Owner match:
The owner match extension is used to match packets based on the identity of the process that created them. The owner can be specified as the user ID of the user who issued the command in question, the group ID, the process ID, the session ID, or the command itself. The owner match only works within the OUTPUT chain, for obvious reasons: this module matches characteristics of the packet creator, and only locally generated packets have one. It is only valid in the OUTPUT chain, and even then some packets (such as ICMP ping responses) may have no owner and hence never match.
Iptables' owner match extension adds four match criteria to the iptables command:
--uid-owner UID: matches packets generated by a process whose user ID is UID.
--gid-owner GID: matches packets generated by a process whose group ID is GID.
--pid-owner PID: matches packets generated by a process whose process ID is PID.
--sid-owner SID: matches packets generated by a process whose session ID is SID.
To load this module, use the modprobe command: modprobe ipt_owner
General syntax:
-m owner --uid-owner 0
-m owner --uid-owner root
-m owner --gid-owner net
Example - by user (assuming a user name = nikesh)
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -m owner --uid-owner nikesh -j ACCEPT
iptables -A OUTPUT -j DROP
Example - by group (assuming a group name = other)
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -m owner --gid-owner other -j ACCEPT
iptables -A OUTPUT -j DROP
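As an added example (not from the original post), the script below generates the same per-user and per-group egress policy in iptables-restore format, resolving names to numeric IDs at generation time because iptables resolves --uid-owner/--gid-owner names only when a rule is loaded, so a saved ruleset would otherwise depend on the user database being readable at restore time. On current kernels the module is xt_owner and only the uid and gid criteria of the four listed above remain, so only those are generated. The function names, the "uid:NAME"/"gid:NAME" spec format and the OWNER-DROP log prefix are this example's own choices.

```shell
#!/bin/sh
# Added example: emit an OUTPUT chain policy that lets only the listed users or
# groups send traffic out of IFACE; everything else is logged and dropped.

# emit WORDS... -> print one rule line
emit() { printf '%s\n' "$*"; }

# lookup passwd|group NAME -> numeric id (third field), exit 1 if not found
lookup() {
    { getent "$1" "$2" 2>/dev/null || grep "^$2:" "/etc/$1"; } | cut -d: -f3 | grep .
}

# resolve_id passwd|group NAME_OR_NUMBER -> numeric id; numbers pass through
resolve_id() {
    case "$2" in
        ''|*[!0-9]*) lookup "$1" "$2" ;;
        *)           printf '%s\n' "$2" ;;
    esac
}

# owner_egress_rules IFACE SPEC... -> iptables-restore fragment on stdout
# SPEC is "uid:NAME" or "gid:NAME" (names or numeric ids); returns 1 on bad input
owner_egress_rules() {
    iface=$1; shift
    emit '*filter'
    emit -A OUTPUT -o lo -j ACCEPT                # loopback is always allowed, as in the post
    for spec in "$@"; do
        kind=${spec%%:*}; name=${spec#*:}
        case "$kind" in
            uid) db=passwd; opt=--uid-owner ;;
            gid) db=group;  opt=--gid-owner ;;
            *)   echo "bad spec: $spec" >&2; return 1 ;;
        esac
        num=$(resolve_id "$db" "$name") || { echo "unknown $kind: $name" >&2; return 1; }
        emit -A OUTPUT -o "$iface" -m owner "$opt" "$num" -j ACCEPT
    done
    # log (rate limited) before the final drop so blocked senders can be identified
    emit -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix '"OWNER-DROP: "'
    emit -A OUTPUT -j DROP
    emit COMMIT
}

# Apply as root (appends to existing rules, does not flush):
#   owner_egress_rules eth0 uid:nikesh gid:other | iptables-restore --noflush
```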