
I am running a docker image of Linux and trying to achieve following:

  1. Run a docker
  2. Create a user test
  3. Stop the user test from internet access

1 and 2 work but I am stuck at #3.

What I tried:

  1. Run iptables -t mangle -A OUTPUT -o eth0 -m owner --uid-owner 501 -j DROP. This command failed with the error message "getsockopt failed strangely: Operation not permitted". I was unable to find the root cause.
  2. Change the sudoers file and add an entry test ALL=!/bin/ping. This was to see if I am able to stop user test from running the ping command. However, this change in the sudoers file had no effect and user test was able to run the ping command. Assuming this would work, my intent was to play around with sudoers to achieve my goal.

Is there a recommendation or suggestion to solve this problem?

Mark Setchell
Saurabh
  • Did you try the above steps with `-priviledged` mode? Or try `iptables -A OUTPUT -m owner --uid-owner test -j REJECT` as the root user. – Aditya Pawaskar May 19 '18 at 07:00
  • Try it using `docker exec --privileged iptables` ... – Ari Apr 25 '21 at 19:21
  • You should need: docker run --cap-add NET_ADMIN my_container (the capability NET_ADMIN is required to use the iptables command), because docker requires the network card of the host. PS: make sure you read up on this capability before enabling it. – daniel reis Nov 02 '21 at 15:24

1 Answer

To block all internet access for a certain user, use the iptables command:

sudo iptables -A OUTPUT -m owner --uid-owner {USERNAME} -j REJECT

If you want this command to run when the system starts up, you should add it to the end of your /etc/rc.local file.

Command to reverse the above:

sudo iptables -D OUTPUT -m owner --uid-owner {USERNAME} -j REJECT

or you can reboot. Unless you've added the line to /etc/rc.local, it's not persistent, and if you have, then you can just remove that line.

You can read more.

Aditya Pawaskar
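The answer's one-line rule and the comments' point about NET_ADMIN combine into the following script. It is an added example, not code from the question, the answer or Docker's documentation. It assumes the container was started with `docker run --cap-add NET_ADMIN` (or `--privileged`), that `iptables` is installed in the image, and that the user to block already exists; the `IPTABLES` variable, the function names and the `example.com` probe are my own choices. It makes the rule idempotent (checked with `-C` before `-A`), resolves the user name to a uid once, and shows how to confirm the block from the user's own shell.

```sh
#!/bin/sh
# Added example (not from the original post): block one Linux user's outbound
# traffic inside a Docker container with the iptables "owner" match.
#
# Assumed launch (the comments on the question point at this requirement):
#   docker run --cap-add NET_ADMIN -it my_image
# Without CAP_NET_ADMIN iptables cannot open the netfilter socket and fails
# with "Operation not permitted"; running with sudo inside the container does
# not help, because the missing capability is enforced by the kernel, not by
# the uid.
#
# IPTABLES is a hook so the functions can be exercised against a stand-in
# binary or shell function; leave it unset to use the real iptables.
IPTABLES=${IPTABLES:-iptables}

# Print the chain plus match/target arguments for a user's egress rule.
# The owner match only exists for locally generated packets, i.e. the OUTPUT
# chain; it cannot filter FORWARD traffic from other containers.
# REJECT (rather than DROP) gives the user's programs an immediate error
# instead of a hanging connection.
egress_rule() {
    uid=$(id -u "$1") || return 1
    echo "OUTPUT -m owner --uid-owner $uid -j REJECT"
}

# Idempotent add: -C exits 0 when an identical rule is already present, so
# the rule is appended only once even if the script runs at every start.
# Word splitting of $rule is intentional (it is an argument list).
block_user_egress() {
    rule=$(egress_rule "$1") || return 1
    # shellcheck disable=SC2086
    "$IPTABLES" -C $rule 2>/dev/null || "$IPTABLES" -A $rule
}

# Remove the rule again; exits non-zero if it was not present.
unblock_user_egress() {
    rule=$(egress_rule "$1") || return 1
    # shellcheck disable=SC2086
    "$IPTABLES" -C $rule 2>/dev/null && "$IPTABLES" -D $rule
}

# Exit 0 if the user can no longer reach an outside host. Runs the probe as
# the blocked user (su -s works with both util-linux and busybox su).
verify_blocked() {
    ! su -s /bin/sh "$1" -c \
        'timeout 5 wget -q -O /dev/null http://example.com/' 2>/dev/null
}

# Typical use from the container's entrypoint. Container iptables state lives
# in the container's network namespace and is gone after a restart, so the
# rule must be re-applied on every start; an /etc/rc.local is not consulted
# by a container that does not run an init system.
#   block_user_egress test && verify_blocked test && echo "test is offline"
```

Verification matters here: with the owner match in OUTPUT, root and every other user keep their connectivity, so a quick probe as the blocked user (and one as another user) confirms both halves of the intent.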