Firewall per process

Christos Ricudis ricudis at komodino.itc.auth.gr
Tue Nov 14 12:39:44 EET 2006


Nikos Kanellopoulos wrote:
> All the HOWTOs etc. that I remember for iptables show how one can
> define rules that refer to protocols, ports and IP addresses.
>
> Is there any option to also specify whether "such-and-such process"
> will have access to the network? Can this be done with iptables, or
> is something else required? Any reference?

Yes, it can be done; the question is how you identify the "such-and-such" process.

   owner
       This module attempts to match various characteristics of the packet
       creator, for locally-generated packets. It is valid in the INPUT,
       OUTPUT and POSTROUTING chains, however in the INPUT chain only TCP and
       UDP packets can be matched. Also note that some packets (such as ICMP
       ping responses) may have no owner, and hence never match.

       --uid-owner userid
              Matches if the packet was created by a process with the given
              effective user id.

       --gid-owner groupid
              Matches if the packet was created by a process with the given
              effective group id.

       --pid-owner processid
              Matches if the packet was created by a process with the given
              process id.

       --sid-owner sessionid
              Matches if the packet was created by a process in the given
              session group.

       --cmd-owner name
              Matches if the packet was created by a process with the given
              command name. (this option is present only if iptables was
              compiled under a kernel supporting this feature)

NOTE: pid, sid and command matching are broken on SMP

It goes without saying, of course, that if you want to match on a PID, you
have to do it from the process itself (or its parent), since most likely
nobody else can be sure of its PID.


Is there perhaps a better way to achieve what you want?




Another interesting match (not that I expect it to work satisfactorily):

   geoip
       Match a packet by its source or destination country.

       [!] --src-cc, --source-country country[,country,country,...]
              Match packet coming from (one of) the specified country(ies)

       [!] --dst-cc, --destination-country country[,country,country,...]
              Match packet going to (one of) the specified country(ies)

       NOTE:  The country is given by its ISO3166 code.

       The only extra files you need are a binary db (geoipdb.bin) & its
       index file (geoipdb.idx). Both files are generated from a countries &
       subnets database with the csv2bin tool, available at
       www.cookinglinux.org/geoip/. Both files MUST also be moved into
       /var/geoip/ as the shared library is statically looking for that
       pathname (ex.: /var/geoip/geoipdb.bin).





-- 
Christos Ricudis				ricudis at itc.auth.gr
Systems Administrator				+30-2310-998656
IT Support Center
Aristotle University of Thessaloniki, GREECE
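
[Added example, not part of the original mail. The usable form of the
owner match in practice is the uid/gid one: create a dedicated group, run
the program under it, and reject OUTPUT packets created by that group. This
avoids the PID race described above and the SMP breakage the man page
notes; on current iptables only --uid-owner and --gid-owner survive anyway,
the pid/sid/cmd variants having been removed. The group name "nonet", the
launch via sg/sudo -g, and the sample rule listing used for the check are
assumptions of this example, not anything from the thread.]

```shell
#!/bin/sh
# Added example (not from the original post): block network access for any
# process that runs under a dedicated group, using the iptables owner match.
# Assumptions: group name "nonet" (create it with `groupadd nonet`), and that
# the program is started under that group with `sg nonet -c CMD` or
# `sudo -g nonet CMD`. iptables accepts a group name or numeric GID here.

NONET_GROUP="${NONET_GROUP:-nonet}"

# Print the iptables commands that reject locally generated packets whose
# creating process has effective group $1. Loopback stays open so local
# services (resolver, X11, D-Bus) keep working; REJECT rather than DROP so
# connect() fails at once instead of hanging until the timeout.
owner_block_rules() {
    gid="$1"
    printf 'iptables -A OUTPUT -o lo -m owner --gid-owner %s -j ACCEPT\n' "$gid"
    printf 'iptables -A OUTPUT -m owner --gid-owner %s -j REJECT --reject-with icmp-port-unreachable\n' "$gid"
}

# Check a saved rule listing (the text of `iptables -S OUTPUT`) for the
# REJECT rule of group/GID $2. Returns 0 if the rule is loaded, 1 otherwise.
rules_loaded() {
    printf '%s\n' "$1" | grep -q -- "^-A OUTPUT -m owner --gid-owner $2 -j REJECT"
}

# Constructed sample of what `iptables -S OUTPUT` prints once the rules for
# GID 1001 are applied (iptables-save shows the numeric id).
SAMPLE_RULES='-P OUTPUT ACCEPT
-A OUTPUT -o lo -m owner --gid-owner 1001 -j ACCEPT
-A OUTPUT -m owner --gid-owner 1001 -j REJECT --reject-with icmp-port-unreachable'

# print (default): show the rules; apply: run them (needs root);
# check: verify against the live OUTPUT chain.
main() {
    case "${1:-print}" in
        apply) owner_block_rules "$NONET_GROUP" | sh -e ;;
        check) rules_loaded "$(iptables -S OUTPUT)" "$NONET_GROUP" ;;
        *)     owner_block_rules "$NONET_GROUP" ;;
    esac
}

main "$@"
```

After `sh nonet.sh apply` as root, `sg nonet -c 'wget http://example.com/'`
fails immediately with "Connection refused", while the same command run
under any other group is unaffected; `sh nonet.sh check` confirms the
REJECT rule is loaded. Note that matching happens on the effective GID, so
a setgid or setuid binary started under the group can still escape the rule.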