I am trying to set up a user that runs a Python application without any internet connection, while all other users are allowed to use the internet.
This "user" should be isolated from all activity. I am using "nftables" on "Arch Linux".
My configuration is as follows:
Loaded with `nft -f ./blockhim.nft`; the file contains:

```nft
# user = blockbob 1007
table inet blockhim {
    chain input {
        type filter hook input priority filter; policy drop;
        # accept only packets conntrack classes as replies to tracked connections
        ct state established,related counter accept
    }
    chain output {
        type filter hook output priority filter; policy accept;
        # "ip protocol tcp" matches IPv4 TCP only; skuid is the UID owning the sending socket
        ip protocol tcp meta skuid "blockbob" reject
    }
}
```
Output of `nft -s list ruleset`:

```nft
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state invalid drop comment "early drop of invalid connections"
        ct state { established, related } accept comment "allow tracked connections"
        iifname "lo" accept comment "allow from loopback"
        ip protocol icmp accept comment "allow icmp"
        meta l4proto ipv6-icmp accept comment "allow icmp v6"
        tcp dport 22 accept comment "allow sshd"
        meta pkttype host limit rate 5/second counter reject with icmpx admin-prohibited
        counter
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}
table inet blockhim {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related counter accept
    }
    chain output {
        type filter hook output priority filter; policy accept;
        ip protocol tcp meta skuid 1007 reject with icmp port-unreachable
    }
}
```
I have IPv6 and IPv4 LAN and WAN networks on Arch Linux 5.15.15-1-lts and have just installed "nftables".
Results
- "OK USER" is allowed all connections (e.g. curl, chrome) except "PING" connections (e.g. ping google.com)
- "blockhim": all connections are blocked
- connections feel slightly delayed
Why is PING blocked for the "OK USER", showing "IPv6 Destination unreachable: Address unreachable"?
The command "sudo nft -e flush ruleset" puts everything back to normal.
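A reduced ruleset for the same goal, added here as an editor's example; it is not part of the original post. It leaves the `inet filter` table from the listing above untouched and adds an output chain only, so input filtering stays with the one chain that already accepts loopback, ICMP and ICMPv6. Two base chains registered on the same hook are both evaluated for every packet, and a drop verdict in either is final, so the extra `blockhim` input chain with `policy drop` overrides the accepts in `inet filter` for anything conntrack does not class as established or related, which includes the ICMPv6 neighbour discovery messages IPv6 depends on. The match is `meta skuid` on its own: `ip protocol tcp` matches IPv4 TCP only, whereas the socket-UID match applies to IPv4, IPv6 and every transport. UID 1007 is the `blockbob` account from the post; the file name is an assumption.

```nft
# Editor's example, not the poster's file. Assumed file name: blockhim.nft
# Syntax check: nft -c -f blockhim.nft    Load: nft -f blockhim.nft
# The existing "inet filter" table keeps handling input; this table filters output only.
table inet blockhim {
    chain output {
        type filter hook output priority filter; policy accept;

        # Keep the host itself reachable for the blocked user (local services, stub resolver).
        # Remove this line if loopback traffic should be blocked as well.
        oifname "lo" accept

        # Match on the UID that owns the sending socket, for every protocol and both
        # IP families. "ip protocol tcp" would restrict this to IPv4 TCP only.
        # UID 1007 is the "blockbob" account from the post. Use "drop" instead of
        # "reject" if the application should time out rather than fail immediately.
        meta skuid 1007 counter reject

        # Traffic from every other user is untouched (policy accept).
    }
}
```

To check the result, run `sudo -u blockbob curl -4 https://example.org` and the same with `-6` (both should fail at once), then as an unrestricted user `ping -6 google.com` (should now answer), and watch the `counter` on the skuid rule grow in `nft list ruleset`.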