19

I've been reading around but can't seem to find a way to create per-process firewall rules. I know about iptables --uid-owner, but that only works for outgoing traffic. I've considered scripting netstat and iptables, but this seems terribly inefficient, since if a process is only active for a small time-frame the script might miss it. Basically I want to enforce specific restrictions regarding port and dst on a process while leaving other processes unaffected. Any ideas?


For reference, SELinux can do exactly this and it works fairly well. Setup is a bit of a pain, though.

s3c
  • Maybe LXC (Linux Containers) will do the trick? http://lxc.sourceforge.net/ – nsg Feb 21 '12 at 13:29
  • What is so difficult about selinux? Sure there is a bit of a learning curve, but there are great tools, both graphical and command line, to assist with configuration. Support is available on IRC on #selinux as well as #fedora – Panther Dec 12 '13 at 21:59
  • Have you tried using Douane instead? http://askubuntu.com/a/330259/46437 – Aquarius Power Oct 08 '14 at 04:51
  • The firewalld GUI for iptables allows you to do exactly that, and it's fairly easy to use. – BKilpat01 Sep 11 '16 at 09:02

4 Answers

11

Your question is very similar to https://stackoverflow.com/questions/5451206/linux-per-program-firewall-similar-to-windows-and-mac-counterparts

There was the --cmd-owner for iptables's owner module, but it was removed because it did not work properly. Now a first beta version of Leopard Flower is available, which solves the problem with a user-space daemon.

In general a per-process firewall is not very useful unless you really isolate and restrict the programs. For this, you should look at security solutions like TOMOYO Linux, SELinux, AppArmor, grsecurity, SMACK,...

jofel
3

Easy, run your process under a different user and use '--uid-owner' :)

jirib
  • That was my first thought as well, but as I noted it doesn't work for listening processes. – s3c Feb 21 '12 at 13:13
  • What exactly is your intention? To be sure a specific owner/process has its own open ports for incoming/outgoing connections? – jirib Feb 22 '12 at 08:18
  • The intent is to whitelist a program. Paranoia dictates that malicious apps could be remotely controlled or control the computer. It is a safeguard against simple automated attacks. – John Oct 15 '20 at 14:33
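
To make the --uid-owner approach, and the limit s3c raises in the comments, concrete, here is an added example; it is not code from any poster in this thread. The account name svc, the peer 203.0.113.10, TCP port 443 and the listener port 8443 are assumptions for illustration. The functions print iptables commands instead of running them, so the file can be read and tested unprivileged; pipe the output into sh as root to apply it.

```shell
#!/bin/sh
# Added example (not from the thread): confine the traffic a dedicated
# service account may *originate* with the xt_owner match, and show why the
# same match cannot cover the connections that account *accepts*.
# Assumed for illustration: account "svc", peer 203.0.113.10, TCP 443,
# listener port 8443, allowed client range 198.51.100.0/24.

# owner_rule CHAIN USER MATCHES... : one rule using the owner match.
# The owner match is only valid in OUTPUT and POSTROUTING (it needs the
# local socket that produced the packet), so any other chain is refused.
owner_rule() {
    chain=$1 user=$2
    shift 2
    case $chain in
        OUTPUT|POSTROUTING) ;;
        *) echo "owner match is not valid in $chain (OUTPUT/POSTROUTING only)" >&2
           return 1 ;;
    esac
    printf 'iptables -A %s -m owner --uid-owner %s %s\n' "$chain" "$user" "$*"
}

# uid_owner_rules USER DST DPORT : allow USER's own connections to DST:DPORT
# over TCP plus DNS lookups, and drop everything else USER sends. Traffic
# from other uids never hits these rules, which is the point of the answer
# above. Packets of an allowed connection keep matching the first rule
# (same destination and port), so no separate ESTABLISHED rule is needed.
uid_owner_rules() {
    user=$1 dst=$2 dport=$3
    owner_rule OUTPUT "$user" -d "$dst" -p tcp --dport "$dport" -j ACCEPT
    owner_rule OUTPUT "$user" -p udp --dport 53 -j ACCEPT
    owner_rule OUTPUT "$user" -j DROP
}

# listen_rules DPORT SRC : the closest INPUT-side equivalent. Because owner
# cannot match inbound packets, this keys on the listening port, so it
# restricts whichever process binds DPORT, not one particular process.
# That is exactly the gap s3c points out in the comments.
listen_rules() {
    dport=$1 src=$2
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$dport" "$src"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$dport"
}

# run_as USER CMD... : start the program under the service account so every
# socket it opens carries that uid (runuser is from util-linux; where it is
# missing, su -s /bin/sh -c works the same way).
run_as() {
    user=$1
    shift
    runuser -u "$user" -- "$@"
}

uid_owner_rules svc 203.0.113.10 443
listen_rules 8443 198.51.100.0/24
```

Running the file prints five rules: three OUTPUT rules scoped to uid svc and two INPUT rules scoped to the port only. Asking owner_rule for an INPUT rule fails on purpose, which is the whole reason the accepted-connection side has to fall back to port-based rules here.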
0

Look at man 8 iptables-extensions and the "cgroup" option, which may allow filtering on sockets associated with a specific cgroup2 hierarchy. If you can get the specific process to run in a unique cgroup, this may work on both the OUTPUT and INPUT chains; however, the man page gives a caveat about using it in the INPUT chain, so definitely test, and YMMV depending on the process/program.
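
As an added example of the cgroup approach this answer describes (not code from the poster), the following assumes a unified cgroup2 hierarchy mounted at /sys/fs/cgroup, a cgroup named svc created directly under its root, peer 203.0.113.10, TCP port 443 and an allowed client range 198.51.100.0/24; all of these are illustrative. It needs a kernel and iptables build that support cgroup2 path matching. Rules are printed, not applied, so it runs unprivileged; only confine needs root.

```shell
#!/bin/sh
# Added example (not from the thread): one process in its own cgroup2,
# matched by iptables "-m cgroup --path". Assumed for illustration: cgroup
# "svc" under the cgroup2 root, peer 203.0.113.10, TCP 443, client range
# 198.51.100.0/24.

CGROUP_ROOT=${CGROUP_ROOT:-/sys/fs/cgroup}

# have_cgroup2 : the unified hierarchy exposes cgroup.controllers at its
# root; without it --path has nothing to match against.
have_cgroup2() {
    [ -f "$CGROUP_ROOT/cgroup.controllers" ]
}

# cgroup_rules NAME DST DPORT SRC : rules for sockets created inside cgroup
# NAME (or any descendant). --path is relative to the cgroup2 root.
cgroup_rules() {
    name=$1 dst=$2 dport=$3 src=$4
    # OUTPUT: the socket is known when the packet is built, so this is the
    # reliable direction, and it restricts dst and port per process, which
    # is what the question asks for.
    printf 'iptables -A OUTPUT -m cgroup --path %s -d %s -p tcp --dport %s -j ACCEPT\n' "$name" "$dst" "$dport"
    printf 'iptables -A OUTPUT -m cgroup --path %s -j DROP\n' "$name"
    # INPUT: this is the caveat the man page gives. The match only sees
    # packets that early socket demux has already tied to a local socket,
    # and that lookup finds established sockets, not the listener, so the
    # SYN that opens a connection slips past this rule. Keep it as an extra
    # layer and leave a port-based INPUT rule as the real gate.
    printf 'iptables -A INPUT -m cgroup --path %s ! -s %s -j DROP\n' "$name" "$src"
}

# confine NAME CMD... : create the cgroup, move this shell into it, then
# exec the program. Everything the program forks inherits the cgroup, so
# the rules follow the whole process tree. Needs root; under systemd,
# "systemd-run --scope -u NAME CMD" creates the scope for you, and
# "systemctl status NAME.scope" shows the path to use after --path.
confine() {
    name=$1
    shift
    have_cgroup2 || { echo "no cgroup2 hierarchy at $CGROUP_ROOT" >&2; return 1; }
    mkdir -p "$CGROUP_ROOT/$name"
    echo $$ > "$CGROUP_ROOT/$name/cgroup.procs"
    exec "$@"
}

cgroup_rules svc 203.0.113.10 443 198.51.100.0/24
# As root, after applying the rules:  confine svc /usr/local/bin/myservice
```

Compared with --uid-owner, the cgroup match does not need a separate user account and does give you an INPUT-side handle on the process, but only for packets the kernel has already attributed to a socket. Verify the INPUT rule against your program with a packet counter (iptables -L INPUT -v) before relying on it.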

0

Although not (entirely) based on iptables, you could use this. It works on a per-app basis, though it does have some other options.

Check out the wiki for installation and other troubleshooting.