  1. #1
    Just Joined!
    Join Date
    Aug 2005
    Posts
    1

    iptables - Opening a port for a certain application only


    Hi

    iptables-problem:
    How can I open a certain port (say 80) for a certain program only (say Mozilla Firefox)? So that other programs (e.g. Konqueror) are not able to use this port.

    sth like:
    iptables -A OUTPUT -program ! "Mozilla Firefox" --sport 80 -j DROP

    thx xadian

  2. #2
    Linux Engineer
    Join Date
    Apr 2005
    Location
    Belgium
    Posts
    1,429
    I don't think that is possible...
    ** Registered Linux User # 393717 and proud of it ** Check out www.zenwalk.org
    ** Zenwalk 2.8 - Xfce 4.4 beta 2- 2.6.17.6 kernel = Slack on steroids! **

  3. #3
    Just Joined!
    Join Date
    Aug 2005
    Location
    Ukraine (Little Russia, xUSSR)
    Posts
    6

    It is possible at least in FC3 :)

    You have to add to OUTPUT

    -m owner --cmd-owner "/path/to/application"


    man iptables

    owner
    This module attempts to match various characteristics of the packet
    creator, for locally-generated packets. It is only valid in the OUTPUT
    chain, and even this some packets (such as ICMP ping responses) may
    have no owner, and hence never match.

    --uid-owner userid
    Matches if the packet was created by a process with the given
    effective user id.

    --gid-owner groupid
    Matches if the packet was created by a process with the given
    effective group id.

    --pid-owner processid
    Matches if the packet was created by a process with the given
    process id.

    --sid-owner sessionid
    Matches if the packet was created by a process in the given session
    group.

    --cmd-owner name
    Matches if the packet was created by a process with the given
    command name. (this option is present only if iptables was compiled
    under a kernel supporting this feature)

  4. #4
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    This is missing an important point. The outgoing web browser (i.e. client which attaches to web servers all over the world) does not even use port 80. It uses high-numbered ports. Many web servers use port 80, not clients.

    Blocking outgoing port 80 does you no good.

  5. #5
    Just Joined!
    Join Date
    Aug 2005
    Location
    Ukraine (Little Russia, xUSSR)
    Posts
    6
    Quote Originally Posted by anomie
    This is missing an important point. The outgoing web browser (i.e. client which attaches to web servers all over the world) does not even use port 80. It uses high-numbered ports. Many web servers use port 80, not clients.

    Blocking outgoing port 80 does you no good.
    Yes, sure. Only the

    -m owner --cmd-owner "appname"

    flags are useful in this case.

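One way to put the owner-match advice from the posts above into practice, as an added example that is not code from the thread: it matches on --uid-owner (a dedicated user the browser is started as) and on --dport 80/443 rather than --sport, since, as anomie notes, the client side of an HTTP connection uses an ephemeral source port. The user name webuser and the DRY_RUN switch are assumptions; later kernels removed --cmd-owner, --pid-owner and --sid-owner from the owner match, while --uid-owner and --gid-owner remain.

```shell
#!/bin/sh
# Added example (not from the thread): allow outbound HTTP/HTTPS only for
# packets created by processes running as one dedicated user, and reject
# them for every other process. Assumes the browser is launched as that
# user (e.g. "sudo -u webuser firefox"). DRY_RUN=1 (the default) prints
# the rules instead of applying them, so it can be inspected without root.

: "${DRY_RUN:=1}"

# ipt ARGS...: print the rule in dry-run mode, otherwise apply it
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# owner_rules USER PORT...: for each destination port, accept TCP packets
# whose creating process runs as USER, then reject the same traffic from
# anyone else. Matching --dport (not --sport) is what makes this work for
# a client: its source port is ephemeral, so "--sport 80" would never hit.
owner_rules() {
    user=$1
    shift
    for port in "$@"; do
        ipt -A OUTPUT -p tcp --dport "$port" -m owner --uid-owner "$user" -j ACCEPT
        ipt -A OUTPUT -p tcp --dport "$port" -j REJECT --reject-with tcp-reset
    done
}

# rule_count USER PORT...: number of rules the set would install (two per
# port), evaluated in dry-run mode as a sanity check before applying
rule_count() {
    ( DRY_RUN=1; owner_rules "$@" ) | wc -l | tr -d ' '
}

owner_rules webuser 80 443
```

Matching on a command name is also easy to defeat by copying or renaming a binary, which is why the uid-based form is the one worth keeping.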
  6. #6
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    (I wasn't making the point to you.)

  7. #7
    Super Moderator Roxoff's Avatar
    Join Date
    Aug 2005
    Location
    Nottingham, England
    Posts
    3,807
    Wouldn't it be easier to just uninstall the applications you don't want people to use?
    Linux user #126863 - see http://linuxcounter.net/
