08-14-2005 #1 Just Joined! (Join Date: Aug 2005, Posts: 1)
iptables - Opening a port for a certain application only
Hi
iptables-problem:
How can I open a certain port (say 80) for a certain program only (say Mozilla Firefox)? So that other programs (e.g. Konqueror) are not able to use this port.
sth like:
iptables -A OUTPUT -program ! "Mozilla Firefox" --sport 80 -j DROP
thx xadian
08-14-2005 #2 Linux Engineer (Join Date: Apr 2005, Location: Belgium, Posts: 1,429)
I don't think that is possible...
** Registered Linux User # 393717 and proud of it
** Check out www.zenwalk.org
** Zenwalk 2.8 - Xfce 4.4 beta 2- 2.6.17.6 kernel = Slack on steroids! **
08-25-2005 #3 Just Joined! (Join Date: Aug 2005, Location: Ukraine (Little Russia, xUSSR), Posts: 6)
It is possible at least in FC3 :)
You have to add to OUTPUT
-m owner --cmd-owner "/path/to/application"
man iptables:
owner
This module attempts to match various characteristics of the packet creator, for locally-generated packets. It is only valid in the OUTPUT chain, and even this some packets (such as ICMP ping responses) may have no owner, and hence never match.
--uid-owner userid
Matches if the packet was created by a process with the given effective user id.
--gid-owner groupid
Matches if the packet was created by a process with the given effective group id.
--pid-owner processid
Matches if the packet was created by a process with the given process id.
--sid-owner sessionid
Matches if the packet was created by a process in the given session group.
--cmd-owner name
Matches if the packet was created by a process with the given command name. (this option is present only if iptables was compiled under a kernel supporting this feature)
08-25-2005 #4
This is missing an important point. The outgoing web browser (i.e. client which attaches to web servers all over the world) does not even use port 80. It uses high-numbered ports. Many web servers use port 80, not clients.
Blocking outgoing port 80 does you no good.
08-25-2005 #5 Just Joined! (Join Date: Aug 2005, Location: Ukraine (Little Russia, xUSSR), Posts: 6)
Yes, sure. Only
Originally Posted by anomie:
-m owner --cmd-owner "appname"
flags are useful in this case.
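Putting posts #3 and #4 together, as an added example that is not from any poster in this thread: the owner match goes in the OUTPUT chain, and the port to match is the server's port, so the rule needs --dport 80, not --sport 80. The --cmd-owner, --pid-owner and --sid-owner options quoted from the FC3 man page were removed from the kernel in 2.6.14, so on current kernels the workable approach is to start the permitted browser as a dedicated account and match that account with --uid-owner. The account name "webuser", the PORT/ALLOWED_USER variables and the build_rules/apply_rules/count_owner_accepts function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not code from the thread): allow outbound TCP port 80 only
# for processes running as one dedicated user, refuse it for everyone else.
# Assumed: the permitted browser is launched as that account, e.g.
#   sudo -u webuser firefox
# Requires iptables with the owner match (xt_owner); applying needs root.

PORT="${PORT:-80}"               # server port to restrict (80 = HTTP)
ALLOWED_USER="${ALLOWED_USER:-webuser}"   # assumed dedicated account

# Emit the rules as text so they can be reviewed without root.
# --dport, not --sport: a client connects *to* port 80 from a high local
# port, which is the point anomie makes in post #4.  The ACCEPT rule must
# come before the REJECT rule because iptables stops at the first match.
build_rules() {
    user="$1"; port="$2"
    printf '%s\n' \
        "iptables -A OUTPUT -p tcp --dport $port -m owner --uid-owner $user -j ACCEPT" \
        "iptables -A OUTPUT -p tcp --dport $port -j REJECT --reject-with tcp-reset"
}

# Apply the generated rules one by one, echoing each before running it.
apply_rules() {
    build_rules "$1" "$2" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || return 1
    done
}

# Self-check used before applying: exactly one ACCEPT rule must carry the
# owner match, otherwise the permitted account would be locked out too.
count_owner_accepts() {
    build_rules "$1" "$2" | grep -c -- '--uid-owner .* -j ACCEPT'
}

if [ "${1:-}" = "--apply" ]; then
    [ "$(count_owner_accepts "$ALLOWED_USER" "$PORT")" -eq 1 ] || exit 1
    apply_rules "$ALLOWED_USER" "$PORT"
else
    build_rules "$ALLOWED_USER" "$PORT"
fi
```

Run without arguments to print the two rules for review; run as root with --apply to install them. Browsers also speak HTTPS, so the same script run with PORT=443 is needed for the restriction to mean much; and because the owner match only exists in OUTPUT, nothing here affects inbound traffic or packets without an owner such as ICMP replies.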
08-25-2005 #6
08-26-2005 #7
Wouldn't it be easier to just uninstall the applications you don't want people to use?
Linux user #126863 - see http://linuxcounter.net/