Linux – Bind Process or User to Specific IP on Linux

debian, ip, iptables, linux

I have 3 non-root users on my server, and I want to give each of them a different IP address (I have multiple IPs on one network interface). For example, user1 will have 192.168.1.2, user2 – 192.168.1.3 and so on. Or, if it's impossible, how can I bind a specific process to a given IP address (I suggest that it's possible to do with iptables, but how?). Thanks.

Best Answer

iptables -t nat -A POSTROUTING -m owner --uid-owner user1 -j SNAT --to-source 192.168.1.2
iptables -t nat -A POSTROUTING -m owner --uid-owner user2 -j SNAT --to-source 192.168.1.3
iptables -t nat -A POSTROUTING -m owner --uid-owner user3 -j SNAT --to-source 192.168.1.4

It is your responsibility to make sure that (a) you are not otherwise using the POSTROUTING nat chain, so these rules don't conflict with anything else, and (b) all these IP addresses are present on your NIC (you won't hear many replies otherwise).

This will also only affect traffic originating locally from processes owned by these users. If these users are setting up network listening daemons, a different approach will be needed to handle replies, and if the server is acting as a router, this will not work; but you did not say that either of these circumstances applied, so I have not addressed the issues.
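The answer leaves two things to the reader: making sure each address is actually configured on the NIC, and not piling up duplicate rules in the nat POSTROUTING chain. The script below is an added example (not code from the answer above) that applies the same owner-match SNAT rules from a small user-to-IP mapping, checking that the user exists (`getent passwd`), that the address is well-formed, and that it is present on a local interface (`ip -o -4 addr show`) before touching iptables, and using `iptables -C` so re-running it is idempotent. The mapping values are the ones from the question; `getent`, `ip` and `iptables` are assumed to be available, and the rules are only installed when run as root with `APPLY=1`.

```shell
#!/bin/sh
# Added example, not part of the original answer: generate and (optionally)
# install per-user SNAT rules with the checks the answer asks the reader to do.

# Constructed mapping, one "user ip" pair per line (addresses from the question).
MAPPING='user1 192.168.1.2
user2 192.168.1.3
user3 192.168.1.4'

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit chars, leading/trailing/double dots
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Rule specification (everything after -A/-C) for user $1 and source IP $2.
rule_spec() {
    printf 'POSTROUTING -m owner --uid-owner %s -j SNAT --to-source %s' "$1" "$2"
}

# Return 0 if address $1 is configured on some local interface.
ip_present() {
    ip -o -4 addr show | grep -q " inet $1/"
}

# Add the rule for user $1 / IP $2 unless it already exists (idempotent re-runs).
apply_rule() {
    spec=$(rule_spec "$1" "$2")
    if iptables -t nat -C $spec 2>/dev/null; then
        echo "rule for $1 already present, skipping"
    else
        iptables -t nat -A $spec
    fi
}

# Validate every mapping line and print the command that would be run;
# with APPLY=1 (as root) also install the rule.
main() {
    printf '%s\n' "$MAPPING" | while read -r user ip; do
        [ -n "$user" ] || continue
        if ! getent passwd "$user" >/dev/null 2>&1; then
            echo "skip: user $user does not exist" >&2; continue
        fi
        if ! valid_ipv4 "$ip"; then
            echo "skip: $ip is not a valid IPv4 address" >&2; continue
        fi
        if ! ip_present "$ip" 2>/dev/null; then
            echo "skip: $ip is not configured on any interface" >&2; continue
        fi
        echo "iptables -t nat -A $(rule_spec "$user" "$ip")"
        if [ "${APPLY:-0}" = 1 ]; then
            apply_rule "$user" "$ip"
        fi
    done
}

main "$@"
```

Run it once without `APPLY` to see which users and addresses pass the checks, then `APPLY=1 sh bind-ip.sh` as root to install the rules. Because `-C` is tried before `-A`, running it again after adding a user to the mapping adds only the new rule.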