Wednesday, September 13, 2017

About using iptables owner match to block a specific application

iptables -A OUTPUT -m owner --gid-owner black -j REJECT

User name (uid) or group name (gid) won't help because these are the IDs of the user executing the application. Thus it would apply to all applications by that particular user and not just a single one.
Blocking a specific application is usually done by blocking all ports the application uses. But this only works if the user can't change the ports the application will use.

Reference: unix.stackexchange.com, "Block specific application with iptables"


How, then, can a white-list mode be built on the iptables owner match, so that only one chosen application gets network access? The owner match cannot name a program, but it can name a user, so the trick is to give the program a user of its own.

# Allow loopback connections (must come first, or local services break)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Reject outbound traffic from every existing user; --uid-owner takes a
# user name, a numeric uid, or a uid range such as 1000-65535.
# Note that rejecting root also cuts off daemons that run as root.
iptables -A OUTPUT -m owner --uid-owner current_login_user -j REJECT
iptables -A OUTPUT -m owner --uid-owner root -j REJECT
iptables -A OUTPUT -m owner --uid-owner other_users -j REJECT

1. Block outbound traffic for all existing users with the commands above. The owner match only applies to locally generated packets, so it belongs in OUTPUT (or POSTROUTING), not INPUT.
2. Create a dedicated white-list user (not root) that has no REJECT rule; only sockets owned by this user can leave the host.
3. From your normal login, start the program as that user, for example with `sudo -u <white-list user> -H <program>`. The program then runs with that user's home directory and permissions, and anything else started as that user gets network access too, so keep the account for this purpose only.
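The procedure above, as an added example that is not part of the original post. Instead of writing one REJECT rule per existing user, it accepts the white-list user first and then rejects every other packet that belongs to a socket, which is equivalent for application traffic and does not need updating when users are added. The account name `netuser`, the variables `NET_USER` and `IPT`, and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example: an OUTPUT white list built on the iptables owner match.
# Only sockets owned by $NET_USER may send traffic; everything else is rejected.
set -eu

NET_USER="${NET_USER:-netuser}"   # hypothetical dedicated account, not root
IPT="${IPT:-iptables}"

# Print the rule set in order. Ordering matters: the ACCEPT for the
# white-listed user must precede the catch-all REJECT.
gen_whitelist_rules() {
    user="$1"
    cat <<EOF
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -m owner --uid-owner $user -j ACCEPT
$IPT -A OUTPUT -m owner --socket-exists -j REJECT
EOF
}
# --socket-exists limits the REJECT to packets that belong to a local socket,
# i.e. to applications; kernel-generated packets such as TCP resets have no
# owning socket and are left alone. A bare "-j REJECT" would drop those too.

# Sanity check on a rule listing (from gen_whitelist_rules or `iptables -S`):
# the first "--uid-owner ... ACCEPT" line must come before the first REJECT.
check_rule_order() {
    rules="$1"
    accept_line=$(printf '%s\n' "$rules" | grep -n -- '--uid-owner' | grep ACCEPT | cut -d: -f1 | head -n1)
    reject_line=$(printf '%s\n' "$rules" | grep -n -- '-j REJECT' | cut -d: -f1 | head -n1)
    [ -n "$accept_line" ] && [ -n "$reject_line" ] && [ "$accept_line" -lt "$reject_line" ]
}

# Apply the rules (needs root); refuses to apply a mis-ordered set.
apply_whitelist_rules() {
    rules=$(gen_whitelist_rules "$1")
    check_rule_order "$rules" || { echo "bad rule order" >&2; return 1; }
    printf '%s\n' "$rules" | sh -e
}

# Step 3 of the procedure: run a program as the white-list user from your
# normal login. -H gives the program that user's home directory.
run_as_net_user() {
    sudo -u "$NET_USER" -H -- "$@"
}

# Dry run prints the rules; "sh script.sh apply" installs them.
if [ "${1:-}" = "apply" ]; then
    apply_whitelist_rules "$NET_USER"
else
    gen_whitelist_rules "$NET_USER"
fi
```

The INPUT side is left to the existing policy: replies to the white-listed program arrive on INPUT, where the owner match does not apply, so this script only controls who may open outbound sockets.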
