1

My system is Debian 10 with nftables.
The output of nethogs is as below:

? root     192.168.2.10:59100-172.217.27.138:443 
? root     192.168.2.10:59086-172.217.27.138:443 
? root     192.168.2.10:59082-172.217.27.138:443 
? root     192.168.2.10:59062-172.217.27.138:443 
? root     192.168.2.10:59058-172.217.27.138:443 
? root     192.168.2.10:59054-172.217.27.138:443 
? root     192.168.2.10:59030-172.217.27.138:443 
? root     192.168.2.10:59026-172.217.27.138:443
? root     192.168.2.10:42314-27.19.249.194:443  
? root     192.168.2.10:49788-216.58.200.234:443 

I ran `ss -pl | grep 59100` but got nothing, so I plan to block all root processes from making network connections.
How do I do it?

kittygirl
  • This seems like *an XY problem*. If I get it right, you don't understand what these connections are and try to solve it simply by blocking them. But there's a problem with this approach: root might need Internet access for e.g. system updates, and if there are malicious connections from root, it's already game over. – Esa Jokinen Jul 16 '21 at 05:56
  • @EsaJokinen, I want to block root all the time, except for updates. – kittygirl Jul 16 '21 at 06:36

1 Answer

2

With iptables, this would be rather easy with the owner match extension:

sudo iptables -A OUTPUT -p all -m owner --uid-owner 0 -j DROP

Likewise, nftables has matching by socket UID / GID:

sudo nft add rule filter output meta skuid 0 counter drop
Esa Jokinen
  • I added `log prefix "drop root: " meta skuid 0 counter drop` to the nftables rule, and it seemed to work fine. PS: What's the meaning of `meta`? – kittygirl Jul 16 '21 at 09:15
  • Could I use `!` or `not` to let only one user pass, such as `log prefix "drop root: " meta ! skuid 1000 counter drop`? – kittygirl Jul 16 '21 at 09:21
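The following is an added example, not code from the answer or its comments: a small shell helper that generates a complete nftables ruleset around the `meta skuid` match from the answer, in either the "drop root" form or the "only one UID may pass" form asked about in the comments (nft writes negation as `!=`, not `!`). The table name `root_egress` is an assumption; the `nft` calls need root, the generator does not.

```shell
#!/bin/sh
# Added example (not from the original answer): build and load an nftables
# ruleset that filters outbound traffic by the UID owning the sending socket.
# Table name "root_egress" is an assumption; "meta skuid" is the answer's match.

build_ruleset() {
    # $1: "root" drops everything root sends; "only" lets only UID $2 out.
    mode=${1:-}; allowed=${2:-}
    case $mode in
        root) rule='meta skuid 0 log prefix "drop root: " counter drop' ;;
        only)
            [ -n "$allowed" ] || { echo "only: UID required" >&2; return 2; }
            # nft negation is "!=" (the iptables-style "!" is a syntax error)
            rule="meta skuid != $allowed log prefix \"drop non-$allowed: \" counter drop" ;;
        *) echo "usage: build_ruleset root|only [uid]" >&2; return 2 ;;
    esac
    cat <<EOF
# declare-then-delete makes reloads idempotent instead of appending rules
table inet root_egress
delete table inet root_egress
table inet root_egress {
    chain output {
        # "meta" selects packet metadata; skuid is the UID that owns the
        # sending socket. Packets without a socket (kernel-generated) match
        # no skuid rule and fall through to the chain policy.
        type filter hook output priority 0; policy accept;
        oifname "lo" accept
        $rule
    }
}
EOF
}

apply_ruleset() {
    # Reads a ruleset from stdin and syntax-checks it (nft -c) before loading.
    tmp=$(mktemp) || return 1
    cat >"$tmp"
    nft -c -f "$tmp" && nft -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Load with `build_ruleset root | apply_ruleset` (or `build_ruleset only 1000 | apply_ruleset`); in `root` mode Debian's `apt` keeps working because its download methods run as the unprivileged `_apt` user, while anything root itself sends, DNS lookups included, is logged and dropped.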