Application-based packet filtering on Linux

iptables can’t filter on process ID or any other “direct” application identifier, which means you can’t say things like, “Allow only Firefox to send/receive any packets.” However, it can filter on user/group ID, allowing you to do user-based packet filtering, so that you can at least restrict applications if you run each of them as a dedicated uid/gid. The owner module (xt_owner) matches the owner of the local socket that generated the packet (see man iptables for details).

# iptables -m owner --help
iptables v1.4.4
[...]
owner match options:
[!] --uid-owner userid[-userid]      Match local UID
[!] --gid-owner groupid[-groupid]    Match local GID
[!] --socket-exists                  Match if socket exists

Of course, this all applies only to local sockets; if this system is serving as a router for other hosts, then you don’t have the uid/gid information for their sockets (if their OS even has those notions).
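As an added example (not from the original post), here is one way to turn the owner match into a per-application policy: run the application as a dedicated account, jump its locally generated traffic into its own chain, and allow only what it needs. The account name "browser" and the allowed ports are assumptions; by default the script only prints the rules it would install, and the owner match is used on OUTPUT only because it matches locally generated packets, not forwarded ones.

```shell
#!/bin/sh
# Added example: restrict one application to a dedicated uid with xt_owner.
# Assumes the application is launched as the hypothetical user "browser"
# and may only do DNS lookups (udp/53) and outbound TCP to ports 80/443.
APP_USER="${APP_USER:-browser}"                  # hypothetical account
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-80,443}"
DRY_RUN="${DRY_RUN:-1}"                          # 1 = print, 0 = apply

# Every rule goes through here, so a dry run shows exactly what would
# be installed; set DRY_RUN=0 and run as root to apply for real.
rule() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Build the policy for one uid. Only OUTPUT is hooked: the owner match
# needs the local socket that created the packet, so it applies to
# locally generated traffic and not to packets routed for other hosts.
owner_rules() {
    user="$1"; tcp_ports="$2"; chain="APP_${user}"
    rule -N "$chain"
    rule -A OUTPUT -m owner --uid-owner "$user" -j "$chain"
    # Replies on flows this uid already opened, then DNS, then the
    # explicitly allowed TCP ports.
    rule -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A "$chain" -p udp --dport 53 -j ACCEPT
    rule -A "$chain" -p tcp -m multiport --dports "$tcp_ports" -j ACCEPT
    # Log and drop anything else this uid tries to send, so unexpected
    # connections show up in the kernel log instead of silently leaving.
    rule -A "$chain" -j LOG --log-prefix "${chain} DROP: "
    rule -A "$chain" -j DROP
}

owner_rules "$APP_USER" "$ALLOWED_TCP_PORTS"
```

Run the confined application with something like `sudo -u browser firefox` so its sockets carry the restricted uid.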

  • Neha Narula

    what about CLONE_NEWNET?

  • Thanks, I didn’t know about network namespaces; looks like another way to get at per-application packet filtering. I’m glad you work on Native Client. 🙂