iptables/pf rule to only allow XY application/user?

10,772

Here's the iptables command to allow a certain uid out through a certain port:

iptables -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner username -j ACCEPT

From the man page:

[!] --uid-owner userid[-userid] Matches if the packet socket’s file structure (if it has one) is owned by the given user. You may also specify a numerical UID, or an UID range.

As far as VirtualBox goes... I believe it runs its own kernel, so you might want to use the --uid-owner of VirtualBox on the host OS, but then have a --uid-owner rule on the virtual machine as well.

It might also be useful to note that --gid-owner also exists, and you could create a group "browser" and sgid your browser apps so they run with an effective group "browser", and then only put users who you want to have browsing in that group... This would not be a perfect solution... but most users wouldn't try to run any other apps as that group, thus generally restricting the outbound traffic to that application, I believe. I haven't tried this, so I'm not 100% sure that it would work as I've described.
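As an added example (not part of the answer above), the script below turns the two ideas in this answer, the uid-based rule for one port and the sgid/--gid-owner variant, into a small ruleset: the allowed owner gets an ACCEPT on the port, anything else on that port is logged (rate-limited) and rejected. It assumes uid 500 is the privoxy user and eth0 is the interface, as in the question; the rule prefix `OUT80-DENY:` and the group name `browser` are made up for the example. The default `IPT="echo iptables"` only prints the commands, so it can be reviewed without root; set `IPT=iptables` to apply them.

```shell
#!/bin/sh
# Added example, not code from the original answer.
# IPT is the command used to emit each rule. The default only prints the
# rules; run with IPT=iptables (as root) to actually install them.
IPT=${IPT:-"echo iptables"}

# owner_rules UID PORT IFACE
# Restrict outbound tcp/PORT on IFACE to sockets owned by UID.
# Note: the owner match only sees locally generated packets (OUTPUT /
# POSTROUTING), so forwarded traffic, e.g. from a bridged VM, is not covered.
owner_rules() {
    uid=$1; port=$2; iface=$3
    # 1. the permitted uid may open connections to the port
    $IPT -A OUTPUT -o "$iface" -p tcp --dport "$port" \
        -m owner --uid-owner "$uid" -j ACCEPT
    # 2. anyone else hitting that port: log a few attempts per minute ...
    $IPT -A OUTPUT -o "$iface" -p tcp --dport "$port" \
        -m limit --limit 5/min -j LOG --log-prefix "OUT80-DENY: "
    # 3. ... and reject the rest (tcp-reset fails fast instead of hanging)
    $IPT -A OUTPUT -o "$iface" -p tcp --dport "$port" \
        -j REJECT --reject-with tcp-reset
}

# group_rules GROUP PORT IFACE BINARY...
# The sgid variant from the answer: make each BINARY run with effective
# group GROUP, then allow that group instead of a single uid. (This assumes
# a group named GROUP already exists; chgrp/chmod are also routed through
# $IPT so the dry run shows them rather than touching the filesystem.)
group_rules() {
    grp=$1; port=$2; iface=$3; shift 3
    for bin in "$@"; do
        $IPT chgrp "$grp" "$bin"   # placeholder form; real run would be plain chgrp
        $IPT chmod g+s "$bin"
    done
    $IPT -A OUTPUT -o "$iface" -p tcp --dport "$port" \
        -m owner --gid-owner "$grp" -j ACCEPT
    $IPT -A OUTPUT -o "$iface" -p tcp --dport "$port" \
        -j REJECT --reject-with tcp-reset
}

# Dry-run demonstration with the question's values (uid 500, eth0, tcp/80).
owner_rules 500 80 eth0
```

Rule order matters: the ACCEPT for the owner must come before the LOG and REJECT rules, which is why `owner_rules` appends them in that sequence with `-A`. Watching the kernel log for the `OUT80-DENY:` prefix is the quickest way to see which other processes were trying to use the port before the rule is made permanent.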


Author: LanceBaynes

Updated on September 18, 2022

Comments

  • LanceBaynes
    LanceBaynes over 1 year

    I think there is no iptables/pf solution to only allow an XY application on, e.g., outbound tcp port 80, eth0. So if I have a userid "500", then how could I block any other communications than the mentioned one on port 80/outbound/tcp/eth0? (e.g., just privoxy is using port 80 on eth0)

    Extra: VirtualBox uses port 80 too, when a browser on the guest OS visits a site... how to declare that? Setting the normal user would be too big a hole.

    • Admin
      Admin about 13 years
      Admittedly it might be easier if you split this question into 2 (or more) questions... the BSD stuff is going to be way different from the Linux stuff... and then in many ways you also have a VirtualBox question. I personally think that "how do I only allow application/user XY through iptables" and "how do I only allow application/user XY through pf" are good questions.