I think there is no iptables/pf solution to only allow an XY application on e.g. outbound TCP port 80, eth0. So if I have a userid "500", then how could I block any other communications than the mentioned ones on port 80/outbound/tcp/eth0? (e.g. just privoxy is using port 80 on eth0)
Extra: VirtualBox uses port 80 too when a browser on the guest OS visits a site. How to declare that? Setting the normal user would be too much of a hole.
Answers:
Method 1
Here's the iptables command to allow a certain uid through a certain port.
iptables -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner username -j ACCEPT
From the man page:
[!] --uid-owner userid[-userid]
Matches if the packet socket’s file structure (if it has one) is owned by the given user. You may also specify a numerical UID, or an UID range.
As far as VirtualBox goes, I believe it runs its own kernel, so you might want to use the --uid-owner of VirtualBox on the host OS, but then have a --uid-owner rule on the virtual machine as well.
It might also be useful to note that --gid-owner also exists, and you could create a group browser and sgid your browser apps so they run with an effective group browser, and then only put users who you want to have browsing in that group. This would not be a perfect solution, but most users wouldn't try to run any other apps as that group, thus generally restricting the outbound to that application, I believe. I haven't tried this, so I'm not 100% sure that it would work as I've described.
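A worked example, added here and not taken from the answer above: a POSIX shell function that prints the complete OUTPUT ruleset for the question's case (uid 500, eth0, TCP/80). The ACCEPT line from the answer on its own only permits; it is the REJECT that follows it in the same chain that actually stops every other uid, and "-o eth0" ties the rule to the interface the question names. The uid, interface and port values are constructed for the example; the function only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Print (do not apply) an iptables OUTPUT ruleset that lets only one uid
# open TCP connections to one port on one interface, and logs and rejects
# every other locally generated attempt. Review the output, then run it as root.
owner_rules() {
  uid="$1" iface="$2" port="$3"
  # The values are interpolated into commands, so accept only sane tokens.
  case "$uid" in '' | *[!0-9]*) echo "uid must be numeric" >&2; return 1 ;; esac
  case "$port" in '' | *[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac
  case "$iface" in '' | *[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 1 ;; esac
  chain="APP_OUT_$port"
  cat <<EOF
iptables -N $chain
iptables -A OUTPUT -o $iface -p tcp -m tcp --dport $port -j $chain
iptables -A $chain -m owner --uid-owner $uid -j ACCEPT
iptables -A $chain -j LOG --log-prefix "port$port-denied: "
iptables -A $chain -j REJECT --reject-with tcp-reset
EOF
}

# The question's case (constructed values): uid 500 may use TCP/80 on eth0.
owner_rules 500 eth0 80
```

The owner match only sees packets that originate from a local socket, so with VirtualBox in NAT mode the host-side socket belongs to the uid running the VM process and the same rule applies, while in bridged mode the guest's packets never traverse the host's OUTPUT chain and this rule cannot see them at all.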
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.