I think there is no iptables/pf solution to only allow an XY application on e.g.: outbound tcp port 80, eth0. So if I have a userid: "500" then how could I block any other communications than the mentioned one on port 80/outbound/tcp/eth0? (e.g.: just privoxy is using port 80 on eth0)
Extra: virtualbox uses port 80 too? when a browser on the guest OS visits a site.. how to declare that? - setting the normal user would be too much of a hole

admittedly it might be easier if you split this question into 2 (or more) questions... the bsd stuff is going to be way different from the linux stuff... and then in many ways you also have a virtual box question. I personally think that "how do I only allow application/user XY through iptables" and "how do I only allow application/user XY through pf" are good questions. – xenoterracide May 03 '11 at 09:03
1 Answer
here's the iptables command to allow for a certain uid through a certain port.

iptables -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner username -j ACCEPT

from the man page:

[!] --uid-owner userid[-userid] Matches if the packet socket's file structure (if it has one) is owned by the given user. You may also specify a numerical UID, or an UID range.
as far as virtualbox.. I believe it runs its own kernel... so you might want to use the --uid-owner of virtualbox on the host OS, but then have a --uid-owner rule on the virtual machine as well.

It might also be useful to note that --gid-owner also exists, and you could create a group browser and sgid your browser apps so it runs with an effective group browser and then only put users who you want to have browsing in that group... this would not be a perfect solution... but most of the users wouldn't try to run any other apps as that group, thus generally restricting the outbound to that application I believe. I haven't tried this, so I'm not 100% that it would work as I've described.
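A worked version of that rule set, added here as an example (it is not part of the original answer or anything the question's author posted): it builds a complete OUTPUT policy for the uid 500 / eth0 / port 80 case from the question, so that everything else that owner sends is logged and rejected while other users are untouched, and it accepts a gid as well as a uid so the --gid-owner idea is covered too. The chain name APP_EGRESS and the log prefix are this example's own choices, not anything from the page.

```shell
#!/bin/sh
# Added example, not the original answer's code: generate an iptables OUTPUT
# policy that lets one owner (a UID or a GID) send only TCP/80 out of one
# interface, and logs + rejects every other packet that owner generates.
# uid 500, eth0 and port 80 come from the question; the chain name APP_EGRESS
# and the log prefix are assumptions made for this example.
#
# Notes on the rules produced:
#  - the OUTPUT rule only diverts packets whose socket belongs to the owner,
#    so other users' traffic never enters APP_EGRESS;
#  - lo is accepted because a local proxy (privoxy) answers the browser on
#    the loopback interface with sockets owned by the same uid;
#  - REJECT (not DROP) makes a blocked program fail immediately instead of
#    hanging on timeouts, and the rate-limited LOG line shows what was
#    blocked in the kernel log.

# build_rules KIND ID IFACE PORT
#   KIND is "uid" or "gid" and selects --uid-owner or --gid-owner.
build_rules() {
  kind="$1"; id="$2"; iface="$3"; port="$4"
  case "$kind" in
    uid|gid) ;;
    *) echo "build_rules: KIND must be uid or gid" >&2; return 1 ;;
  esac
  cat <<EOF
iptables -N APP_EGRESS
iptables -A OUTPUT -m owner --${kind}-owner ${id} -j APP_EGRESS
iptables -A APP_EGRESS -o lo -j ACCEPT
iptables -A APP_EGRESS -o ${iface} -p tcp --dport ${port} -j ACCEPT
iptables -A APP_EGRESS -m limit --limit 5/min -j LOG --log-prefix "APP_EGRESS reject: "
iptables -A APP_EGRESS -j REJECT --reject-with icmp-port-unreachable
EOF
}

# rule_count KIND ID IFACE PORT: number of iptables commands in the policy.
rule_count() {
  build_rules "$@" | wc -l | tr -d ' '
}

# By default only print the commands; apply them (as root) when APPLY=1.
# "sh -e" stops at the first failing command, e.g. if APP_EGRESS already exists.
if [ "${APPLY:-0}" = 1 ]; then
  build_rules uid 500 eth0 80 | sh -e
else
  build_rules uid 500 eth0 80
fi
```

Two caveats worth keeping in mind when using this. The owner match only exists for locally generated packets (OUTPUT and POSTROUTING), so it says nothing about inbound traffic. For VirtualBox, whether the host-side rule sees the guest's traffic depends on the guest's network mode: in NAT mode the VirtualBox process itself opens the outbound sockets, so a --uid-owner rule for the account running VirtualBox applies; in bridged mode the guest's frames are injected below the host's socket layer and never belong to a host process, so an owner rule on the host cannot match them and the filtering has to happen inside the guest, as the answer suggests.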
