I am running a docker image of Linux and trying to achieve following:
Run a docker
Create a user test
Stop the user test from internet access
1 and 2 work but I am stuck at #3.
What I tried?
Run iptables -t mangle -A OUTPUT -o eth0 -m owner --uid-owner 501 -j DROP. This command failed with error message "getsockopt failed strangely: Operation not permitted". I was unable to find the root cause
Change the sudoer file and add an entry test ALL=!/bin/ping. This was to see if I am able to stop user test from running ping command. However, this change in sudoer file had no affect and user test was able to run ping command. Assuming this would work, my intent was to play around with sudoer to achieve my goal
Is there a recommendation or suggestion to solve this problem?
To block all internet access for a certain users using iptables command.
sudo iptables -A OUTPUT -m owner --uid-owner {USERNAME} -j REJECT
If you want this command to run when the system starts up, you should add it to the end of your /etc/rc.local file.
command to reverse above:
sudo iptables -D OUTPUT -m owner --uid-owner {USERNAME} -j REJECT
or you can reboot. Unless you've added the line to /etc/rc.local, it's not persistent, and if you have, then you can just remove that line.
you can read more
Related
I need to execute this command on Linux server.
string command = $"sudo iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport {port} -j ACCEPT";
When I run the app in VirtulBox, the terminal asks me for a password.
Will this also happen on the server? I can't login to the server and don't know the password.
How can I run the command so that it does not ask for password?
Login to the terminal as root. Make a backup of your /etc/sudoers file.
# cp /etc/sudoers /root/sudoers.bak
Then edit this file by using the visudo command:
# visudo
Edit or append this line, replacing username with the user that will be running your script:
username ALL = NOPASSWD: /usr/sbin/iptables
Save and exit the file.
Test it by executing sudo, from your user account:
$ sudo iptables -V
Now your user can use sudo to execute the iptables command.
If you whant to do this from Linux machine:
You can writ a script with:
sshpass -p "PASSWORD" user#server
and give only execute premition.
I'm trying to set docker up on a new system, and when running docker info I get:
docker -v
=> Docker version 18.09.5, build e8ff056
docker info
=> Got permission denied while trying to connect to the Docker daemon
socket at unix:///var/run/docker.sock: Get
http://%2Fvar%2Frun%2Fdocker.sock/v1.39/info: dial unix
/var/run/docker.sock: connect: permission denied
Following the docs, I've tried:
sudo usermod -a -G docker $USER
Which returns no output. When I then run groups:
groups
=> mark adm cdrom sudo dip plugdev lpadmin sambashare
I can see a docker group exists:
less /etc/group | grep docker
=> docker:x:131:mark
And can see that it owns a socket running where the error message states:
ls -la /var/run/ | grep docker
=>
drwx------ 5 root root 120 May 25 14:54 docker
-rw-r--r-- 1 root root 5 May 25 14:54 docker.pid
srw-rw---- 1 root docker 0 May 25 14:54 docker.sock
So why can't I add myself to that group with sudo usermod -a -G docker $USER ?
You need to reload your shell in order to make the changes take effect.
Often you need to reboot your shell process and possibly even restart your computer.
e.g
sudo usermod -aG docker $USER
sudo reboot
See #4Z4T4R answer and give a thumbs
https://stackoverflow.com/a/66297855/7961500
Load changes without quitting your shell
To avoid starting a new shell you can run. (Doesn't seem to work for all environments)
exec su -l $USER
This will create a new subshell with the loaded changes and replace your current shell with it.
If nothing else is working for you.
Another way if you just need to get it working now, is to change your primary group. This is only a temp solution as with any new shell you will need to apply it again.
export my_group=$(id -gn)
newgrp docker
newgrp $my_group
Documentation
You can also look at the offical documentation here
https://docs.docker.com/engine/install/linux-postinstall/
In my case, on Ubuntu 20.04, run sudo reboot after this command:
$ sudo usermod -aG docker $USER
I literally needed to reboot my operating system (and machine) for the change to take effect. Restarting/reloading the bash session did not apply the new setting.
Sure, newgrp docker does the trick "on the fly" without restart/reboot/re-anything... but once the session terminates, POOF you're not in the docker group any longer.
Added this as a formal answer bc it genuinely solved the OP's---and my (identical)---problem.
Credit should go to #Omari Celestine for the suggestion, but because I suck at interpretation, I (and maybe you) need the literal disambiguation that this answer provides.
Its a two step process technically. Run
sudo usermod -aG docker $USER
then,
sg docker -c "bash"
Change the permissions on the /var/run/docker.sock file and restart docker process.
sudo chown jenkins:jenkins /var/run/docker.sock
sudo 644 /var/run/docker.sock
Then,
sudo service docker restart
Before running $docker info, Please make sure that the docker service up.
If not pls start the service by running below command.
$service docker start
Now you check the $docker info
I have an embedded Linux firmware running on a home router. When I run the following commands one by one from the terminal as root, it works without any errors and serves my purpose. I know this is not a secure policy. This is only to test something.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -A INPUT -p tcp -i eth1 --dport 4444 -j ACCEPT
However, when this is run in a bash script as root as below,
#!/bin/bash
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -A INPUT -p tcp -i eth1 --dport 4444 -j ACCEPT
it gives the following error:
iptables: Bad policy name. Run `dmesg' for more information.
iptables: Bad policy name. Run `dmesg' for more information.
iptables: Bad policy name. Run `dmesg' for more information.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
I have confirmed that the last line of bash script executes without errors and the entry can be seen in iptables. However, all the other lines throw an error. What am I doing wrong? Surprisingly, the same batch script works fine on my Ubuntu machine.
Did you create the script in Windows, or in some other way that gave it Windows line endings (CRLF) where the router is expecting Unix line endings (LF)?
That would lead to the interpreter reading an extra unprintable character on the end of each of the commands, which would give the errors shown.
You can check by running cat -v myScript.sh. Incorrect Windows line endings will show as:
iptables -P INPUT ACCEPT^M
iptables -P FORWARD ACCEPT^M
iptables -P OUTPUT ACCEPT^M
iptables -F^M
iptables -X^M
iptables -A INPUT -p tcp -i eth1 --dport 4444 -j ACCEPT
I am trying to access a ISCSI drive on a machine with IP 1.0.0.13 (hostname store.blue.com). The machine in which I am trying to create connection has the IP 1.0.0.11 (Hostname: loc1.blue.com). From loc1.blue.com I could discover the iqn but not able to login due to below error.
[root#loc1 ~]# iscsiadm -m discovery -t sendtargets -p store.blue.com
1.0.0.13:3260,1 iqn2015-04.com.blue:store.target1
[root#loc1 ~]# iscsiadm -m node -targetname iqn2015-04.com.blue:store.target1 -p 1.0.0.13 -login
iscsiadm: can not recognize operation: 'gin'
At first I open ports for ISCSI 3260 & 860 and tried the connection but that didn't help. So I stopped iptables service and disabled firewall on both machines. Still I get the same error.
Please advise.
Your syntax is wrong - it's not -login, it's -l or --login (note the two dashes):
# iscsiadm -m node --targetname iqn2015-04.com.blue:store.target1 -p 1.0.0.13 --login
The syntax was incorrect. It should have been --targetname. Complete statement is as follows.
iscsiadm --mode node --targetname iqn2015-04.com.blue:store.target1 --portal store.blue.com:3260 --login
I am trying to add iptable rules from a rules file rather than shell. This is what I have tried, but it doesn't seem to take any sort of effect. Is there something wrong with the way I am setting it up?
iptables.rules
IPT="/sbin/iptables"
# Flush old rules, old custom tables
$IPT --flush
$IPT --delete-chain
# Set default policies for all three default chains
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
iptables
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules
Shell commands
ln -s $HOME/config/iptables.rules /etc/iptables.up.rules
ln -s $HOME/config/init/iptables /etc/network/if-pre-up.d/iptables
chmod +x /etc/network/if-pre-up.d/iptables
See the post by miguimon at https://bbs.archlinux.org/viewtopic.php?pid=636996
This is basically a shell script that you can use to enable/disable the firewall rules in the script. Then, you can run the script from the command line, or from /etc/rc.local.