satanskin Guru
Joined: 25 Apr 2005 Posts: 353
Posted: Tue Jan 03, 2006 11:43 pm Post subject: Iptables to block on application level

Could someone help me or tell me how to write an iptables rule to block an entire application from using the net? For example, if I were to want to block Firefox completely from using the net at all (including the local network as well), how could I do that? Please don't tell me to just block port 80 or any other ports. I'm trying to block on the application level. Thank you.

kamikaze04 Guru
Joined: 28 Mar 2004 Posts: 366 Location: Valencia-Spain
Posted: Wed Jan 04, 2006 12:23 am Post subject:

You should have looked on Google for "iptables block application"; you would have found it on the first page for sure...
What you are looking for is using "iptables/netfilter".
Have fun
_________________
Everything you wanted to know about Google at: www.noticiasgoogle.es

desultory Bodhisattva
Joined: 04 Nov 2005 Posts: 9410
Posted: Wed Jan 04, 2006 1:08 am Post subject:

Like this:
Code:
    iptables -I OUTPUT -m owner --cmd-owner firefox -j DROP
Note that according to the man page this is broken on SMP.

satanskin Guru
Joined: 25 Apr 2005 Posts: 353
Posted: Wed Jan 04, 2006 4:46 am Post subject:

Now, does the owner have to be a specific name? I mean, how exactly would I find the "owner" name to use? For example, how do I know to use firefox, or mozilla, or mozilla-firefox, or deer park, etc.? Is there a way to find what comes across as the owner string?

slycordinator Advocate
Joined: 31 Jan 2004 Posts: 3065 Location: Korea
Posted: Wed Jan 04, 2006 4:53 am Post subject:

satanskin wrote:
> Now, does the owner have to be a specific name? I mean, how exactly would I find the "owner" name to use? For example, how do I know to use firefox, or mozilla, or mozilla-firefox, or deer park, etc.? Is there a way to find what comes across as the owner string?

A quick Google search indicates it's the actual program name, as in the name of the executable being run.
Like "deer park" would NOT be a correct one, because even when you have "deer park" installed you don't have an executable named that.

satanskin Guru
Joined: 25 Apr 2005 Posts: 353
Posted: Wed Jan 04, 2006 6:02 am Post subject:

desultory wrote:
> Like this:
> Code:
>     iptables -I OUTPUT -m owner --cmd-owner firefox -j DROP
> Note that according to the man page this is broken on SMP.

That command gives me the following in return:
Code:
    thor satanskin # iptables -I OUTPUT -m owner --cmd-owner firefox -j LOG
    iptables: Invalid argument
    thor satanskin # iptables -I OUTPUT -m owner --cmd-owner firefox -j DROP
    iptables: Invalid argument
And I can't find anything on Google so far about iptables and --cmd-owner.

slycordinator Advocate
Joined: 31 Jan 2004 Posts: 3065 Location: Korea
desultory Bodhisattva
Joined: 04 Nov 2005 Posts: 9410
Posted: Wed Jan 04, 2006 4:32 pm Post subject:

It looks as though your kernel lacks owner match support; install one that includes it.
The option to enable in your kernel configuration is located under 'Networking --->' -> 'Networking Options --->' -> 'Network packet filtering (replaces ipchains)' -> 'IP: Netfilter Configuration' as 'Owner match support'.

satanskin Guru
Joined: 25 Apr 2005 Posts: 353
Posted: Wed Jan 04, 2006 8:53 pm Post subject:

desultory wrote:
> It looks as though your kernel lacks owner match support; install one that includes it.
> The option to enable in your kernel configuration is located under 'Networking --->' -> 'Networking Options --->' -> 'Network packet filtering (replaces ipchains)' -> 'IP: Netfilter Configuration' as 'Owner match support'.

It's built in already.
EDIT: I'm pretty sure it is the --cmd-owner part that it is screwing up on.

jamapii l33t
Joined: 16 Sep 2004 Posts: 637
satanskin Guru
Joined: 25 Apr 2005 Posts: 353
Posted: Thu Jan 05, 2006 4:46 am Post subject:

Alright, I'm an idiot and I should have checked this earlier. But checking /var/log/messages shows this when trying to run that command:
Code:
    Jan 4 22:44:05 thor ipt_owner: pid, sid and command matching not supported anymore
So what's one supposed to do now!? This is a step in the wrong direction, guys!

desultory Bodhisattva
Joined: 04 Nov 2005 Posts: 9410
Posted: Thu Jan 05, 2006 6:11 pm Post subject:

Take another step in the wrong direction: downgrade to a supporting kernel, or port the old support into a new kernel (just avoid using that kernel with SMP).
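The thread stops at the kernel message that removed --cmd-owner. The script below is an added example, not code from this thread or from the iptables project. It assumes a kernel whose owner match (xt_owner) no longer accepts --cmd-owner but still accepts --uid-owner, and a LOG target that supports --log-uid; the application to be confined is assumed to run under a dedicated local user (here named `browser`, a name chosen for the example). It does three things: recognises the "command matching not supported anymore" line quoted above so a script can tell which kind of owner rule the kernel will take, emits uid-based log-then-drop rules for review instead of a per-command rule, and counts hits on those LOG rules per UID from kernel log text. The "appblock: " prefix, the function names and the sample log lines are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes xt_owner with --uid-owner
# but without --cmd-owner, and a LOG target with --log-uid. The application
# is run as a dedicated user so its sockets carry that user's UID.

# Return 0 (true) when a kernel log line is the notice the thread quotes,
# meaning pid/sid/command matching is gone from this kernel; 1 otherwise.
owner_cmd_match_unsupported() {
    case "$1" in
        *"ipt_owner: pid, sid and command matching not supported anymore"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the iptables commands that log and then drop every OUTPUT packet whose
# socket belongs to user $1. Printed, not executed, so the rules can be
# reviewed first; run the output as root to apply. DROP is inserted at
# position 1 first and LOG at position 1 second, so LOG ends up before DROP.
block_rules_for_user() {
    user="$1"
    printf 'iptables -I OUTPUT 1 -m owner --uid-owner %s -j DROP\n' "$user"
    printf 'iptables -I OUTPUT 1 -m owner --uid-owner %s -j LOG --log-uid --log-prefix "appblock: "\n' "$user"
}

# Read kernel log text on stdin and print "uid count" for each UID that hit
# the appblock LOG rule. --log-uid is what puts the UID= field in the line,
# so a confined application shows up as its UID with a rising count.
count_blocked_by_uid() {
    grep 'appblock: ' | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^UID=/) { split($i, kv, "="); n[kv[2]]++ }
    } END { for (u in n) print u, n[u] }' | sort -n
}

# Constructed sample log lines (not real captures) to exercise the functions.
SAMPLE_LOG='Jan  4 22:44:05 thor ipt_owner: pid, sid and command matching not supported anymore
Jan  4 22:50:01 thor kernel: appblock: IN= OUT=eth0 SRC=192.168.1.5 DST=192.0.2.10 PROTO=TCP SPT=45000 DPT=80 UID=1001 GID=1001
Jan  4 22:50:02 thor kernel: appblock: IN= OUT=eth0 SRC=192.168.1.5 DST=192.0.2.10 PROTO=TCP SPT=45001 DPT=443 UID=1001 GID=1001
Jan  4 22:50:03 thor kernel: appblock: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 PROTO=UDP SPT=5353 DPT=5353 UID=1002 GID=1002'

# Demo: show the rules for user "browser" and the per-UID hit counts.
main() {
    if printf '%s\n' "$SAMPLE_LOG" | head -n 1 | { read -r line; owner_cmd_match_unsupported "$line"; }; then
        echo "kernel rejects --cmd-owner; using --uid-owner rules instead"
    fi
    block_rules_for_user browser
    printf '%s\n' "$SAMPLE_LOG" | count_blocked_by_uid
}

case "${1:-}" in --demo) main ;; esac
```

Run it with `--demo` to see the rules and counts. Two caveats for anyone relying on this: the owner match only sees packets that belong to a local socket, so traffic the kernel generates on its own (ICMP errors, for instance) is not covered, and the rule confines whatever runs as that UID, so the application must genuinely be started as that user (e.g. via su or sudo -u) rather than as the desktop user.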