
I want the user who starts the listening process on the port on the loopback interface to be the only user who can connect to this port. Reserving the port. No authentication.

I want other users to be able to do the same on any available loopback ports.

Is there any mechanism such as selinux or apparmor capable of achieving this?

[EDIT] Just to clarify, the scenario is cntlm on a multi-user machine. Each user is using cntlm to authenticate against a proxy with their own credentials to a unique port on the loopback interface. I'm trying to find a way to isolate this so users can't use each other's proxy connections.

2 Answers

2

If by loopback you mean a network connection only to localhost, consider AF_UNIX sockets. AKA UNIX domain sockets. AKA that non-IP way you can connect to PostgreSQL or MySQL databases.

On Linux, this has the advantage of respecting file permissions. Without write access to the socket as your user, it will not work. Probably, this behavior isn't standardized.

IP networks do not carry the operating system user ID of who made the packet. Maybe in a nftables firewall rule you can filter on uid, but only in a host firewall, for local sockets. Better would be some authentication protocol.

John Mahowald
  • 36,071
0

Iptables does exactly what I wanted to do. Here's an iptables example that I've tested and works. I just need to write a wrapper to sandwich the cntlm command in the iptables commands. I could call it lunch.sh

# To reserve port 7777 on lo to a user "foo"
# -I inserts at the top of OUTPUT, so insert DROP first; the ACCEPT rule
# inserted afterwards then sits above it and is evaluated first.
iptables -I OUTPUT -o lo -p tcp --dport 7777 -j DROP
iptables -I OUTPUT -o lo -p tcp --dport 7777 -m owner --uid-owner foo -j ACCEPT

To release the port

iptables -D OUTPUT -o lo -p tcp --dport 7777 -m owner --uid-owner foo -j ACCEPT
iptables -D OUTPUT -o lo -p tcp --dport 7777 -j DROP
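The wrapper the answer talks about, written out here as an added example rather than the asker's own script. It assumes the wrapper itself runs as root (iptables needs that), that util-linux `runuser` is available (`sudo -u` works as well), and the name `reserve-port.sh` is a placeholder.

```shell
#!/bin/sh
# reserve-port.sh (hypothetical name): run COMMAND as USER while only USER's
# processes may connect to TCP PORT on lo, then remove the rules again.
# Usage (as root): reserve-port.sh PORT USER COMMAND [ARGS...]
#   e.g. reserve-port.sh 7777 foo cntlm -f -l 7777
# Set IPTABLES=echo to print the rules instead of applying them.
set -eu

IPTABLES="${IPTABLES:-iptables}"

# Insert the rules. -I puts each rule at the top of OUTPUT, so the DROP rule is
# inserted first and the ACCEPT rule ends up above it, where it must be.
# Note: this limits who may *connect* to the port; it does not stop another
# user from bind()ing the port first, and it also drops root's own connections.
reserve_port() {
    port="$1"; user="$2"
    "$IPTABLES" -I OUTPUT -o lo -p tcp --dport "$port" -j DROP
    "$IPTABLES" -I OUTPUT -o lo -p tcp --dport "$port" -m owner --uid-owner "$user" -j ACCEPT
}

# Delete the rules, ACCEPT first so there is no window in which the port is
# open to everyone. Failures are tolerated so a half-applied reservation
# (e.g. the ACCEPT insert failed) is still cleaned up.
release_port() {
    port="$1"; user="$2"
    "$IPTABLES" -D OUTPUT -o lo -p tcp --dport "$port" -m owner --uid-owner "$user" -j ACCEPT || :
    "$IPTABLES" -D OUTPUT -o lo -p tcp --dport "$port" -j DROP || :
}

main() {
    port="$1"; user="$2"; shift 2
    # Arm the cleanup before touching iptables so an error midway still releases;
    # signals are routed through the EXIT trap so cleanup runs exactly once.
    trap 'release_port "$port" "$user"' EXIT
    trap 'exit 130' INT TERM
    reserve_port "$port" "$user"
    # Drop privileges to USER for the wrapped command (assumes util-linux runuser).
    runuser -u "$user" -- "$@"
}

# Only run the wrapper when invoked with arguments, so the functions can be sourced.
if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

The rules live only in the running kernel; they are gone after a reboot, which is what you want here since the wrapper re-creates them every time.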