Hi, i'm using slackware ~13, with iptables v1.4.7 and I thought the owner module was built in the kernel, but it is not (is now already deprecated? does that mean the ! in the manual?). I want to prevent internet access for a user, or at least, some apps I will be running under that account. How can this be done? thanks in advance!

Dån

Not that I'm aware of. Should be /lib/modules/${VERSION}/kernel/net/netfilter/*owner*.ko.


No, that's for negation.


Since you haven't given any reason why you would be doing that I'll just list possibilities regardless of invasiveness, feasibility, etc, etc:
- block outbound --syn and --state NEW connections if specific ports are used,
- LD_PRELOAD a wrapper that intercepts network-related system calls,
- run the application inside a network-restricted LXC or VM,
- use a MAC that can govern network access like GRSecurity.

I had compiled my kernel without the netfilter owner module, didn't see NETFILTER_ADVANCED had to be selected for the additional filters to be shown in xconfig (and compiled it a year ago, when I didn't need iptables, also)

You are right, at first sight I thought the options were negated like "--option ! <param>" instead of "! --option <param>" and the notation in the manual confused me.

I want to allow network access for the rest of the users in the same ports

That would work, I didn't knew that

That would also work, but I prefer not to use a VM

Very interesting, I will take a look at that.


I am compiling the kernel again, this time with the filters (I had searched the kernel config for the netfilter options but couldn't see them, thought they were deprecated... dumb me). I will try iptables again, or go with one of the alternatives you gave. Thanks a lot for your help!

Dån