeing to it

like, booting from a live CD they authored at SUSE Studio containing all
they want to have available…and bypassing all blocks to their play…


DD
openSUSE®, the “German Automobiles” of operating systems

Whats it matter if I buy or configure a wireless Router when the wifi is open at the complex. All they have to do is change networks to the complex network an bypass everything I have setup.

They dont know about the build service yet. If they get that creative to burn a live CD, as much as I am going to punish them, I will be proud telling my friends about it.
So instead of creating a script to add the iptable rule, I am thinking of setting up cron to run the command 1 time a min during the hours I dont want Guildwars to run. After that time, a simple reboot will allow it too play an cron wont run.

So it appears that the deficiency of SuSEFirewall2 is that it can not block outgoing traffic from localhost. Its great at incoming, an its nicely configurable as a NAT or a Router. But protecting outgoing traffic on a standalone workstation, it stinks. I guess I my lesson is too learn more about iptables an not rely on the firewall file.

John

Um, be careful. That iptables command appends to the OUTPUT table. So you are going to end up with a very large table all full of one rule.

You can put custom rules in one section of SuSEfirewall2 I believe.

On Wed, 14 Sep 2011 19:16:02 +0000, Johnfm3 wrote:

> Whats it matter if I buy or configure a wireless Router when the wifi is
> open at the complex. All they have to do is change networks to the
> complex network an bypass everything I have setup.

That’s a fair point.

> They dont know about the build service yet. If they get that creative
> to burn a live CD, as much as I am going to punish them, I will be proud
> telling my friends about it.

They wouldn’t need a liveCD - with the root password, they could run
single-user mode.

> So instead of creating a script to add the iptable rule, I am thinking
> of setting up cron to run the command 1 time a min during the hours I
> dont want Guildwars to run. After that time, a simple reboot will allow
> it too play an cron wont run.

You could implement a cron job to just kill the process if they start it
up - check every minute or 5 minutes for the executable, and kill -9 it.
Then tell them that if they try to run it, they might well corrupt their
saved games (possible, depending on if the kill process gets it while
it’s writing save game information out or updating data files).

> So it appears that the deficiency of SuSEFirewall2 is that it can not
> block outgoing traffic from localhost. Its great at incoming, an its
> nicely configurable as a NAT or a Router. But protecting outgoing
> traffic on a standalone workstation, it stinks. I guess I my lesson is
> too learn more about iptables an not rely on the firewall file.

There was a suggested egress rule you can implement, but generally it is
intended for ingress rather than egress.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

I am one step closer. I found when I stopped SuSEFirewall2 which flushed all the iptables entries, an entered the following in this order…

acer:/home/user # iptables -t nat -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
acer:/home/user # iptables -t nat -A OUTPUT -m owner --uid-owner 31 -j ACCEPT
acer:/home/user # iptables -t nat -A OUTPUT -m owner --uid-owner root -j ACCEPT
acer:/home/user # iptables -t nat -A OUTPUT -m owner --uid-owner squid -j ACCEPT
acer:/home/user # iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128

In my hours of searches, I stumbled accross a thread which talked about creating a endless loop. Where traffic originated by the user, is forced to port 127.0.0.1:3128, the proxy makes the request on port 80, an thus the cylcle starts. His solution was to accept all request made by the account running squid. Well, I found that root is starting the squid service via rcsquid. And the service is running twice, one as root an the other as squid.

The local proxy service was forced. Further more, it was fast. What I need to do is see about starting it with SuSEFirewall2. In the custom config section, the firewall service calls a file where you can type iptables commands an it will enter them. With the firewall service running, the tables are large.

The great things if the kids decide to stop the squid proxy service, internet stops working. An if they think configuring firefox to use no proxy is going to by pass it, they are wrong. Proxy is forced transparently. An if the oldest takes her laptop to her Boyfriends, my proxy rules still apply.

I will keep you posted.
John

On Wed September 14 2011 11:46 am, ken yap wrote:

>
> No need to bother with proxies and dummy interfaces and all that s***.
> All you need is one blocking rule in the OUTPUT chain, letting all the
> other packets through.
>
> iptables -I OUTPUT -p tcp --dport 6112 -j DROP
>
> But I don’t use SuSEfirewall2 so I don’t know how you would integrate
> this rule into the setup.
>
>

Johnfm3;

You can add custom rules to SuSEfirewall2. See both of these:

/etc/sysconfig/scripts/SuSEfirewall2-custom
and
YaST-> System -> /etc/sysconfig Editor. Look under Network, Firewall,
SuSEfirewall2 and then FW_CUSTOMRULES.

Documentation is sparce at best. I can only point you in the right direction
since it has been a number of years since I actually implemented custom rules.

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

So after doing more research on FW_Customrules, I found an issue. Whether done on purpose or accident, doesn’t matter.

SuSEfirewall2 and FW_CUSTOMRULES

Apparently the file /sbin/SuSEFirewall2 script has the same variable an its blank. So what ever value is entered in /etc/sysconfig/SuSEFirewall is overwritten by that an blown away.

The other thing I found is that the custom file that is entered in that variable, is to be set executable as its suppose to be a script. Not a text file for the main service to use.

After figuring all that out. I still can not sort out why it doesn’t appear to be working. I am half tempted to start that script off with iptables --flush an then just run my 5 lines. The other thing I noted is that the custom script that they offered doesn’t say anything about the nat, which is what I am working with. I need more studying.

Hoping this sites info is still relevant.
Linux Network Configuration

Thanks,
John

So the most interesting thing, the moment I shutdown SuSEfirewall2, an run the following…

iptables --flush
iptables -t nat -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
iptables -t nat -A OUTPUT -m owner --uid-owner 31 -j ACCEPT
iptables -t nat -A OUTPUT -m owner --uid-owner root -j ACCEPT
iptables -t nat -A OUTPUT -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128

… everything works fine. But with SuSEfirewall2 running. Web connections fail. This is a problem as with SuSEfirewall2 down, I have no protection from the outside world when plugged into public wifi.

An I was hoping to make use of FW_CUSTOMRULES to add the change I need.

John

Adding some new rules to /etc/sysconfig/scripts/SuSEfirewall2-custom works for me. I think you are on the right track, generally. The script /sbin/SuSEfirewall2 does not overwrite your settings; it sets a default and then reads /etc/sysconfig/SuSEfirewall2. Maybe it helps to see what I did, even if I am doing something completely different, i.e. blocking inbound email from some specific IP numbers.

In /etc/sysconfig/SuSEfirewall2 I have:

FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

and in /etc/sysconfig/scripts/SuSEfirewall2-custom I did modify this:

fw_custom_before_port_handling() { 
    # these rules will be loaded after the anti-spoofing and icmp handling
    # and after the input has been redirected to the input_XXX and 
    # forward_XXX chains and some basic chain-specific anti-circumvention
    # rules have been set,
    # but before any IP protocol or TCP/UDP port allow/protection rules
    # will be set.
    # You can use this hook to allow/deny certain IP protocols or TCP/UDP
    # ports before the SuSEfirewall2 generated rules are hit.
    #
    # added by vodoo:
    # a list of IP numbers to be blocked in a separate file
    BLOCKED_IP_NUMBERS=$(cat /etc/sysconfig/scripts/drop-these-ip-numbers-25 \
        | sed -e "/^#/ d" -e "s/ *#.*//")
    for BLOCKED in $BLOCKED_IP_NUMBERS ; do
        iptables -A input_ext -s $BLOCKED -p tcp --dport 25 -m state --state NEW -j DROP
    done

    true
}

Use

iptables -S

to check what has been loaded at what position.

vodoo,
I am at a bit of a loss, as am not sure what it is I am editing versus you. I am under the impression that I am editing the nat rules. Does that look correct?

ex: iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128

What is it your editing?

Does anyone have a link to a good writeup explaining the OpenSuSE implementation of SuSEFirewall2?

Thanks,
John