LinuxQuestions.org
Forum: Linux - Networking
Old 08-13-2009, 08:28 AM   #1
vansteen
LQ Newbie
 
Registered: Jul 2008
Posts: 7

Rep: Reputation: 0
How to allow/block application-specific outbound traffic?


Dear Forum,

I have a local application that requires access to a certain DNS server. So I want to allow this. However, I want to prevent all other local applications from accessing the same DNS server.

How can I establish this on Linux (Debian)?

Thanks in advance!
 
Old 08-13-2009, 08:38 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,671
Blog Entries: 54

Rep: Reputation: 2953
Quote:
Originally Posted by vansteen View Post
requires access to a certain DNS server.
Heh. Sounds ominous ;-p Add -j DROP rules for target, then check '/sbin/iptables -m owner --help' for ways to "anchor" -j ACCEPT rules to a UID / GID / PID / command?
 
Old 08-13-2009, 08:42 AM   #3
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
You'd use the --cmd-owner option in the owner module, but this is very dependent on the build of the kernel you're running, and many need a tweak and recompile to get the hook working. I don't think it's in my Fedora 11 kernel. Check the owner module here: http://iptables-tutorial.frozentux.n.../iptables.html

Last edited by acid_kewpie; 08-13-2009 at 08:43 AM.
 
Old 08-13-2009, 08:43 AM   #4
vansteen
LQ Newbie
 
Registered: Jul 2008
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn View Post
Heh. Sounds ominous ;-p Add -j DROP rules for target, then check '/sbin/iptables -m owner --help' for ways to "anchor" -j ACCEPT rules to a UID / GID / PID / command?
Thank you! Exactly what I was looking for!
 
Old 08-13-2009, 08:58 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,671
Blog Entries: 54

Rep: Reputation: 2953
Do note the remarks posted 4 minutes later though. If it ain't working there's other ways but it'll require a wee bit more work. I'm also curious why only this application should be allowed to access "a certain DNS server" but I prolly better not ask.
 
Old 08-13-2009, 09:49 AM   #6
vansteen
LQ Newbie
 
Registered: Jul 2008
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by acid_kewpie View Post
You'd use the --cmd-owner option in the owner module, but this is very dependent on the build of the kernel you're running, and many need a tweak and recompile to get the hook working. I don't think it's in my Fedora 11 kernel. Check the owner module here: http://iptables-tutorial.frozentux.n.../iptables.html
Thanks! "-owner --cmd-owner" is not available in Debian either. However, "-owner --uid-owner" seems to solve the problem too.
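Editor's worked example (added here; this is not code from the thread or from any of the posters). It shows the approach the thread converged on: run the one permitted application as its own dedicated user and let the iptables owner match key on that UID. The owner match only sees locally generated packets, so the rules belong in the OUTPUT chain, and for each protocol the owner-bound ACCEPT has to come before the catch-all DROP to the same server. The --cmd-owner, --pid-owner and --sid-owner options acid_kewpie mentions were removed from the kernel's owner match in 2.6.14, which is why neither a Fedora 11 nor a Debian kernel of the time has them; --uid-owner and --gid-owner remain and are the portable choice. The DNS server 10.8.0.1, the user "vpnapp" and its UID 1001 are hypothetical values for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Restrict outbound DNS to one
# application by running it as a dedicated UID and matching that UID with the
# iptables owner module. Hypothetical values: the VPN's DNS server is 10.8.0.1
# and the allowed application runs as UID 1001 (user "vpnapp").

# Emit the iptables commands (one per line) for DNS server $1 and allowed UID $2.
# The owner match is only valid for locally generated packets, hence OUTPUT,
# and the ACCEPT must precede the DROP for each protocol (UDP and TCP 53).
dns_owner_rules() {
    server="$1"
    uid="$2"
    for proto in udp tcp; do
        printf 'iptables -A OUTPUT -p %s -d %s --dport 53 -m owner --uid-owner %s -j ACCEPT\n' \
            "$proto" "$server" "$uid"
        printf 'iptables -A OUTPUT -p %s -d %s --dport 53 -j DROP\n' \
            "$proto" "$server"
    done
}

# Sanity check before applying: every DROP must be preceded by an owner-bound
# ACCEPT for the same protocol ($5 is the value after "-p"). Returns 0 if so.
check_rule_order() {
    dns_owner_rules "$1" "$2" | awk '
        /-j ACCEPT/ && /-m owner --uid-owner/ { seen[$5] = 1 }
        /-j DROP/ && !seen[$5]               { bad = 1 }
        END { exit bad }'
}

# Apply the rules when running as root with iptables available and show the
# resulting port-53 rules; otherwise print them as a dry run.
apply_dns_owner_rules() {
    check_rule_order "$1" "$2" || { echo "rule ordering broken, refusing to apply" >&2; return 1; }
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        dns_owner_rules "$1" "$2" | sh -e
        iptables -S OUTPUT | grep -- '--dport 53'
    else
        echo '# dry run (not root or no iptables); rules that would be applied:' >&2
        dns_owner_rules "$1" "$2"
    fi
}

# Verification once applied, from two different users (needs a DNS client such
# as dig; "host.example" is a placeholder name):
#   sudo -u vpnapp dig @10.8.0.1 host.example    # gets an answer
#   sudo -u nobody dig @10.8.0.1 host.example    # times out: hit the DROP
if [ "$#" -eq 2 ]; then
    apply_dns_owner_rules "$1" "$2"
fi
```

Two caveats a practitioner will want before relying on this. First, the match is on the UID that owns the sending socket, so the application must actually send the queries itself; if it resolves through a local caching daemon (nscd, dnsmasq or similar), the daemon's UID is what the rule sees and the UID-based split no longer distinguishes applications. Second, if an earlier rule in OUTPUT already drops or accepts traffic to that server, append (-A) is not enough: insert the owner-bound ACCEPT with -I at a position ahead of it, and confirm the order with iptables -S OUTPUT.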
 
Old 08-13-2009, 09:56 AM   #7
vansteen
LQ Newbie
 
Registered: Jul 2008
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn View Post
Do note the remarks posted 4 minutes later though. If it ain't working there's other ways but it'll require a wee bit more work. I'm also curious why only this application should be allowed to access "a certain DNS server" but I prolly better not ask.
The DNS-server provides VPN-specific information. The other applications are not supposed to access the VPN.
 
Old 08-13-2009, 10:56 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,671
Blog Entries: 54

Rep: Reputation: 2953
Thanks. I was hoping for something ominous or with more entertainment value but unfortunately it turns out to be all good, trustworthy default GNU/Linux stuff... Bummer ;-p
 
  

