Re: [gentoo-user] Re: How to hide a network interface from an application

2020-08-20 Thread Alexey Mishustin
Thu, 20 Aug 2020 at 15:46, Victor Ivanov :
>
> On 14/08/2020 01:03, Alexey Mishustin wrote:
> > groupadd noinet
> > usermod -a -G noinet 
> > iptables -A OUTPUT -i  -m owner --gid-owner noinet -j DROP
> >and calling not
> > Plex
> >but
> > sg noinet Plex
> >(or whatever name the binary has)
>
> This is a very elegant generic solution, thank you for sharing. I had
> completely forgotten the fact that filtering can be done based on UID/GID.

This is not surprising, because "a lot of water has passed under the
bridge" since this solution was popular:
https://ubuntuforums.org/showthread.php?t=1188099=10626471#post10626471
(dated 2011)

-- 
Best regards,
Alex



Re: [gentoo-user] Re: How to hide a network interface from an application

2020-08-20 Thread Victor Ivanov
On 14/08/2020 01:03, Alexey Mishustin wrote:
> groupadd noinet
> usermod -a -G noinet 
> iptables -A OUTPUT -i  -m owner --gid-owner noinet -j DROP
>and calling not
> Plex
>but
> sg noinet Plex
>(or whatever name the binary has)

This is a very elegant generic solution, thank you for sharing. I had
completely forgotten the fact that filtering can be done based on UID/GID.

For the sake of completeness, here's the equivalent nftables solution
for those, such as myself, who may have migrated (exclusively) to nft:

  table inet filter {
    chain output {
      type filter hook output priority filter; policy accept;
      meta skgid "noinet" oifname "" drop
    }
  }

and in command line form:

  (1) nft add table inet filter
  (2) nft add chain inet filter output { type filter hook output priority 0\; }
  (3) nft add rule inet filter output meta skgid noinet oifname  drop

The first two are, of course, only relevant if there is no existing
table and chain that one can already use. If such exist, simply use (3)
and substitute names as appropriate.

Regards,
- V



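The owner-match approach from the two messages above (Grant's iptables --uid-owner rule and Victor's nft skgid equivalent), as an added example that is not code from the thread: a small POSIX sh helper that builds the rule with the correct -o/oifname direction, creates the nft table and chain only when missing, reads back drop counters, and starts the program under the blocked group. The interface name "eth1", the "plex" user and the "noinet" group are assumptions taken from the thread; DRY_RUN=1 prints the commands instead of running them, since the real ones need root.

```shell
#!/bin/sh
# Added example, not code from the thread: build, apply and verify an "owner"
# rule that drops locally generated packets from one user or group on one
# outgoing interface, in iptables or nftables form. Interface names, the
# "plex" user and the "noinet" group are assumptions taken from the thread.
# Set DRY_RUN=1 to print the commands instead of running them (they need root).
set -eu

# Run a command, or only print it in dry-run mode.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Grant Edwards had to rebuild his kernel for the owner match; check first.
have_owner_match() {
    zcat /proc/config.gz 2>/dev/null | grep -q '^CONFIG_NETFILTER_XT_MATCH_OWNER=[ym]' ||
        modprobe -n -q xt_owner 2>/dev/null
}

# iptables form. The owner match looks at the socket that generated the packet,
# so it only exists for locally generated traffic (OUTPUT) and the interface
# test is -o (outgoing); -i is meaningless there, as corrected later in the thread.
owner_rule_iptables() {   # IFACE uid|gid OWNER
    case $2 in
        uid) flag=--uid-owner ;;
        gid) flag=--gid-owner ;;
        *) echo "owner kind must be uid or gid, not '$2'" >&2; return 1 ;;
    esac
    printf 'iptables -A OUTPUT -o %s -m owner %s %s -j DROP\n' "$1" "$flag" "$3"
}

# nftables form; "counter" is added so the dropped-packet rate can be read back.
owner_rule_nft() {        # IFACE uid|gid OWNER
    case $2 in
        uid) key=skuid ;;
        gid) key=skgid ;;
        *) echo "owner kind must be uid or gid, not '$2'" >&2; return 1 ;;
    esac
    printf 'nft add rule inet filter output meta %s %s oifname %s counter drop\n' "$key" "$3" "$1"
}

# Create the inet filter table and output chain only if they do not exist yet.
ensure_nft_output_chain() {
    if [ "${DRY_RUN:-0}" != 1 ] && nft list chain inet filter output >/dev/null 2>&1; then
        return 0
    fi
    run nft add table inet filter
    run nft add chain inet filter output '{ type filter hook output priority 0; policy accept; }'
}

# apply_block IFACE uid|gid OWNER iptables|nft
apply_block() {
    case $4 in
        iptables) rule=$(owner_rule_iptables "$1" "$2" "$3") || return 1 ;;
        nft)      rule=$(owner_rule_nft "$1" "$2" "$3") || return 1
                  ensure_nft_output_chain ;;
        *) echo "backend must be iptables or nft, not '$4'" >&2; return 1 ;;
    esac
    run $rule
}

# Read back packet counters to answer "how much is actually being dropped?"
show_drops() {            # iptables|nft
    case $1 in
        iptables) run iptables -vnL OUTPUT ;;
        nft)      run nft list chain inet filter output ;;
    esac
}

# Start a program under the blocked group. sg changes the primary gid, which
# is what --gid-owner / meta skgid compare against; supplementary membership
# alone (usermod -a -G) does not match unless the newer --suppl-groups option
# is used. A service that already runs as its own user (Plex) needs no sg.
run_in_group() {          # GROUP COMMAND...
    grp=$1; shift
    run sg "$grp" -c "$*"
}

# Usage (as root):
#   DRY_RUN=1 apply_block eth1 uid plex iptables      # preview only
#   apply_block eth1 gid noinet nft && run_in_group noinet Plex
#   show_drops nft
```

The gid variant matters for programs that do not have their own user: the rule compares the effective gid of the socket owner, so the program has to be started with that gid (sg), not merely by a user who is a member of the group.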


Re: [gentoo-user] Re: How to hide a network interface from an application

2020-08-16 Thread Grant Taylor

On 8/16/20 5:07 AM, Neil Bothwick wrote:
> Going OT here, but why do you dislike Docker? I've only recently
> started using it, so if there are any major, or otherwise, drawbacks,
> I'd like to know before I get too entwined in their ecosystem.


Why do I need one or more (more with older versions) additional daemons 
to run simple services or virtual routers (network namespaces)?


I don't like many of the implications which, as I understand it, Docker 
imposes.


Conversely I can do what I want with a few relatively simple (to me) 
commands directly in init scripts.




--
Grant. . . .
unix || die



Re: [gentoo-user] Re: How to hide a network interface from an application

2020-08-16 Thread Neil Bothwick
On Sun, 16 Aug 2020 07:26:36 -0400, Rich Freeman wrote:

> > Going OT here, but why do you dislike Docker? I've only recently
> > started using it, so if there are any major, or otherwise, drawbacks,
> > I'd like to know before I get too entwined in their ecosystem.  
> 
> It has been a while since I've tried it, but networking with Docker is
> a PITA.  Just having it use DHCP/DNS like any normal host isn't an
> option, and it seems like you have to stick some kind of reverse proxy
> in front of everything.

That makes sense, although I'm running a reverse proxy anyway as I have
different services on different hosts behind a single public IP address.

I saw a system using Traefik last week. Traefik offers some sort of
auto-discovery to handle this sort of thing.

> I can see how it makes sense at scale.  However, if you just need one
> instance of something, it is just way more complexity than you need.

Yes, it's more work for a single container, but once you start running
more there's very little extra work involved.

> I personally use nspawn to run my containers, with a network
> namespace.  They just have their own MACs, run DHCP, and generally
> work like any VM minus the memory use.

I've used nspawn in the past and it worked well for what I needed, maybe
I need to revisit it.

> But, perhaps I just need to drink more of the Kool-Aid and it will
> click some day.  All I want is to be able to type a.b.com in my
> browser and have it display the service I just started up.  With
> nspawn that is just a matter of a few lines in dhcpd.conf and my BIND
> config.

That seems to be what Traefik promises when used with Docker, make that
Kool-Aid a double :)


-- 
Neil Bothwick

Windows Error #09: Mouse not found. Press mouse button to continue.




Re: [gentoo-user] Re: How to hide a network interface from an application

2020-08-16 Thread Rich Freeman
On Sun, Aug 16, 2020 at 7:07 AM Neil Bothwick  wrote:
>
> On Sat, 15 Aug 2020 12:22:19 -0600, Grant Taylor wrote:
>
> > I dislike Docker, but I do like the idea of containers or network
> > namespaces.
>
> Going OT here, but why do you dislike Docker? I've only recently started
> using it, so if there are any major, or otherwise, drawbacks, I'd like to
> know before I get too entwined in their ecosystem.

It has been a while since I've tried it, but networking with Docker is
a PITA.  Just having it use DHCP/DNS like any normal host isn't an
option, and it seems like you have to stick some kind of reverse proxy
in front of everything.

I can see how it makes sense at scale.  However, if you just need one
instance of something, it is just way more complexity than you need.

I personally use nspawn to run my containers, with a network
namespace.  They just have their own MACs, run DHCP, and generally
work like any VM minus the memory use.

But, perhaps I just need to drink more of the Kool-Aid and it will
click some day.  All I want is to be able to type a.b.com in my
browser and have it display the service I just started up.  With
nspawn that is just a matter of a few lines in dhcpd.conf and my BIND
config.

-- 
Rich



Re: [gentoo-user] Re: How to hide a network interface from an application

2020-08-16 Thread Neil Bothwick
On Sat, 15 Aug 2020 12:22:19 -0600, Grant Taylor wrote:

> I dislike Docker, but I do like the idea of containers or network 
> namespaces.

Going OT here, but why do you dislike Docker? I've only recently started
using it, so if there are any major, or otherwise, drawbacks, I'd like to
know before I get too entwined in their ecosystem.


-- 
Neil Bothwick

Top Oxymorons Number 38: Government organization




Re: [gentoo-user] Re: How to hide a network interface from an application

2020-08-15 Thread Grant Taylor

On 8/13/20 6:03 PM, Alexey Mishustin wrote:

> Isn't this classic option suitable?
>
> iptables -A OUTPUT -i  -m owner --gid-owner noinet -j DROP


Ugh.

I'm sure that's a viable method to deal with the problem after the fact.

But I prefer to not have the problem in the first place.  Thus no need 
to deal with it after the fact.


I dislike Docker, but I do like the idea of containers or network 
namespaces.  As such, I think it should be relatively trivial to create 
a network namespace that has what you need without too much effort.  I'd 
think that some judicious "unshare" / "nsenter" / "ip netns exec" 
commands would suffice.


I run BIRD in multiple network namespaces (think virtual routers) for 
things with a few commands and NO Docker, et al.


   unshare --mount=/run/mountns/${NetNS} --net=/run/netns/${NetNS} \
       --uts=/run/utsns/${NetNS} /bin/hostname ${NetNS}
   nsenter --mount=/run/mountns/${NetNS} --net=/run/netns/${NetNS} \
       --uts=/run/utsns/${NetNS} /bin/ip link set dev lo up
   nsenter --mount=/run/mountns/${NetNS} --net=/run/netns/${NetNS} \
       --uts=/run/utsns/${NetNS} /usr/sbin/bird -P /var/run/bird.${NetNS}.pid \
       -s /var/run/bird.${NetNS}.ctl


You can replace /usr/bin/bird ... with whatever command you need to 
start Plex.


Obviously you will need to add the network interface to connect from 
your physical network to the network namespace and configure it 
accordingly.  But that's relatively trivial to do.


I find these types of network / mount / UTS namespaces, containers, to 
be extremely lightweight and easy to do things in.  I've created some 
wrapper scripts to make it trivial to add / list / remove such 
containers; mknns, lsnns, rmnns.




--
Grant. . . .
unix || die
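The namespace approach Grant describes above, as an added example in the spirit of the mknns/lsnns/rmnns wrappers he mentions but does not post (this is not his code): the application gets its own network, mount and UTS namespace, and the only interface placed inside it is a macvlan child of the one physical interface it is allowed to use, so the "spews on every interface" problem cannot arise. The /run/{mountns,netns,utsns} layout follows his commands; the macvlan step, the "mv-" naming, NSROOT and the sample address are assumptions. The real commands need root; DRY_RUN=1 prints them instead.

```shell
#!/bin/sh
# Added example, not Grant Taylor's scripts: mknns/lsnns/rmnns-style wrappers
# that give a program its own network, mount and UTS namespace and expose
# exactly one physical interface inside it through a macvlan child.
# The /run/{mountns,netns,utsns} layout follows the thread; the macvlan step,
# the "mv-" naming and NSROOT are assumptions. Needs root; DRY_RUN=1 prints.
set -eu

NSROOT=${NSROOT:-/run}

# Run a command, or only print it in dry-run mode.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Set MNT/NET/UTS to the persistent namespace files for NAME ($1).
# /run/netns/NAME is also where "ip netns" looks (/var/run/netns), so the
# namespace created by unshare can be addressed by name with ip(8).
# Note: bind-mounting a mount namespace fails if $NSROOT is a shared mount
# (check with: findmnt -o +PROPAGATION).
ns_paths() {
    MNT=$NSROOT/mountns/$1; NET=$NSROOT/netns/$1; UTS=$NSROOT/utsns/$1
}

mknns() {   # mknns NAME PARENT_IFACE
    [ $# -eq 2 ] || { echo "usage: mknns NAME PARENT_IFACE" >&2; return 1; }
    ns_paths "$1"
    run mkdir -p "$NSROOT/mountns" "$NSROOT/netns" "$NSROOT/utsns"
    run touch "$MNT" "$NET" "$UTS"
    # Create the three namespaces, persist them on the files, set the hostname.
    run unshare --mount="$MNT" --net="$NET" --uts="$UTS" /bin/hostname "$1"
    run nsenter --mount="$MNT" --net="$NET" --uts="$UTS" /bin/ip link set dev lo up
    # Expose only $2: a macvlan child in bridge mode, moved into the namespace.
    # The host's own address on $2 cannot talk to this child (Grant's caveat
    # in the thread); give the host its own macvlan child, or use a bridge or
    # OVS instead, if host <-> namespace traffic is needed.
    run ip link add "mv-$1" link "$2" type macvlan mode bridge
    run ip link set dev "mv-$1" netns "$1"
    run nsenter --mount="$MNT" --net="$NET" --uts="$UTS" /bin/ip link set dev "mv-$1" up
}

nsrun() {   # nsrun NAME COMMAND... : run COMMAND inside namespace NAME
    ns_paths "$1"; shift
    run nsenter --mount="$MNT" --net="$NET" --uts="$UTS" "$@"
}

lsnns() {   # list namespaces created by mknns
    ls "$NSROOT/netns"
}

rmnns() {   # rmnns NAME : drop the persisted namespaces (stop the program first).
    # The macvlan child disappears with the network namespace once nothing
    # holds it open.
    ns_paths "$1"
    run umount "$MNT" "$NET" "$UTS"
    run rm -f "$MNT" "$NET" "$UTS"
}

# Usage (as root); 192.0.2.10/24 is a constructed documentation address:
#   mknns plex eth0
#   nsrun plex ip addr add 192.0.2.10/24 dev mv-plex   # or start a DHCP client here
#   nsrun plex /usr/sbin/bird -P /var/run/bird.plex.pid -s /var/run/bird.plex.ctl
#   rmnns plex
```

Inside the namespace the program sees only lo and mv-plex, so there is nothing to filter afterwards; the price is that the namespace needs its own address (static or a DHCP client run via nsrun) and that services on the host must reach it over the network rather than over lo.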



Re: [gentoo-user] Re: How to hide a network interface from an application

2020-08-15 Thread Grant Taylor

On 8/13/20 4:03 PM, Grant Edwards wrote:
> I'm not sure what "go out of your way" means in this context.  I assume
> I'd create a network namespace for Plex, and then use either macvlan
> or ipvlan to share one of the physical interfaces between the root
> namespace and the Plex namespace.


I've found that MACVLAN / MACVTAP, and I assume IPVLAN / IPVTAP, have a 
bit of a flaw.  Specifically, I've not been able to put an IP address on 
the parent interface, e.g. eth1, and get communications between the host 
and the {MAC,IP}V{LAN,TAP} clients.  To get such host to 
{MAC,IP}V{LAN,TAP} communications, I've had to add an additional 
{MAC,IP}V{LAN,TAP} and put the host's IP on that.


Conversely, I've been able to use traditional bridging or OVS to 
accomplish this.


> I'd like the 'lo' interfaces to be shared as well, but I'm not sure
> that's possible.


I think that's contrary to how network namespaces work.

I've got a colleague at work who has written a proxy program that will 
listen on a port in one network namespace and connect to the same (or 
optionally different) port in another network namespace.  It sort of 
behaves much like OpenSSH's local port forwarding going from one network 
namespace to another network namespace with the service running. 
Somewhat akin to SSH agent forwarding.




--
Grant. . . .
unix || die



Re: [gentoo-user] Re: How to hide a network interface from an application

2020-08-15 Thread Neil Bothwick
On Fri, 14 Aug 2020 22:06:01 - (UTC), Grant Edwards wrote:

> Even with the kernel rebuild it was far less work than getting set up
> to run a docker container (which also would have required a kernel
> rebuild) or running the server in a separate network namespace.

The thing with Docker is you only have to do that work once. So using it
for a one-off is extra work but once done you can spin up extra services
with almost no effort.


-- 
Neil Bothwick

Don't just do something, sit there!




[gentoo-user] Re: How to hide a network interface from an application

2020-08-14 Thread Grant Edwards
On 2020-08-15, Sid Spry  wrote:
> On Fri, Aug 14, 2020, at 5:06 PM, Grant Edwards wrote:
>> [...]
>>
>> >   iptables -A OUTPUT -o  -m owner --uid-owner plex -j DROP
>> 
>> I can confirm, that did indeed work as desired.
>> 
>> Even with the kernel rebuild it was far less work than getting set up
>> to run a docker container (which also would have required a kernel
>> rebuild) or running the server in a separate network namespace.
>> 
>> [...]
>
> Are you able to see any perf impact from the generated but dropped
> packets?

I haven't tried, but I it's detectable. Plex only sends out a handful
of packets every 5-10 seconds.  It wouldn't really matter except that
the interface I want it to leave alone is attached to an internal
network I use to develop/test IoT and industrial Ethernet devices, and
I want to be able to run tests that are as predictable and repeatable
as possible.

It would probably be better to run Plex on a separate, small, silent,
low-power, headless server but I've already got enough machines to
maintain.

--
Grant

Re: [gentoo-user] Re: How to hide a network interface from an application

2020-08-14 Thread Sid Spry
On Fri, Aug 14, 2020, at 5:06 PM, Grant Edwards wrote:
> On 2020-08-14, Grant Edwards  wrote:
> 
> > I think this should work, but I need to rebuild my kernel with the
> > iptables "owner" extension enabled:
> >
> >   iptables -A OUTPUT -o  -m owner --uid-owner plex -j DROP
> 
> I can confirm, that did indeed work as desired.
> 
> Even with the kernel rebuild it was far less work than getting set up
> to run a docker container (which also would have required a kernel
> rebuild) or running the server in a separate network namespace.
> 

Are you able to see any perf impact from the generated but dropped packets?



[gentoo-user] Re: How to hide a network interface from an application

2020-08-14 Thread Grant Edwards
On 2020-08-14, Grant Edwards  wrote:

> I think this should work, but I need to rebuild my kernel with the
> iptables "owner" extension enabled:
>
>   iptables -A OUTPUT -o  -m owner --uid-owner plex -j DROP

I can confirm, that did indeed work as desired.

Even with the kernel rebuild it was far less work than getting set up
to run a docker container (which also would have required a kernel
rebuild) or running the server in a separate network namespace.

--
Grant





Re: [gentoo-user] Re: How to hide a network interface from an application

2020-08-14 Thread Alexey Mishustin
Fri, 14 Aug 2020 at 23:03, Grant Edwards :

> [For posterity's sake, with -A Output it's -o  rather than
> -i ]

Ah, you are right! I am sorry, my iptables rule with 'noinet' doesn't
include an interface, I added it when typing the message and looked at
my rules with an interface from the INPUT section.

> My original post also said I was trying to hide an
> interface, when all I really needed was to prevent sending of packets
> on that interface.

Yes, it seems to be enough. I found out that 'noinet' rule when I got
annoyed by an application (written by Windows programmers as well)
that was continuously checking updates at each launch... No inet - no
check :)

> I think this should work, but I need to rebuild my kernel with the
> iptables "owner" extension enabled:

Clear!

-- 
Best regards,
Alex



[gentoo-user] Re: How to hide a network interface from an application

2020-08-14 Thread Grant Edwards
On 2020-08-14, Alexey Mishustin  wrote:

> Isn't this classic option suitable?
>
> groupadd noinet
> usermod -a -G noinet 
> iptables -A OUTPUT -i  -m owner --gid-owner noinet -j DROP
>and calling not
> Plex
>but
> sg noinet Plex
>(or whatever name the binary has)

Thanks for the suggestion!

[For posterity's sake, with -A Output it's -o  rather than
-i ]

Yes, I think that should work.  I had forgotten (or never knew?) that
iptables rules could trigger on the uid or gid of the process that
sent the packet.  The Plex media server already runs in its own
user/group -- something I should have mentioned in my original post,
since it means that "from a user" instead of "from an application"
would also work. My original post also said I was trying to hide an
interface, when all I really needed was to prevent sending of packets
on that interface.

I think this should work, but I need to rebuild my kernel with the
iptables "owner" extension enabled:

  iptables -A OUTPUT -o  -m owner --uid-owner plex -j DROP

I was just about to start experimenting with ipvlan and network
namespaces, but an iptables rule triggering on uid looks much much
easier.

--
Grant




Re: [gentoo-user] Re: How to hide a network interface from an application

2020-08-13 Thread Alexey Mishustin
Hi Grant,

Isn't this classic option suitable?

groupadd noinet
usermod -a -G noinet 
iptables -A OUTPUT -i  -m owner --gid-owner noinet -j DROP
   and calling not
Plex
   but
sg noinet Plex
   (or whatever name the binary has)

-- 
Best regards,
Alex



[gentoo-user] Re: How to hide a network interface from an application

2020-08-13 Thread Grant Edwards
On 2020-08-13, Sid Spry  wrote:

> Sorry, I meant go out of your way to select more than one
> interface. I'm genuinely confused anyone would ever do that let
> alone Plex.

I assume they're using some sort of SSDP library that by default spews
on all available interfaces.

> Yes, you're right (as far as I know). You might wish to see if Plex has a
> premade container built. I typically don't like them, but it will save you
> a fair bit of work if it exists.

They do offer a docker download.  I've never done anything with docker
containers before, but maybe it's time to learn.

--
Grant

Re: [gentoo-user] Re: How to hide a network interface from an application

2020-08-13 Thread Sid Spry
On Thu, Aug 13, 2020, at 5:03 PM, Grant Edwards wrote:
> On 2020-08-13, Sid Spry  wrote:
> > On Thu, Aug 13, 2020, at 4:33 PM, Grant Edwards wrote:
> >> How does one hide a network interface from a badly-written application?
> >> 
> >> I'm using Plex Media Server as a DVR, it seems to have been written
> >> by Windows programmers who assume that your computer exists for no
> >> purpose other than running their program and their program alone.  It
> >> spews multicast and broadcast packets on all network interfaces
> >> regardless of which interface you configure it to use.
> >> 
> >> Is creating a network namespace that contains only the interfaces Plex
> >> is allowed to use the best way to try to fix this problem?  [Assuming
> >> the developers won't do anything about it.]
> >
> > Yes, though you typically have to go out of your way to select a single
> > interface.
> 
> I'm not sure what "go out of your way" means in this context.  I
> assume I'd create a network namespace for Plex, and then use either
> macvlan or ipvlan to share one of the physical interfaces between the
> root namespace and the Plex namespace.  I'd like the 'lo' interfaces
> to be shared as well, but I'm not sure that's possible.
> 

Sorry, I meant go out of your way to select more than one interface. I'm
genuinely confused anyone would ever do that let alone Plex.

Yes, you're right (as far as I know). You might wish to see if Plex has a
premade container built. I typically don't like them, but it will save you
a fair bit of work if it exists.



[gentoo-user] Re: How to hide a network interface from an application

2020-08-13 Thread Grant Edwards
On 2020-08-13, Sid Spry  wrote:
> On Thu, Aug 13, 2020, at 4:33 PM, Grant Edwards wrote:
>> How does one hide a network interface from a badly-written application?
>> 
>> I'm using Plex Media Server as a DVR, it seems to have been written
>> by Windows programmers who assume that your computer exists for no
>> purpose other than running their program and their program alone.  It
>> spews multicast and broadcast packets on all network interfaces
>> regardless of which interface you configure it to use.
>> 
>> Is creating a network namespace that contains only the interfaces Plex
>> is allowed to use the best way to try to fix this problem?  [Assuming
>> the developers won't do anything about it.]
>
> Yes, though you typically have to go out of your way to select a single
> interface.

I'm not sure what "go out of your way" means in this context.  I
assume I'd create a network namespace for Plex, and then use either
macvlan or ipvlan to share one of the physical interfaces between the
root namespace and the Plex namespace.  I'd like the 'lo' interfaces
to be shared as well, but I'm not sure that's possible.

> Have you filed a bug report? Can you link to it?

People have been complaining to upstream devs about this for years,
and nothing's been done.  I posted a question on the Plex forum about it,
but I doubt anybody will pay any attention. (Plex doesn't seem to use
any sort of bug reporting or tracking system).

--
Grant