Linode Forum
Linode Community Forums 		 FAQFAQ    SearchSearch    MembersMembers      Register Register 
 LoginLogin [ Anonymous ] 
Post new topic  Reply to topic

Board index » Linux Community Forums » Linux Networking
  Print view Previous topic | Next topic 
Author Message
jvm
PostPosted: Mon Feb 25, 2008 5:20 pm 
Offline
Senior Newbie

Joined: Wed Dec 26, 2007 11:40 am
Posts: 10
Hello, I was thinking that it would be useful to be able to allow or deny network access to specific processes.

In particular I would like to be able to define such rules through the process name.
I thought that iptables could do that, but googling I discovered that the "cmd-owner" feature is long gone.

Trying to use a rule like:
Code:
iptables -A OUTPUT -m owner --cmd-owner foo -j DROP

gives only this result:
Code:
ipt_owner: pid, sid and command matching not supported anymore
iptables: Invalid argument


Unfortunately user id and group id don't give the granularity I could achieve with the name of the process. For example when a parent process starts children processes with the same uid and gid, but different names.

So I would like to ask if anybody knows a way to block (or allow) network access only for specific processes, using their names as a discriminant.
Top
   
Reply with quote  
SteveG
 Post subject:
PostPosted: Mon Feb 25, 2008 7:13 pm 
Offline
Senior Member

Joined: Sun Nov 30, 2003 2:28 pm
Posts: 245
SELInux? Probably more effort than you want to go to, though.

_________________
The irony is that Bill Gates claims to be making a stable operating system and Linus Torvalds claims to be trying to take over the world.
-- seen on the net
Top
   
Reply with quote  
rhashimoto
 Post subject:
PostPosted: Mon Feb 25, 2008 9:00 pm 
Offline
Senior Member

Joined: Wed Aug 13, 2003 10:24 am
Posts: 55
Can/are the processes in question be built against libwrap?
Top
   
Reply with quote  
jvm
 Post subject:
PostPosted: Tue Feb 26, 2008 11:31 am 
Offline
Senior Newbie

Joined: Wed Dec 26, 2007 11:40 am
Posts: 10
Thanks for your feedback.

Unfortunately I'm trying to restrict precompiled binaries whose sources aren't available and indeed SELInux is too much for me to manage.

Still I could obtain the desired result by starting the processes I want to restrict with sudo, using a system account created for this purpose, and then deploying iptables rules that match the user id.

It surely isn't an elegant solution but still allows me to block processes easily. I should have thought about it earlier.
However I hope the option to restrict processes by name will come back in the future since with my current solution I still can't block only the parent process or the children. Fortunately I don't need this behaviour anymore so I can cope with the current limitations.
Thanks again for your suggestions, I'll keep them in mind if I bump again into similar issues.
Top
   
Reply with quote  
jdlspeedy
 Post subject:
PostPosted: Tue Feb 26, 2008 3:07 pm 
Offline
Senior Newbie

Joined: Thu Jan 31, 2008 8:25 pm
Posts: 6
Quote:
--pid-owner processid
Matches if the packet was created by a process with the given process id.

--sid-owner sessionid
Matches if the packet was created by a process in the given session group.

--cmd-owner name
Matches if the packet was created by a process with the given command name. (this option is present only if ipta-
bles was compiled under a kernel supporting this feature)

NOTE: pid, sid and command matching are broken on SMP


Try it with --uid-owner (uid)
Top
   
Reply with quote  
Display posts from previous:  Sort by  
Post new topic  Reply to topic

Board index » Linux Community Forums » Linux Networking


Who is online

Users browsing this forum: No registered users and 1 guest

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum

Search for:
Jump to:  
RSS

Powered by phpBB® Forum Software © phpBB Group