0

I would like to know how I can filter the packets of a particular process using iptables. I read the documentation but I am still confused about how to use the --pid-owner processid option.

Corey
  • 43
  • 1
  • Instead of fiddling with iptables, create a network namespace + veth pair, forward from the veth pair in the main namespace, put the process (or several processes) in the namespace, and snoop with wireshark etc. on the veth pair. Simple to set up, easy to use. – dirkt Aug 11 '17 at 14:49
  • What do you mean by “filter”?  “block”?  “capture”? – Scott - Слава Україні Aug 12 '17 at 05:08

1 Answer

5

Matching by PID got removed in 2005. If your documentation mentions pid/sid options, it is out of date.

You can however match by user/group for filtering out (dropping) packets:

iptables -A OUTPUT -m owner --uid-owner "$USER" -j DROP

and similarly for group using the --gid-owner option instead. The group is matched against the process's primary group.

Note that rules are applied on first match: if an earlier rule matches, subsequent rules won't be evaluated.

sebasth
  • 14,872
  • Oh shoot!! :-( I really need to get traffic of one process, modify it and forward it to its original destination. @Sebasth or any one else has any suggestion to do this? – Corey Aug 11 '17 at 11:47
  • Running process as different user or group not an option? – sebasth Aug 11 '17 at 11:48
  • Is it possible to do this during runtime? I mean without logging out etc, just by running a command – Corey Aug 11 '17 at 11:50
  • @Corey For an already running process I can't think of any obvious way. Setting up a network namespace and veth pair as dirkt suggested is a reasonable solution, but I am not aware of a way to move an existing process between namespaces. If you want further details about how to set up a network namespace, a good article to get a quick overview: https://lwn.net/Articles/580893/ – sebasth Aug 11 '17 at 16:04
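The following script is an added example, not code from the answer or from any of the commenters. It turns the owner-match idea above into a small rule set for one dedicated group: loopback is accepted first, hits are logged (rate limited) and then dropped, and the rules are placed in their own chain so they can be removed cleanly. The ordering in the generated rules is the first-match behaviour the answer warns about, and rules_ordered checks it. run_in_group uses sg(1) to start a program with that group as its primary group, which is one way to get a newly started process under a different group without logging out (it does not help with a process that is already running). The group name "netfilter-test", the chain name OWNER_<group> and the legacy iptables syntax are assumptions; applying the rules needs root, while the generator and check functions run unprivileged.

```shell
#!/bin/sh
# Added example (not part of the original answer). Assumed values: group
# "netfilter-test", chain OWNER_<group>, legacy iptables syntax.

GROUP="${NETFILTER_GROUP:-netfilter-test}"   # assumed group; override via env

# Print the rules for one group, one iptables command per line.
# Order matters because iptables stops at the first terminating target:
#   1. loopback is ACCEPTed before anything else, otherwise DROP eats it,
#   2. LOG is non-terminating, so it precedes DROP and records each hit,
#   3. DROP is last; a rule appended after it would never be reached.
owner_rules() {
    grp="$1"
cat <<EOF
iptables -N OWNER_$grp
iptables -A OWNER_$grp -o lo -j ACCEPT
iptables -A OWNER_$grp -m limit --limit 5/min -j LOG --log-prefix "owner-drop $grp: "
iptables -A OWNER_$grp -j DROP
iptables -A OUTPUT -m owner --gid-owner $grp -j OWNER_$grp
EOF
}

# Print the commands that undo owner_rules, in reverse order: the jump from
# OUTPUT must be deleted before the chain can be flushed and removed.
owner_rules_undo() {
    grp="$1"
cat <<EOF
iptables -D OUTPUT -m owner --gid-owner $grp -j OWNER_$grp
iptables -F OWNER_$grp
iptables -X OWNER_$grp
EOF
}

# Succeed only if every ACCEPT/LOG rule comes before the DROP rule, i.e. the
# first-match ordering is respected. A misordered set exits non-zero.
rules_ordered() {
    owner_rules "$1" | awk '
        /-j DROP/               { drop = NR }
        /-j ACCEPT/ || /-j LOG/ { if (drop) bad = 1 }
        END                     { exit bad }'
}

# Apply or undo the rules for real; both require root.
apply_rules() { owner_rules "$GROUP" | sh -e; }
undo_rules()  { owner_rules_undo "$GROUP" | sh -e; }

# Start a command with GROUP as its primary group. The owner match looks at
# the gid owning the socket, which sg(1) sets for the new process; the caller
# must already be a member of GROUP.
run_in_group() { sg "$GROUP" -c "$*"; }

case "${1:-}" in
    apply) apply_rules ;;
    undo)  undo_rules ;;
    run)   shift; run_in_group "$@" ;;
    *)     owner_rules "$GROUP" ;;   # default: just show the rules
esac
```

Usage: `./owner-rules.sh` prints the rule set, `sudo ./owner-rules.sh apply` installs it, `./owner-rules.sh run curl http://example.invalid/` starts a command under the group (its non-loopback traffic is then logged and dropped), and `sudo ./owner-rules.sh undo` removes the chain again. The dropped packets show up in the kernel log with the "owner-drop" prefix, which gives a quick way to confirm the match is hitting the intended process before tightening anything further.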