Block specific apps' outgoing traffic

Questions about Wine on Linux
kktsuri
Level 2
Posts: 17
Joined: Mon Jun 30, 2014 12:31 pm

Block specific apps' outgoing traffic

Post by kktsuri »

Hey all,

I've been posting this on other boards and came up with a pretty good solution, but I'm still not sure how WINE exactly works with networking, whether wineserver is involved, etc., so that's why I'm posting it here.

What I want to do is simple: restrict most apps I run in wine to not have internet access (well, not outgoing anyway), with a couple others having internet access. For the sake of an example, let's say Firefox in WINE should have access, but Foo and Bar should not.

So, I make two users, let's call them userA and userB. I use iptables to set a rule for userA and block all outgoing traffic:

iptables -I OUTPUT -o eth0 -m owner --uid-owner userA -j DROP
Then I simply log in as this user for most of my apps. When I need to run Firefox in WINE, as mentioned in the example, I just run it under userB with a different WINEPREFIX so that it uses a different wineserver.

Is that enough, or do I need to do something else to block all traffic from userA? What I mean is whether some apps can get around this in some way or not. The apps are designed to run under Windows, so of course they aren't aware they run on a Linux system, so let's assume that they don't use such info to "break out".

I hope this is enough. Thanks.
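The owner-match approach from the post above, written out as an added example (this is not kktsuri's script and not part of the original thread). It assumes a Linux host with iptables and ip6tables installed; "userA" is only the placeholder account name from the post. Two things a practitioner would change relative to the one-line rule: the rule is not pinned to eth0, so it still holds if the interface is eth1 or wlan0, and IPv6 gets the same treatment, since a single IPv4 rule leaves an IPv6-capable app a way out. Loopback is allowed explicitly so wineserver and localhost-only apps keep working, and REJECT is used instead of DROP so a blocked socket fails immediately rather than retrying into a timeout.

```sh
#!/bin/sh
# Added example, not kktsuri's script: a per-user egress block that does not
# depend on the interface name (eth0 vs eth1) and covers IPv6 as well.
# Assumes a Linux host with iptables and ip6tables installed; "userA" is the
# throwaway account from the thread and is only a placeholder here.

# Emit the rules for one user without applying them.  Loopback stays open so
# wine, wineserver and apps that talk to 127.0.0.1 keep working; everything
# else is REJECTed, so a socket gets an immediate error instead of the
# retry-until-timeout behaviour a silent DROP produces.
egress_block_rules() {
    user="$1"
    for tool in iptables ip6tables; do
        # Rule 1 at the head of OUTPUT: allow loopback for this uid only.
        echo "$tool -I OUTPUT 1 -m owner --uid-owner $user -o lo -j ACCEPT"
        # Rule 2, right behind it: reject everything else this uid sends.
        echo "$tool -I OUTPUT 2 -m owner --uid-owner $user -j REJECT"
    done
}

# The matching teardown: -D with the same match spec deletes the rule.
egress_unblock_rules() {
    egress_block_rules "$1" | sed 's/ -I OUTPUT [12] / -D OUTPUT /'
}

# Apply (or remove) the rules.  Needs root, and refuses unknown users so a
# typo does not silently produce a rule that matches nothing.
egress_apply() {
    action="$1"; user="$2"
    case "$action" in
        block|unblock) ;;
        *) echo "usage: egress_apply block|unblock USER" >&2; return 1 ;;
    esac
    id -u "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "egress_apply must run as root" >&2; return 1; }
    "egress_${action}_rules" "$user" | while read -r cmd; do
        echo "+ $cmd" >&2
        # Word splitting of $cmd is intended: each line is one iptables call.
        $cmd || exit 1   # exit leaves only this subshell; the function returns 1
    done
}

# Usage (as root):  egress_apply block userA      ... later: egress_apply unblock userA
```

Two caveats the rule set does not cover on its own. The owner match looks at the uid that owns the socket, so anything the blocked user can reach over loopback that runs as a different uid (a local caching resolver, a proxy, a shared wineserver belonging to userB) will happily relay traffic out under its own uid; keep such services off loopback or bind them to a separate user-namespaced setup. And the rules live only in the running kernel tables; they must be re-applied after a reboot or a firewall service restart.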
oiaohm
Level 8
Posts: 1020
Joined: Fri Feb 29, 2008 2:54 am

Re: Block specific apps' outgoing traffic

Post by oiaohm »

You are better off using LXC network namespace wrapping than user wrapping. Why? A network namespace allows you to not show the external Ethernet to the application, so all it sees is loopback. Please be aware you can do an LXC network namespace completely missing loopback as well; a lot of applications hate this.

Also, the LXC network namespace will not screw up if you end up with, say, eth1 instead of eth0, as you assign what networking the application can access.
http://lwn.net/Articles/531114/

http://forums.macrumors.com/showthread.php?t=1182655
Yes, wineserver is involved in network connections. This is why you can only isolate WINEPREFIX by WINEPREFIX: the application and the wineserver it is using have to be contained.

kktsuri, the issue with blocking all traffic is that it does not stop more stupid applications from seeing a network card and attempting to send until you run out of CPU time. Firefox is a well behaved application. Wine and the applications running in it will not break out of the block you set up, but it does not stop applications from trying until your system locks up. LXC methods do stop applications from even trying, since to the application the outgoing network cards don't exist.

This is Linux, with many ways to skin a cat. I am not on my game machine at the moment; for quite a few games I have LXC solutions to block them when I just want to play single player. I will post later with the method I use.

iptables is the older method.

The cgroup/LXC/docker/systemd containment methods are all the same thing at kernel level, cgroups, and this is the new containment method. Even on native Linux, applications hitting the iptables drop solution can cause horrible things to happen.

Of course you can stack both methods into one solution to make sure no escape is possible.
kktsuri

Re: Block specific apps' outgoing traffic

Post by kktsuri »

Hey, thanks for the reply.

To be honest, LXC seems a bit over my head. I need to do some more reading on it, but it looks pretty complicated, with all sorts of editing of files/configs and obscure command line options, at least for me. I know apps can lock up my CPU by sending so many requests if the packets get dropped with iptables, but at least it is much easier for me to set up and maintain.

Unless you have some easy ways to set up LXC containers for this? Or are there some GUI tools available to simplify it (like, for example, VirtualBox, which is a full fledged VM and is much easier to use in my opinion, but obviously way slower!)?

Or at least some easy to use scripts, e.g. start a container with a script that does all the dirty work for this specific purpose (isolating apps from the network) automatically. My main problem, and where it's too complicated for me, is in setting up the container/network and such. No site I read guides on explains it properly; they just say "go to some file, edit something, add this, add that", etc., as if the reader is experienced with this stuff :(

Thanks again for the reply. I will look some more into LXC when I have some time; for the time being at least I know this iptables method is safe and works (without apps sending ninja data out there).
oiaohm

Re: Block specific apps' outgoing traffic

Post by oiaohm »

kktsuri, I have something horribly dirty, due to the requirement of the root password, but it works.
http://linux.die.net/man/1/unshare

If you set the suid bit on unshare you can do unshare -n -- application; unfortunately this equals all networking, including loopback, disabled, and lots of applications really hate this. For applications that don't hate this it is a really nice solution. No extra user or iptables settings.

unshare -n ping 127.0.0.1

reports that the network is unreachable.

The hack: use root/admin level unshare and su to change back to a lower user.

unshare -n -- sh -c 'ifconfig lo up; su [user] -c "[application]"'

or

unshare -n -- sh -c 'ip link set dev lo up; su [user] -c "[application]"'

Unfortunately both commands have to run with root privilege, so run them via sudo -c or su -c on a batch file containing it. ifconfig is the old way of configuring network interfaces and ip is the new one.

kktsuri, the reason why I had to go home and look at my home system was that I could not remember how I pulled it off myself.

This should be doable more cleanly using nsenter, but I have not done this myself and not every distribution has nsenter yet. nsenter accepts a file describing how the network should look when you fire up the application, so avoiding the need to turn the network on.

There are some GUI tools for managing cgroups, but for this I just hack it. Please note unshare -n -- application should work with some Windows applications, because if you uninstall all network cards under Windows, TCP loopback disappears.

If you are on a system with systemd there is another way to replicate what I did: systemd-nspawn --private-network --drop-capability=. I have not messed with this myself.

This is the problem cgroups has: a stack of different command line interfaces. It will get a lot simpler when everything on Linux uses systemd.

kktsuri, yes, blocking network traffic will get simpler and cleaner than using iptables. In fact, blocking applications from seeing everything else on the system will also get simpler.

What makes LXC solutions complex at the moment is too many ways to skin the one cat. Yes, the different methods end up with the kernel receiving exactly the same instructions.
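The network-namespace approach oiaohm recommends in his first reply and the unshare/su hack above, wrapped into one script as an added example (not oiaohm's script and not part of the original thread). It assumes util-linux unshare, iproute2 (ip) and su are installed and that the wrapper itself is started as root; the user name and the command are supplied by the caller. The one piece worth getting right is quoting: the application command is re-quoted argument by argument and handed to the inner shell as a positional parameter, so paths with spaces or apostrophes survive the two shell layers intact.

```sh
#!/bin/sh
# Added example, not oiaohm's script: run a command in a fresh network
# namespace (no external interfaces exist for it), bring up the namespace's
# private loopback, then drop root and start the application as USER.
# Assumes util-linux unshare, iproute2 and su; must be started as root.

# Quote each argument for a POSIX shell: wrap in single quotes and escape
# any embedded single quote as '\''.  Lets "wine 'C:\Program Files\x.exe'"
# be passed through su -c without being split or re-interpreted.
shell_quote() {
    out=""
    for a in "$@"; do
        q="$(printf '%s' "$a" | sed "s/'/'\\\\''/g")"
        out="$out '$q'"
    done
    printf '%s' "${out# }"
}

# nonet_run USER COMMAND [ARGS...]
nonet_run() {
    user="$1"; shift
    [ "$#" -ge 1 ] || { echo "usage: nonet_run USER COMMAND [ARGS...]" >&2; return 1; }
    id -u "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "nonet_run must be started as root (sudo)" >&2; return 1; }
    # unshare -n: new, empty network namespace (only a down loopback exists).
    # The inner script receives USER and the quoted command as $1 and $2, so
    # nothing has to be nested inside another layer of quotes.  "ip link set
    # dev lo up" raises the namespace-private loopback for apps that need
    # 127.0.0.1; drop that clause to get oiaohm's fully networkless variant.
    exec unshare -n -- /bin/sh -c \
        'ip link set dev lo up && exec su -s /bin/sh -c "$2" "$1"' \
        nonet-inner "$user" "$(shell_quote "$@")"
}

# Example invocation (as root):
#   nonet_run userA env WINEPREFIX=/home/userA/.wine-offline wine foo.exe
```

Because wineserver is per prefix (oiaohm's point above), start the namespaced command against a prefix whose wineserver is not already running outside the namespace; otherwise the new wine process simply attaches to the existing, unconfined server. The X11 connection keeps working because a local DISPLAY such as :0 goes over the Unix socket in /tmp/.X11-unix rather than TCP. On a current util-linux, unshare -Urn creates the same kind of namespace without root by pairing it with a user namespace (the process then sees itself as uid 0 inside the namespace only); that path is not used here because the thread's setups predate it and the exact behaviour of the application under a mapped uid is an assumption you would need to test.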
kktsuri

Re: Block specific apps' outgoing traffic

Post by kktsuri »

This is pretty neat, but how dependent are Windows apps on loopback anyway? I mean, don't they use loopback/localhost to communicate with wineserver? If so, it must be kind of important, but I don't even know what wineserver does specifically.

Is there some way to make the Windows apps use loopback at least, without a network interface, since you said they are kind of buggy there?

Thanks btw, I will look more into unshare and such; didn't even know they existed ;)
oiaohm

Re: Block specific apps' outgoing traffic

Post by oiaohm »

kktsuri, wine itself is not dependent on loopback at all. The loopback requirement is a per application thing.

Some games exploit loopback on Windows and Linux so that their code is almost identical between the network version and the single player version. These programs also fail under Windows with no network card connected.

"ifconfig lo up;" and "ip link set dev lo up" in my hacks are about turning loopback back on. In fact a private loopback. So applications do use it. This meets the requirement for most applications.

There are one or two applications that want to pull a MAC address off a network card; these are rare. This would be a more complex cgroup setup. It's possible to add a fake network card connected to nothing to a cgroup; this is why I mentioned nsenter's means to load a file defining the network.

kktsuri, Windows applications under Windows can punch holes past firewalls and other things. Wineserver has to implement that functionality. It turns out that without it, particular Windows applications break. Wineserver is where wine emulates a lot of Windows kernel functionality, including some of the very bad behaviours, like dissociated network connections.

Basically a well behaved Windows application will work with suid applied to the unshare command and unshare -n used. For the ones that fail this, attempt the option to turn on loopback. The ones that fail this are a pain, but those either really check for an internet connection or are looking at the MAC address of the network card for some reason like copy protection. The majority will be covered by the first 2 options.

kktsuri, the only special thing about wine is remembering the existence of wineserver, and due to it you cannot run one application contained and one application not contained in the same wine prefix.

One day wineserver hopefully picks up nsenter so it uses the cgroup of the application it is processing for. Basically the wineserver bit and the security hole is kind of a bug. The problem currently is that using nsenter requires high privilege, and wineserver is not secure to run at root level. Also note that everything about cgroups/LXC is not fully set in stone either, so the wine project is also waiting for cgroups/LXC to settle in.
kktsuri

Re: Block specific apps' outgoing traffic

Post by kktsuri »

Thanks, now I understand... that makes sense. I guess some apps *need* a network adapter just for copy protection, but overall I will try your method; it should be fine. I don't believe I have any such app, maybe except a few older games, but well, if they don't work I'll try the other way for now.

I'll see if I get anything interesting going on.