
On our Ubuntu machine I have attempted to block internet access to one of the user accounts by adding the following line to /etc/network/interfaces:

pre-up iptables -A OUTPUT -p tcp -m owner --uid-owner 1001 -j DROP

This works well except somehow Youtube and other Google properties are not blocked.

I'm not an expert in iptables, but I assumed the above command would drop all outgoing requests from the specified user. Is there something special about Google properties that would somehow cause them to be exempted?

For reference here is my iptables list:

$ sudo iptables --list

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere             owner UID match ****
spencerrecneps

  • This can easily be circumvented by tunneling TCP over another protocol, BTW. – Jörg W Mittag Sep 22 '19 at 10:14
  • Is there any chance your Internet connection is IPv6 enabled? That would not be blocked by an iptables rule. – penguin359 Sep 23 '19 at 04:51
  • Note that this will soon start applying to *many* more sites, not just Google and YouTube. Today Cloudflare announced that they have support for HTTP/3, Mozilla announced that Firefox will have support very soon, and it's only a matter of time before lots of others join in. HTTP/3 is based on Google's QUIC protocol and also runs over UDP, so it has the same issue. – Moshe Katz Sep 26 '19 at 18:34

1 Answer

Is the user using Chrome/Chromium? If so, the browser is most likely using QUIC for those sites, and that protocol uses UDP as the transport.

You can block UDP ports 80 and 443 to solve it.

Eduardo Trápani (edited by gsc)
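The following script is an added example, not code from the question or the answer above. It generates the rule set that closes the gaps discussed on this page: the original rule only matched TCP, so QUIC/HTTP/3 (UDP 80 and 443, as the answer points out) and IPv6 traffic (as the comment notes) passed through. It assumes a numeric UID, that iptables and ip6tables are installed, and it only prints the commands unless APPLY=1 is set, so it can be reviewed without root. Mode "quic" reproduces the answer's narrow fix (UDP 80/443 only); mode "all" drops every outbound TCP and UDP packet for the user on both IPv4 and IPv6, which is what the question's intent ("block internet access") actually needs.

```shell
#!/bin/sh
# Added example (not from the original post). Builds owner-match rules for
# one local UID on both iptables and ip6tables. Assumption: the UID is
# numeric. Commands are printed (dry run) unless APPLY=1 is set.

# Usage: build_rules <uid> <all|quic>
#   all  - drop all outbound TCP and UDP from the user (IPv4 and IPv6)
#   quic - drop only UDP 80/443 (the QUIC/HTTP-3 hole from the answer)
build_rules() {
    uid=$1
    mode=${2:-all}
    case "$uid" in
        ''|*[!0-9]*) echo "build_rules: UID must be numeric" >&2; return 1 ;;
    esac
    case "$mode" in
        all|quic) ;;
        *) echo "build_rules: mode must be 'all' or 'quic'" >&2; return 1 ;;
    esac
    # The owner match only exists in the OUTPUT chain (locally generated
    # packets), so a separate ip6tables rule is needed for IPv6.
    for tool in iptables ip6tables; do
        if [ "$mode" = all ]; then
            # Rate-limited log line before the drops, for troubleshooting.
            echo "$tool -A OUTPUT -m owner --uid-owner $uid -m limit --limit 5/min -j LOG --log-prefix \"uid$uid-drop: \""
            echo "$tool -A OUTPUT -p tcp -m owner --uid-owner $uid -j DROP"
            # Dropping all UDP also covers DNS (53) and QUIC (80/443).
            echo "$tool -A OUTPUT -p udp -m owner --uid-owner $uid -j DROP"
        else
            echo "$tool -A OUTPUT -p udp --dport 80 -m owner --uid-owner $uid -j DROP"
            echo "$tool -A OUTPUT -p udp --dport 443 -m owner --uid-owner $uid -j DROP"
        fi
    done
}

# Runs the generated commands; requires root. Usage: apply_rules <uid> <mode>
apply_rules() {
    build_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
}

# Dry run by default: APPLY=1 ./block-uid.sh 1001 all
if [ "${APPLY:-0}" = 1 ]; then
    apply_rules "$@"
else
    build_rules "${1:-1001}" "${2:-all}"
fi
```

The printed lines can be pasted as additional pre-up entries in /etc/network/interfaces, as the question does, or into whatever rule persistence mechanism the host uses. After applying, `sudo iptables -L OUTPUT -v` and `sudo ip6tables -L OUTPUT -v` should each show the DROP rules with rising packet counters when the user generates traffic; an iptables rule alone, as the comment notes, never sees IPv6 packets.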