How to prevent an application from connecting to a network with iptables?

Question

I have read the manual page of iptables in terminal, but it has complicated syntax and I don't fully understand how to use options like: user, user ID, UUID and so on.

Suppose my username is foobar and I want to prevent an application from connecting to any kind of network. How do I do this?

score 1 · Answer 1 · edited Apr 13 '17 at 12:36

You can block all traffic for a user BLOCKUSER using the owner iptables module.

iptables -I INPUT -m owner --uid-owner BLOCKUSER -j REJECT
iptables -I OUTPUT -m owner --uid-owner BLOCKUSER -j REJECT

You can also use the DROP target instead of REJECT but this would only extend cause delays due to timeouts (see here for more discussion).

It could also be convenient/necessary to allow access to the loopback device:

iptables -I INPUT  -m owner --uid-owner BLOCKUSER ! -i lo -j REJECT
iptables -I OUTPUT -m owner --uid-owner BLOCKUSER ! -o lo -j REJECT

About your questions:

user is the username which you use to login and output of the whoami command.
UID is the numerical user ID (most time you can simply use the username instead of the UID, you can display it with the id command).
UUID is a Universally unique identifier and not directly used in iptables. (--uuid-owner is a typo)

The owner match is only available for the OUTPUT and POSTROUTING chain! See man iptables-extensions for details! — Robidu, Apr 04 '21 at 22:56

How to prevent an application from connecting to a network with iptables?

1 Answers1