
I'm trying to mimic the Windows firewall to define rules by software.

So a software has access to internet only if started by a specific group. I can then create a .sh file for each program that I want to access internet. By following this question How to control internet access for each program? I'm trying to block all programs access internet if not started by a specific group.

  1. I created a group has-internet (I did not join this group):

sudo addgroup has-internet

  2. Restarted the PC to be sure the new group is well loaded.

  3. Added a rule to iptables that prevents all processes not (!) belonging to the group has-internet from using the network (use ip6tables to also prevent IPv6 traffic):

sudo iptables -A OUTPUT -m owner ! --gid-owner has-internet -j DROP

sudo ip6tables -A OUTPUT -m owner ! --gid-owner has-internet -j DROP

Execute ping somesite.xyz (can't connect GOOD! : )

Execute sudo ping somesite.xyz (can't connect GOOD! : )

Execute sudo -g has-internet ping somesite.xyz (can't connect BAD! : (

What am I doing wrong? Pls Help!!!

EDIT

I tried (just to experiment) to block the group and it works...

sudo iptables -A OUTPUT -m owner --gid-owner has-internet -j DROP

Execute sudo ping somesite.xyz (can connect)

Execute sudo -g has-internet ping somesite.xyz (can't connect)

I don't understand why this way works and the other way round doesn't.... ?


Well, as you seem to know already, in order to allow a list of software out you first need to set the output policy to drop everything:

sudo iptables -P OUTPUT DROP

Then consider adding a rule that would correspond to the one normally present in INPUT table, that is, accepting any sent packet if its connection is already tracked with state of RELATED or ESTABLISHED:

sudo iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Otherwise the further rules would be required to check every packet, but using conntrack for this is at least faster than checking the process owner and group each time.

Then you might desire that self-communication should be allowed. Since you've blocked everything, you'd want loopback output enabled.

sudo iptables -A OUTPUT -o lo -j ACCEPT

Past then, you do as described with creating a group, and create a rule that would filter packets sent by processes of that group, but instead of dropping the packet you accept it:

sudo iptables -A OUTPUT -m owner --gid-owner has-internet -j ACCEPT

Then you do the usual stuff of establishing save-restore for your set of iptables rules. At the very least, sudo iptables -S would do as a makeshift save, but iptables-persistent has been built for convenience.

PS: if you have IPv6 set up in your system, do the same set of commands with ip6tables.
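The steps above collected into one script, as an added example that is not the answer author's code: it emits the OUTPUT-chain ruleset in iptables-restore format so the same text can be loaded atomically into both iptables and ip6tables and dropped into iptables-persistent's rule files. It assumes the group name is passed as the first argument (default has-internet) and that replacing the whole filter table is acceptable.

```shell
# Emit the answer's ruleset in iptables-restore format. Loading it replaces
# the filter table, so every rule in INPUT/FORWARD/OUTPUT is set here.
# Rule order matters: conntrack first (cheap), then loopback, then the
# per-group accept; anything else falls through to the DROP policy.
gen_rules() {
    grp="${1:-has-internet}"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --gid-owner $grp -j ACCEPT
COMMIT
EOF
}

# Count the OUTPUT rules a ruleset carries; a quick check that the text
# generated above is complete before it is handed to the kernel.
count_output_rules() {
    gen_rules "$1" | grep -c '^-A OUTPUT'
}

# The owner match resolves the group name when the rules are loaded, so the
# group must already exist or iptables-restore rejects the whole set.
group_exists() {
    getent group "$1" >/dev/null 2>&1
}

# Apply to IPv4 and IPv6 (the answer's PS) and persist with iptables-persistent
# paths (hypothetical for this host; adjust if your distro stores them elsewhere).
apply_rules() {
    grp="${1:-has-internet}"
    group_exists "$grp" || { echo "group $grp does not exist" >&2; return 1; }
    gen_rules "$grp" | iptables-restore  || return 1
    gen_rules "$grp" | ip6tables-restore || return 1
    gen_rules "$grp" > /etc/iptables/rules.v4
    gen_rules "$grp" > /etc/iptables/rules.v6
}
```

Run apply_rules as root after testing the output of gen_rules; a program is then started with sudo -g has-internet as before, and its replies are let back in by the unchanged INPUT policy.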
