iptables/pf rule to only allow XY application/user?
here's the iptables command to allow for a certain uid through a certain port.
iptables -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner username -j ACCEPT
from the man page
[!] --uid-owner userid[-userid] Matches if the packet socket’s file structure (if it has one) is owned by the given user. You may also specify a numerical UID, or an UID range.
as far as virtualbox.. I believe it runs its own kernel... so you might want to use the --uid-owner of virtualbox on the host OS, but then have a --uid-owner rule on the virtual machine as well.
It might also be useful to note that --gid-owner also exists, and you could create a group browser and sgid your browser apps so they run with an effective group browser, and then only put users who you want to have browsing in that group... this would not be a perfect solution... but most of the users wouldn't try to run any other apps as that group, thus generally restricting the outbound to that application I believe. I haven't tried this, so I'm not 100% sure that it would work as I've described.
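A fuller rule set along the lines of this answer, added here as an example and not taken from the original answer: it emits an iptables-restore fragment that lets only one UID (or, per the --gid-owner note, one GID) open outbound TCP/80 on one interface, and logs and rejects every other attempt so the block is visible in the logs. The chain name APP_EGRESS and the log prefix are choices made for this example; the owner value may be a name or a number, as the man page says.

```shell
#!/bin/sh
# Added example (not from the original answer): build an iptables-restore
# fragment that restricts outbound TCP on one port of one interface to a
# single owner, and logs + rejects everything else aimed at that port.
# Usage: owner_rules OWNER IFACE PORT [uid|gid]
# Note: the owner match only sees packets that carry a local socket, so
# bridged VM traffic (which never traverses OUTPUT) is not covered by it;
# NAT-mode VM traffic is attributed to the user running the hypervisor.
owner_rules() {
    owner="$1"; iface="$2"; port="$3"; kind="${4:-uid}"
    cat <<EOF
*filter
:APP_EGRESS - [0:0]
# Packets of already-accepted connections pass without an owner check.
-A OUTPUT -o $iface -p tcp --dport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New connections to the port are judged in the per-application chain.
-A OUTPUT -o $iface -p tcp --dport $port -m conntrack --ctstate NEW -j APP_EGRESS
-A APP_EGRESS -m owner --$kind-owner $owner -j ACCEPT
# Anything else to that port: rate-limited log entry, then a clean reject.
-A APP_EGRESS -m limit --limit 5/min -j LOG --log-prefix "APP_EGRESS_DENY: "
-A APP_EGRESS -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Syntax-check without touching the live tables (needs iptables installed):
#   owner_rules 500 eth0 80 | iptables-restore --test
# Load on top of existing rules (as root):
#   owner_rules 500 eth0 80 | iptables-restore --noflush
```

Denied attempts then show up in the kernel log with the APP_EGRESS_DENY prefix, which gives a simple thing to alert on.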
LanceBaynes
Updated on September 18, 2022

Comments
LanceBaynes over 1 year
I think there is no iptables/pf solution to only allow an XY application on e.g.: outbound tcp port 80, eth0. So if I have a userid: "500" then how could I block any other communications than the mentioned on port 80/outbound/tcp/eth0? (e.g.: just privoxy is using port 80 on eth0)
Extra: virtualbox uses port 80 too? when a browser on the guest os visits a site.. how to declare that? - setting the normal user would be too much hole-
Admin about 13 years
admittedly it might be easier if you split this question into 2 (or more) questions... the bsd stuff is going to be way different from the linux stuff... and then in many ways you also have a virtual box question. I personally think that "how do I only allow application/user XY through iptables" and "how do I only allow application/user XY through pf" are good questions.