* How to make per process firewall ?
@ 2017-04-18  7:28 Lev Olshvang
  2017-04-18 15:30 ` Daniel.
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Lev Olshvang @ 2017-04-18  7:28 UTC (permalink / raw)
  To: kernelnewbies

An HTML attachment was scrubbed...
URL: http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20170418/3781c7ac/attachment.html 

^ permalink raw reply	[flat|nested] 6+ messages in thread

* How to make per process firewall ?
  2017-04-18  7:28 How to make per process firewall ? Lev Olshvang
@ 2017-04-18 15:30 ` Daniel.
  2017-04-18 17:49 ` valdis.kletnieks at vt.edu
  2017-04-19 16:58 ` Stephen Brennan
  2 siblings, 0 replies; 6+ messages in thread
From: Daniel. @ 2017-04-18 15:30 UTC (permalink / raw)
  To: kernelnewbies

I think docker or lxc may help you. You run the process(es) in a container
and attach a tap interface to the container; the process inside the
container can only see the attached interface.

Regards,

2017-04-18 4:28 GMT-03:00 Lev Olshvang <levonshe@yandex.com>:

> Hi all,
>
> I would like to constrain process (by name) or group of process to
> specific network interface and to specific port.
>
> Please advice if there is some cgroups controller or netfilter module?
>
> ThanX, Lev
>
>
> _______________________________________________
> Kernelnewbies mailing list
> Kernelnewbies at kernelnewbies.org
> https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
>
>


-- 
"If you're going to try, go all the way. Otherwise, don't even start. ..."
  Charles Bukowski

^ permalink raw reply	[flat|nested] 6+ messages in thread

* How to make per process firewall ?
  2017-04-18  7:28 How to make per process firewall ? Lev Olshvang
  2017-04-18 15:30 ` Daniel.
@ 2017-04-18 17:49 ` valdis.kletnieks at vt.edu
  2017-04-19 16:58 ` Stephen Brennan
  2 siblings, 0 replies; 6+ messages in thread
From: valdis.kletnieks at vt.edu @ 2017-04-18 17:49 UTC (permalink / raw)
  To: kernelnewbies

On Tue, 18 Apr 2017 10:28:20 +0300, Lev Olshvang said:

> I would like to constrain process (by name) or group of process to specific
> network interface and to specific port.

Let's take a step back.  What problem are you trying to solve by constraining
the processes?

^ permalink raw reply	[flat|nested] 6+ messages in thread

* How to make per process firewall ?
  2017-04-18  7:28 How to make per process firewall ? Lev Olshvang
  2017-04-18 15:30 ` Daniel.
  2017-04-18 17:49 ` valdis.kletnieks at vt.edu
@ 2017-04-19 16:58 ` Stephen Brennan
  2017-04-20 17:31   ` Joe Smith
  2 siblings, 1 reply; 6+ messages in thread
From: Stephen Brennan @ 2017-04-19 16:58 UTC (permalink / raw)
  To: kernelnewbies

> I would like to constrain process (by name) or group of process to specific
> network interface and to specific port.

This sounds like an excellent use-case for network namespaces [1]. They create
an entire virtualized network stack within the kernel. This includes everything
from network devices all the way up to firewall rules. You may create and
administer namespaces using ip-netns(8). Alternatively, you can simply create
a new one when you clone(2), by providing CLONE_NEWNET argument.

You can run commands that affect namespaces created by ip-netns(8) using
`ip netns exec`. If you didn't create a namespace with ip-netns, you can still
run commands within any process's namespace via the nsenter(1) command, provided
by util-linux. If you don't have that command (due to outdated util-linux), you
can implement your own in less than 20 lines of C using the setns(2) system
call. The manual page even provides a full implementation.

In summary, the easiest way, with ip-netns(8), would be:

    ip netns add blue

    ip netns exec blue iptables -nvL
    # an empty firewall

    ip netns exec blue ip link
    # just a loopback

    # You'll likely want to create a veth pair, add one end to the "blue" netns,
    # and then set up routes. You'll have a separate IP address within the
    # netns, but I don't believe there's any way around that.

    ip netns exec blue iptables -A # your rule here

    ip netns exec blue YOUR-PROGRAMS

Note that this is how Linux containers (e.g. Docker, LXC) work anyway; however,
they virtualize other components of the kernel too (filesystem, process IDs, and
much more). If all you want is to virtualize network resources, network
namespaces are a more direct way to do this than containers, which will
virtualize the rest as well.

ALTERNATIVE [2]:

You can apparently create iptables rules which match based on PID (not a great
idea) or by UID/GID (a much better idea). If the overhead of network namespaces
(veth pairs, new IPs, creating routes) is too much, you could create a user and
run your processes as this user. Then create iptables rules that match based on
the user. You do this with the "owner" module, and you can check whether it
exists on your system by running:

    iptables -m owner

[1]: https://lwn.net/Articles/580893/
[1]: also `man 7 namespaces`
[2]: http://stackoverflow.com/questions/4314163/create-iptables-rule-per-process-service

^ permalink raw reply	[flat|nested] 6+ messages in thread
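The namespace approach from the message above, carried through to a working script. This is an added example, not code from the thread or from any of its participants: it creates the namespace, the veth pair Stephen mentions, the routes, host-side NAT so the namespace shares the host's address, and an egress policy inside the namespace that allows only the listed TCP ports. The namespace name `blue` is taken from the message; the veth names, the `10.200.1.0/24` transfer network, `eth0` as the egress interface and the `NSBOX_*` variables are assumptions made for this example. Every command is wrapped so that `NSBOX_DRY_RUN=1` prints it instead of running it, which is how you can inspect the rule set without root.

```shell
#!/bin/sh
# nsbox.sh: run a program in its own network namespace behind a veth pair and
# NAT, so it shares the host's address but can only open TCP connections to the
# given port(s), and only out of one physical interface.
# Namespace name, veth names, the 10.200.1.0/24 transfer net and eth0 are
# illustrative defaults chosen for this example, not values from the thread.
# NSBOX_DRY_RUN=1 prints each command instead of executing it (no root needed).

NS="${NSBOX_NS:-blue}"
HOST_IF="${NSBOX_HOST_IF:-veth-$NS}"   # veth end that stays in the default namespace
NS_IF="${NSBOX_NS_IF:-veth0}"          # veth end moved into the namespace
HOST_ADDR="${NSBOX_HOST_ADDR:-10.200.1.1}"
NS_ADDR="${NSBOX_NS_ADDR:-10.200.1.2}"
PREFIX="${NSBOX_PREFIX:-24}"
SUBNET="${NSBOX_SUBNET:-10.200.1.0/$PREFIX}"
EGRESS_IF="${NSBOX_EGRESS_IF:-eth0}"   # the only interface namespace traffic may leave through

# Execute a command, or print it when dry-running.
run() {
    if [ "${NSBOX_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Same, but inside the namespace.
in_ns() { run ip netns exec "$NS" "$@"; }

# nsbox_setup PORTS  (comma-separated TCP destination ports, e.g. "443" or "53,443")
nsbox_setup() {
    ports="$1"

    # 1. Namespace plus a veth pair bridging it to the default namespace.
    run ip netns add "$NS"
    run ip link add "$HOST_IF" type veth peer name "$NS_IF"
    run ip link set "$NS_IF" netns "$NS"
    run ip addr add "$HOST_ADDR/$PREFIX" dev "$HOST_IF"
    run ip link set "$HOST_IF" up
    in_ns ip addr add "$NS_ADDR/$PREFIX" dev "$NS_IF"
    in_ns ip link set lo up
    in_ns ip link set "$NS_IF" up
    in_ns ip route add default via "$HOST_ADDR"

    # 2. Host side: forward and masquerade, so the namespace shares the host's
    #    public address. The FORWARD rules pin egress to $EGRESS_IF only.
    run sysctl -q -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$SUBNET" -o "$EGRESS_IF" -j MASQUERADE
    run iptables -A FORWARD -i "$HOST_IF" -o "$EGRESS_IF" -j ACCEPT
    run iptables -A FORWARD -i "$EGRESS_IF" -o "$HOST_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. Namespace side: default-drop egress, allow loopback and the listed
    #    TCP ports only. Nothing else runs in this namespace, so the policy
    #    affects exactly the processes started with nsbox_run.
    in_ns iptables -P OUTPUT DROP
    in_ns iptables -A OUTPUT -o lo -j ACCEPT
    in_ns iptables -A OUTPUT -o "$NS_IF" -p tcp -m multiport --dports "$ports" -j ACCEPT
}

# nsbox_run CMD...  runs CMD inside the namespace.
nsbox_run() { in_ns "$@"; }

nsbox_teardown() {
    run iptables -D FORWARD -i "$EGRESS_IF" -o "$HOST_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -D FORWARD -i "$HOST_IF" -o "$EGRESS_IF" -j ACCEPT
    run iptables -t nat -D POSTROUTING -s "$SUBNET" -o "$EGRESS_IF" -j MASQUERADE
    run ip netns del "$NS"   # also destroys both veth ends and the namespace's own rules
}

# Subcommand dispatch; with no argument the file only defines the functions.
case "${1:-}" in
    setup)    nsbox_setup "${2:-443}" ;;
    run)      shift; nsbox_run "$@" ;;
    teardown) nsbox_teardown ;;
    "")       ;;
    *)        echo "usage: $0 setup [PORTS] | run CMD... | teardown" >&2; exit 2 ;;
esac
```

Usage: `sudo ./nsbox.sh setup 443`, then `sudo ./nsbox.sh run curl https://example.com`, and `sudo ./nsbox.sh teardown` when done. Two things to check before relying on it: the program inside the namespace can still bind any local port, so anything that must accept inbound connections needs a matching DNAT rule on the host; and name resolution inside the namespace only works if a resolver is reachable over an allowed port (`ip netns exec` will bind-mount `/etc/netns/blue/resolv.conf` over `/etc/resolv.conf` if that file exists, so you can point the namespace at a resolver of your choice).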

* How to make per process firewall ?
  2017-04-19 16:58 ` Stephen Brennan
@ 2017-04-20 17:31   ` Joe Smith
  2017-04-20 17:54     ` Stephen Brennan
  0 siblings, 1 reply; 6+ messages in thread
From: Joe Smith @ 2017-04-20 17:31 UTC (permalink / raw)
  To: kernelnewbies

On Wed, Apr 19, 2017 at 9:58 AM, Stephen Brennan <stephen@brennan.io> wrote:
>> I would like to constrain process (by name) or group of process to specific
>> network interface and to specific port.
>
> This sounds like an excellent use-case for network namespaces [1]. They create
> an entire virtualized network stack within the kernel. This includes everything
> from network devices all the way up to firewall rules. You may create and
> administer namespaces using ip-netns(8). Alternatively, you can simply create
> a new one when you clone(2), by providing CLONE_NEWNET argument.
>
> You can run commands that affect namespaces created by ip-netns(8) using
> `ip netns exec`. If you didn't create a namespace with ip-netns, you can still
> run commands within any process's namespace via the nsenter(1) command, provided
> by util-linux. If you don't have that command (due to outdated util-linux), you
> can implement your own in less than 20 lines of C using the setns(2) system
> call. The manual page even provides a full implementation.
>
> In summary, the easiest way, with ip-netns(8), would be:
>
>     ip netns add blue
>
>     ip netns exec blue iptables -nvL
>     # an empty firewall
>
>     ip netns exec blue ip link
>     # just a loopback
>
>     # You'll likely want to create a veth pair, add one end to the "blue" netns,
>     # and then set up routes. You'll have a separate IP address within the
>     # netns, but I don't believe there's any way around that.
>
>     ip netns exec blue iptables -A # your rule here
>
>     ip netns exec blue YOUR-PROGRAMS
>
> Note that this is how Linux containers (e.g. Docker, LXC) work anyway, however,
> they virtualize other components of the kernel too (filesystem, process IDs, and
> much more). If all you want is to virtualize network resources, network
> namespaces are a more direct way to do this than containers, which will
> virtualize the rest as well.
>
> ALTERNATIVE [2]:
>
> You can apparently create iptables rules which match based on PID (not a great
> idea) or by UID/GID (a much better idea). If the overhead of network namespaces
> (veth pairs, new IPs, creating routes) is too much, you could create a user and
> run your processes as this user. Then create iptables rules that match based on
> the user. You do this with the "owner" module, and you can check whether it
> exists on your system by running:
>
>     iptables -m owner
>
> [1]: https://lwn.net/Articles/580893/
> [1]: also `man 7 namespaces`
> [2]: http://stackoverflow.com/questions/4314163/create-iptables-rule-per-process-service
>

I understand the iptables solution. The namespace solution seems
restrictive, it will exclusively allow the IP address to be used in
the namespace that it is hosted in and there is no control over the
port. So if it is OK to dedicate an IP address to a namespace then
fine but it still does not solve the port issue and iptables will have
to be used. So why not just use iptables ?

-- 
JS

^ permalink raw reply	[flat|nested] 6+ messages in thread

* How to make per process firewall ?
  2017-04-20 17:31   ` Joe Smith
@ 2017-04-20 17:54     ` Stephen Brennan
  0 siblings, 0 replies; 6+ messages in thread
From: Stephen Brennan @ 2017-04-20 17:54 UTC (permalink / raw)
  To: kernelnewbies

On Thu, Apr 20, 2017 at 10:31:33AM -0700, Joe Smith wrote:
> On Wed, Apr 19, 2017 at 9:58 AM, Stephen Brennan <stephen@brennan.io> wrote:
[snip]
> I understand the iptables solution. The namespace solution seems
> restrictive,

It depends on how you set it up. If you put your only network interface within
this namespace, then yes, it is a bit restrictive. But if you were to set up a
veth pair, put one end into the namespace and the other in your default
namespace, and then configure NAT so traffic from the veth gets routed out
properly, then everything would still share one IP address.

Yes, this is just as much work as it sounds like, so I can understand why it
doesn't sound like a good idea!

> it will exclusively allow the IP address to be used in
> the namespace that it is hosted in and there is no control over the
> port.

You can control the port using iptables within the namespace. At that point,
it's a simple firewall rule that says "drop any traffic that isn't on this
port". Since no other processes are in the namespace, it only affects the
processes you want to restrict.

> So if it is OK to dedicate an IP address to a namespace then
> fine but it still does not solve the port issue and iptables will have
> to be used. So why not just use iptables ?

The iptables -m owner solution is much simpler, so yeah, probably just use that.
I came up with the network namespace solution because I've recently been doing
*a lot* of work using them. When all you have is a hammer, everything looks like
a nail!

^ permalink raw reply	[flat|nested] 6+ messages in thread
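The `iptables -m owner` alternative that the thread settles on, written out as an added example (not code from the thread or its participants): the constrained program runs as a dedicated user, and a chain in OUTPUT keyed on that user's UID lets its traffic leave only through one interface to the listed TCP ports, rejecting everything else. The user name `restricted-app`, the chain name, `eth0` and the `OWNERFW_*` variables are assumptions made for this example. As with any rule set, `OWNERFW_DRY_RUN=1` prints the commands instead of executing them.

```shell
#!/bin/sh
# ownerfw.sh: per-process firewall without namespaces, using iptables -m owner.
# The constrained program runs as a dedicated UID; OUTPUT rules keyed on that UID
# let its traffic leave only through one interface to the listed TCP port(s).
# The user name "restricted-app", the chain name and eth0 are illustrative
# defaults chosen for this example, not values from the thread.
# OWNERFW_DRY_RUN=1 prints each command instead of executing it (no root needed).

APP_USER="${OWNERFW_USER:-restricted-app}"
EGRESS_IF="${OWNERFW_IF:-eth0}"
CHAIN="${OWNERFW_CHAIN:-OWNERFW_$APP_USER}"   # chain names are limited to 28 characters

# Execute a command, or print it when dry-running.
run() {
    if [ "${OWNERFW_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# True if the running kernel and iptables provide the owner match.
ownerfw_have_owner_match() {
    iptables -m owner --help >/dev/null 2>&1
}

# ownerfw_rules PORTS  (comma-separated TCP destination ports)
ownerfw_rules() {
    ports="$1"
    # A dedicated chain keeps the policy in one place and makes teardown exact.
    run iptables -N "$CHAIN"
    run iptables -A "$CHAIN" -o lo -j ACCEPT
    run iptables -A "$CHAIN" -o "$EGRESS_IF" -p tcp -m multiport --dports "$ports" -j ACCEPT
    run iptables -A "$CHAIN" -j REJECT --reject-with icmp-admin-prohibited
    # The owner match only sees locally generated packets, so the jump lives in
    # OUTPUT (or nat/POSTROUTING), never in INPUT or FORWARD.
    run iptables -I OUTPUT 1 -m owner --uid-owner "$APP_USER" -j "$CHAIN"
}

ownerfw_setup() {
    run useradd --system --no-create-home --shell /usr/sbin/nologin "$APP_USER"
    ownerfw_rules "$1"
}

# ownerfw_run CMD...  every socket CMD creates carries $APP_USER's UID.
ownerfw_run() {
    run runuser -u "$APP_USER" -- "$@"
}

ownerfw_teardown() {
    run iptables -D OUTPUT -m owner --uid-owner "$APP_USER" -j "$CHAIN"
    run iptables -F "$CHAIN"
    run iptables -X "$CHAIN"
}

# Subcommand dispatch; with no argument the file only defines the functions.
case "${1:-}" in
    setup)    ownerfw_setup "${2:-443}" ;;
    run)      shift; ownerfw_run "$@" ;;
    teardown) ownerfw_teardown ;;
    "")       ;;
    *)        echo "usage: $0 setup [PORTS] | run CMD... | teardown" >&2; exit 2 ;;
esac
```

Usage: `sudo ./ownerfw.sh setup 443`, `sudo ./ownerfw.sh run /path/to/program`, `sudo ./ownerfw.sh teardown`. The match is on the UID that owns the socket, not on a process name, so the policy holds only as long as the program cannot change UID (no setuid helpers, no CAP_SETUID) and does not hand its traffic to another daemon running as a different user, such as a local stub resolver or proxy. It also only covers packets the host generates: a listening socket cannot be restricted this way in INPUT, which is where the namespace approach earns its extra setup. IPv6 needs the same chain in ip6tables, and on nftables the equivalent key is `meta skuid`.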
