The owner match extension is used to match packets based on the identity of the process that created them. The owner can be specified as the process ID either of the user who issued the command in question, that of the group, the process, the session, or that of the command itself. This extension was originally written as an example of what iptables could be used for. The owner match only works within the OUTPUT chain, for obvious reasons: It is pretty much impossible to find out any information about the identity of the instance that sent a packet from the other end, or where there is an intermediate hop to the real destination. Even within the OUTPUT chain it is not very reliable, since certain packets may not have an owner. Notorious packets of that sort are (among other things) the different ICMP responses. ICMP responses will never match.
Table 10-24. Owner match options
Match: --cmd-owner
Kernel: 2.3, 2.4, 2.5 and 2.6
Example: iptables -A OUTPUT -m owner --cmd-owner httpd
Explanation: This is the command owner match, and is used to match based on the command name of the process that is sending the packet. In the example, httpd is matched. This match may also be inverted by using an exclamation sign, for example -m owner ! --cmd-owner ssh.
I tried to add a rule for my torrent client with
Code:
iptables -A OUTPUT -m owner --cmd-owner transmission -j ACCEPT
However, iptables kicks it back with
Code:
iptables v1.4.4: unknown option `--cmd-owner'
Try `iptables -h' or 'iptables --help' for more information.
The mode isn't even referenced in the iptables man page on my system. Am I missing something?
Ok, so I guess that iptables connection tracking by process has been broken since kernel 2.0.0 (SMP). I want to set up some rules based on the command name. Any ideas on how I can do this?
Can anyone give some advice on setting up rules in iptables based on the owning PROCESS rather than the process OWNER? I would like to allow traffic based on the command. Since -m owner --cmd-owner has been broken since the release of the SMP kernels, what can I do?
replacement for -m owner --cmd-owner in iptables??
Has anyone found a way to allow / disallow traffic based on PID or command name, since -m owner --cmd-owner is currently broken since kernel release 2.0? I see that I can build rules based on user and group ID. However, I have been unable to figure out a way to build rules based on PID / command.
Could really use some input. I have seen dynamic rule scripts, which are not really what I need to do. Is it possible to do this without needing a "10 pound hammer" (i.e. using iptables only)?
I could really use the help. At this point I have only been able to find references to automated rule generation based on user or port. USER based would be too wide open and PORT would cause such a pain in the logs.
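One way to get per-program control with the owner matches the kernel still supports, added here as an example that is not from this thread: run the program under a dedicated group and match on --gid-owner in the OUTPUT chain (the same match family as --uid-owner mentioned above). Everything in this script is my assumption, not the thread's: a group that the administrator has already created (its name is passed as the first argument), iptables and sg(1) installed, and root for the real run; with DRY_RUN=1 the functions only print the commands they would run.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes: group already exists,
# iptables and sg(1) available, root when DRY_RUN is unset.

# run_cmd: execute the command, or just print it when DRY_RUN=1.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# owner_rules GROUP POLICY
# POLICY is ACCEPT (allow-list this program's traffic) or DROP (deny it).
# Packets are logged first so the decision shows up in the kernel log,
# then the policy is applied to every packet whose socket is owned by GROUP.
owner_rules() {
    grp="$1"
    policy="$2"
    case "$policy" in
        ACCEPT|DROP) ;;
        *) echo "owner_rules: policy must be ACCEPT or DROP, got '$policy'" >&2
           return 1 ;;
    esac
    run_cmd iptables -A OUTPUT -m owner --gid-owner "$grp" -j LOG --log-prefix "owner-$grp:"
    run_cmd iptables -A OUTPUT -m owner --gid-owner "$grp" -j "$policy"
}

# run_in_group GROUP CMD [ARGS...]
# Starts the program with GROUP as its primary group, so the sockets it
# opens carry that gid and the rules above match them. Uses sg(1).
run_in_group() {
    grp="$1"
    shift
    run_cmd sg "$grp" -c "$*"
}

# Usage (as root, after: groupadd torrent; usermod -aG torrent youruser):
#   owner_rules torrent ACCEPT
#   run_in_group torrent transmission-gtk
```

The rules key on the gid of the socket, not on the executable name, so a setgid binary or a program started through sg both match. The caveat a practitioner should keep in mind: a process can change its own group (setgid, exec of something else), so this enforces policy for programs you trust to stay in their group; it is not isolation against a process that actively tries to escape it. The user running the program must be a member of the group, otherwise sg prompts for the group password.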
I've been looking for this functionality for years and I've never run across it. I just found out about the --cmd-owner IPTables option, so I guess my searches have been poor. But that doesn't work with Xbuntu 9 or Ubuntu 10, so what's the answer? There are several firewalls that work at the app level on Windows - heck, even the built-in Win7 firewall does - and there's a really nice one for iOS (FirewallIP). Surely, oh surely, there must be something in Linux that lets you set networking permissions on a per-program basis.
The closest I came to finding a way to do this was with L-7 User Space. You can read up on it here. Still wasn't what I needed. Then again, my jedi skills are lacking and it may be the fix.