create iptables rule per process/service

前端未结

关注

 5  1897

挽巷 2021-01-31 09:58

is it possible to use iptables in order to permit traffic initiated by a \"process\", ie using the process name? I would like for example to allow everything that is initiated b

5条回答

梦毁少年i (楼主)

2021-01-31 10:56
If there is a way to get a process's pid before it starts, then I've never heard about it.

You could write a wrapper which forks first, then adds the rule and execs the process (assuming the program you're running doesn't fork again), since the PID is not changed by the exec(3) call.
```
/* NOTE this contains zero error checking */
int main(int argc, char **argv) {
    /* Eat argv[0] the name of the wrapper script */
    argv++;
    argc--;

    pid_t my_pid = getpid();

    char *iptables_cmd = NULL;
    asprintf(&iptables_cmd, "/sbin/iptables -A INPUT -m owner --pid_owner %d -j ACCEPT", my_pid);

    system(iptables_cmd);

    execv(argv[0], argv);
}
```
0 讨论(0)

查看其它5个回答
发布评论:

提交评论
- 加载中...