create iptables rule per process/service

Front-end | Unresolved | 5 answers | 1904 views
挽巷 2021-01-31 09:58

Is it possible to use iptables in order to permit traffic initiated by a "process", i.e. using the process name? I would like for example to allow everything that is initiated b

5 answers
  •  不知归路
    2021-01-31 10:53

    Building on @Bgs's answer, I would do it like this:

    1. Add a new system group, e.g. snitch:
       sudo addgroup --system snitch

    2. Add yourself to that group, so that you won't be asked for a password to run processes with the primary group set to it:
       sudo adduser $USER snitch

    3. Add IPv4 and IPv6 rules to log and reject any packets generated by processes belonging to that group:
       sudo iptables  -A OUTPUT -m owner --gid-owner snitch -j LOG --log-prefix 'Snitch: '
       sudo ip6tables -A OUTPUT -m owner --gid-owner snitch -j LOG --log-prefix 'Snitch: '
       sudo iptables  -A OUTPUT -m owner --gid-owner snitch -j REJECT
       sudo ip6tables -A OUTPUT -m owner --gid-owner snitch -j REJECT

    4. Open a tail watch on kernel messages:
       dmesg -w

    5. Launch your target process using sg or any other similar means:
       sg snitch 'your target program'
    
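The group-based owner-match procedure above, wrapped into reusable shell functions as an added example (this is not code from the answer or from the iptables project). It assumes the group name `snitch` and the `Snitch: ` log prefix from the answer, adds the real `--log-uid` option so the LOG lines carry the owning UID/GID, and uses constructed sample kernel log lines to show how to summarise what a program run under `sg snitch` tried to reach.

```shell
#!/bin/sh
# Added example, not from the answer above. Assumes group "snitch" and
# the 'Snitch: ' LOG prefix; the sample log below is constructed.

# Apply an OUTPUT owner-match rule only if it is not already present:
# `iptables -C` checks for the rule, `-A` appends it. Needs root, and
# handles both the IPv4 and the IPv6 table.
ensure_rule() {
    grp="$1"; shift
    for ipt in iptables ip6tables; do
        "$ipt" -C OUTPUT -m owner --gid-owner "$grp" "$@" 2>/dev/null \
            || "$ipt" -A OUTPUT -m owner --gid-owner "$grp" "$@"
    done
}

# Log (with UID/GID of the owning socket) and then reject, as in the answer.
setup_snitch() {
    ensure_rule snitch -j LOG --log-prefix 'Snitch: ' --log-uid
    ensure_rule snitch -j REJECT
}

# Summarise kernel LOG lines carrying the prefix: one line per
# "PROTO DST DPT", prefixed by how many packets were rejected for it.
summarize_snitch_log() {
    awk '/Snitch: / {
        proto = ""; dst = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        n[proto " " dst " " dpt]++
    }
    END { for (k in n) print n[k], k }' | sort -k2
}

# Constructed sample of what `dmesg -w` would show (documentation addresses).
SAMPLE_LOG='[  101.1] Snitch: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1001
[  101.2] Snitch: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1001
[  101.3] Snitch: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=50000 DPT=53 LEN=44 UID=1000 GID=1001
[  101.4] unrelated kernel message'
```

Run `setup_snitch` as root once, then `printf '%s\n' "$SAMPLE_LOG" | summarize_snitch_log` (or pipe `dmesg` into it) to get a per-endpoint count of rejected connection attempts.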
