LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   How to allow/block application-specific outbound traffic? (http://www.linuxquestions.org/questions/linux-networking-3/how-to-allow-block-application-specific-outbound-traffic-747260/)

vansteen 08-13-2009 07:28 AM

How to allow/block application-specific outbound traffic?
 
Dear Forum,

I have a local application that requires access to a certain DNS server, so I want to allow this. However, I want to prevent all other local applications from accessing the same DNS server.

How can I establish this on Linux (Debian)?

Thanks in advance!

unSpawn 08-13-2009 07:38 AM

Quote:

Originally Posted by vansteen (Post 3641778)
requires access to a certain DNS server.

Heh. Sounds ominous ;-p Add -j DROP rules for target, then check '/sbin/iptables -m owner --help' for ways to "anchor" -j ACCEPT rules to a UID / GID / PID / command?

acid_kewpie 08-13-2009 07:42 AM

You'd use the --cmd-owner option in the owner module, but this is very dependent on the build of the kernel you're running, and many need a tweak and recompile to get the hook working - I don't think it's in my Fedora 11 kernel. Check the owner module here: http://iptables-tutorial.frozentux.n.../iptables.html

vansteen 08-13-2009 07:43 AM

Quote:

Originally Posted by unSpawn (Post 3641784)
Heh. Sounds ominous ;-p Add -j DROP rules for target, then check '/sbin/iptables -m owner --help' for ways to "anchor" -j ACCEPT rules to a UID / GID / PID / command?

Thank you! Exactly what I was looking for!

unSpawn 08-13-2009 07:58 AM

Do note the remarks posted 4 minutes later though. If it ain't working there's other ways but it'll require a wee bit more work. I'm also curious why only this application should be allowed to access "a certain DNS server" but I prolly better not ask.

vansteen 08-13-2009 08:49 AM

Quote:

Originally Posted by acid_kewpie (Post 3641788)
You'd use the --cmd-owner option in the owner module, but this is very dependent on the build of the kernel you're running, and many need a tweak and recompile to get the hook working - I don't think it's in my Fedora 11 kernel. Check the owner module here: http://iptables-tutorial.frozentux.n.../iptables.html

Thanks! "-owner --cmd-owner" is not available in Debian either. However, "-owner --uid-owner" seems to solve the problem too.
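A worked version of the approach the thread converged on (per-UID ACCEPT rules in front of a catch-all DROP, using `-m owner --uid-owner`), as an added example that is not vansteen's or unSpawn's own script. It assumes a DNS server at 192.0.2.53 (RFC 5737 documentation address, constructed) and that the VPN-aware application runs as a dedicated user `vpnapp`; the uid 1001 in `check_order` is likewise constructed. `--cmd-owner`, `--pid-owner` and `--sid-owner` were removed from the kernel's owner match in 2.6.14, which is why Debian's iptables lacks them, whereas `--uid-owner` (a name or a numeric uid) is the portable option. The owner match only exists in the OUTPUT and POSTROUTING chains, so it covers locally generated packets only; if INPUT does not default to ACCEPT, the replies still need an ESTABLISHED rule there, and if the application resolves through a local caching daemon such as nscd, the queries will carry that daemon's uid rather than the application's.

```shell
#!/bin/sh
# Added example, not from the thread. Restrict one DNS server to a single local
# UID with the iptables owner match; every other local process is dropped.
# Assumptions (constructed): DNS server 192.0.2.53, application user "vpnapp".

# Emit the rules as shell commands (dry run). Order matters: iptables stops at
# the first matching rule, so the per-user ACCEPTs must precede the DROPs.
gen_rules() {
  dns="$1"
  user="$2"
  for proto in udp tcp; do
    printf 'iptables -A OUTPUT -d %s -p %s --dport 53 -m owner --uid-owner %s -j ACCEPT\n' \
      "$dns" "$proto" "$user"
  done
  # Catch-all for everything else from this host to that resolver. The owner
  # match is only valid in OUTPUT/POSTROUTING, which is where these live.
  printf 'iptables -A OUTPUT -d %s -p udp --dport 53 -j DROP\n' "$dns"
  printf 'iptables -A OUTPUT -d %s -p tcp --dport 53 -j DROP\n' "$dns"
}

# Apply the policy for real (needs root). Kept separate from gen_rules so the
# rules can be reviewed or diffed before they touch the live firewall.
apply_rules() {
  gen_rules "$1" "$2" | sh
}

# Audit a saved ruleset (the text of `iptables -S OUTPUT`): succeed only if an
# ACCEPT for the given uid is listed before any DROP for the same server.
# This catches the classic mistake of appending the ACCEPT after the DROP,
# which silently blocks the application too. iptables -S prints numeric uids.
check_order() {
  dns="$1"
  uid="$2"
  printf '%s\n' "$3" | awk -v dns="$dns" -v uid="$uid" '
    index($0, "-d " dns "/32") && index($0, "--uid-owner " uid " ") \
      && index($0, "-j ACCEPT") && !acc { acc = NR }
    index($0, "-d " dns "/32") && index($0, "-j DROP") && !drop { drop = NR }
    END { exit !(acc && drop && acc < drop) }'
}

# Dry run: print what would be applied for the assumed server and user.
gen_rules "${DNS_SERVER:-192.0.2.53}" "${APP_USER:-vpnapp}"
```

Run it as-is to see the four rules, then `apply_rules 192.0.2.53 vpnapp` as root to install them, and feed the output of `iptables -S OUTPUT` to `check_order` afterwards to confirm the ordering survived whatever else manages the firewall on the box. Using DROP rather than REJECT means a misconfigured client hangs on resolver timeouts instead of failing fast; swap in `-j REJECT` if that is preferable on a workstation.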

vansteen 08-13-2009 08:56 AM

Quote:

Originally Posted by unSpawn (Post 3641805)
Do note the remarks posted 4 minutes later though. If it ain't working there's other ways but it'll require a wee bit more work. I'm also curious why only this application should be allowed to access "a certain DNS server" but I prolly better not ask.

The DNS-server provides VPN-specific information. The other applications are not supposed to access the VPN.

unSpawn 08-13-2009 09:56 AM

Thanks. I was hoping for something ominous or with more entertainment value but unfortunately it turns out to be all good, trustworthy default GNU/Linux stuff... Bummer ;-p


All times are GMT -5.