Quote:
Originally Posted by unSpawn
Not that I'm aware of. Should be /lib/modules/${VERSION}/kernel/net/netfilter/*owner*.ko.
I had compiled my kernel without the netfilter owner module; I didn't see that NETFILTER_ADVANCED had to be selected for the additional filters to be shown in xconfig (and I compiled it a year ago, when I didn't need iptables either).
Quote:
Originally Posted by unSpawn
No, that's for negation.
You are right, at first sight I thought the options were negated like "--option ! <param>" instead of "! --option <param>" and the notation in the manual confused me.
Quote:
Originally Posted by unSpawn
Since you haven't given any reason why you would be doing that I'll just list possibilities regardless of invasiveness, feasibility, etc, etc:
- block outbound --syn and --state NEW connections if specific ports are used,
I want to allow network access for the rest of the users on the same ports.
Quote:
Originally Posted by unSpawn
- LD_PRELOAD a wrapper that intercepts network-related system calls,
That would work, I didn't know that.
Quote:
Originally Posted by unSpawn
- run the application inside a network-restricted LXC or VM,
That would also work, but I prefer not to use a VM.
Quote:
Originally Posted by unSpawn
- use a MAC that can govern network access like GRSecurity.
Very interesting, I will take a look at that.
I am compiling the kernel again, this time with the filters (I had searched the kernel config for the netfilter options but couldn't see them, and thought they were deprecated... dumb me). I will try iptables again, or go with one of the alternatives you gave. Thanks a lot for your help!
Dån
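As an added example (not code from either poster), the iptables approach discussed above: block one user's new outbound TCP connections on chosen ports with the owner match, while every other user keeps access to those same ports, plus the inverse rule that uses the `! --uid-owner` negation form the manual shows. The helper function names, the check for `CONFIG_NETFILTER_XT_MATCH_OWNER` in `/boot/config-$(uname -r)` and the `xt_owner.ko` module path are my assumptions about a typical distribution layout. The rules go in the OUTPUT chain because the owner match only sees locally generated packets; it matches the socket's owner, so a process the user can run as root (sudo, setuid) is not covered.

```shell
#!/bin/sh
# Added example: per-user outbound blocking with the iptables owner match.
# The functions print iptables commands; pipe them to 'sudo sh' to apply.
# Assumed paths: /boot/config-$(uname -r) and
# /lib/modules/$(uname -r)/kernel/net/netfilter/xt_owner.ko (possibly compressed).

# Does this kernel have the owner match? Its Kconfig symbol is
# CONFIG_NETFILTER_XT_MATCH_OWNER, which depends on NETFILTER_ADVANCED.
owner_match_available() {
    cfg="/boot/config-$(uname -r)"
    ko="/lib/modules/$(uname -r)/kernel/net/netfilter/xt_owner.ko"
    if [ -r "$cfg" ] && grep -q '^CONFIG_NETFILTER_XT_MATCH_OWNER=[ym]' "$cfg"; then
        return 0
    fi
    [ -e "$ko" ] || [ -e "$ko.xz" ] || [ -e "$ko.gz" ] || [ -e "$ko.zst" ]
}

# valid_ports LIST: LIST is a comma-separated list of ports in 1..65535,
# as accepted by '-m multiport --dports'. Returns 1 on anything else.
valid_ports() {
    [ -n "$1" ] || return 1
    old_ifs=$IFS
    IFS=','
    for p in $1; do
        case "$p" in
            ''|*[!0-9]*) IFS=$old_ifs; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            IFS=$old_ifs
            return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

# block_user_ports USER PORTS: reject new TCP connections (--syn) that USER's
# processes open to PORTS. Other users and already established flows are
# untouched. USER may be a name or a numeric uid.
block_user_ports() {
    valid_ports "$2" || return 1
    printf 'iptables -A OUTPUT -p tcp --syn -m multiport --dports %s -m owner --uid-owner %s -j REJECT\n' "$2" "$1"
}

# allow_only_user_ports USER PORTS: the inverse policy. Note the negation goes
# before the option ('! --uid-owner'), not after it.
allow_only_user_ports() {
    valid_ports "$2" || return 1
    printf 'iptables -A OUTPUT -p tcp --syn -m multiport --dports %s -m owner ! --uid-owner %s -j REJECT\n' "$2" "$1"
}

# Usage: sh thisfile.sh USER PORTS   (prints the blocking rule; pipe to 'sudo sh')
if [ $# -eq 2 ]; then
    owner_match_available || echo "warning: owner match not found in kernel config or modules" >&2
    block_user_ports "$1" "$2"
fi
```

Check the result with `iptables -L OUTPUT -v -n` (the owner rule's counters should climb only when the restricted user connects) and test from that user's shell with something like `nc -vz host 443`, which should fail immediately with connection refused while another user succeeds.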