Linux: create an iptables rule per process/service
Disclaimer: this page is a Chinese-English parallel translation of a popular Stack Overflow question, licensed under CC BY-SA 4.0. If you use it you must follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me): StackOverFlow
原文地址: http://stackoverflow.com/questions/4314163/
create iptables rule per process/service
Asked by cateof
is it possible to use iptables in order to permit traffic initiated by a "process", ie using the process name? I would like for example to allow everything that is initiated by ping command.
Accepted answer by barti_ddu
It looks like the owner iptables module is what you want. First, check if it's available in your system:
iptables -m owner --help
You can read more here: http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#OWNERMATCH
Answered by Michael D.
-m owner --pid-owner PID
See http://linuxpoison.blogspot.com/2010/11/how-to-limit-network-access-by-user.html and http://linux.die.net/man/8/iptables
Note that you need the ipt_owner module, as --pid-owner is not supported by xt_owner.
For example (this is just an approximation)
#!/bin/bash
# $! is the PID of the background job just started; the original's %1 is a job
# spec that only builtins like kill understand. The owner match is OUTPUT-only.
"$@" &
iptables -A OUTPUT -m owner --pid-owner "$!" -j REJECT
wait
In reality, though, you're better off using --uid-owner and --gid-owner. First, the --pid-owner criterion only matches the exact pid, meaning your program could easily spawn a child process which would not be blocked by this rule. (At least I haven't read otherwise.) Secondly, iptables(8) warns that --pid-owner is broken on SMP systems (which may or may not apply to you, but in either case limits portability). Third, there is a race condition in the script above, because the process is started before it is blocked. (If there is a way to get a process's pid before it starts, then I've never heard about it.)
Answered by dlundquist
If there is a way to get a process's pid before it starts, then I've never heard about it.
You could write a wrapper which forks first, then adds the rule and execs the process (assuming the program you're running doesn't fork again), since the PID is not changed by the exec(3) call.
/* Wrapper: add an owner rule for our own PID, then exec(3) the target, which keeps that PID. */
#define _GNU_SOURCE   /* for asprintf(3) */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s program [args...]\n", argv[0]); return 1; }
    /* Eat argv[0], the name of the wrapper */
    argv++;
    pid_t my_pid = getpid();
    char *iptables_cmd = NULL;
    /* The option is --pid-owner, and the owner match is only valid in OUTPUT/POSTROUTING, not INPUT. */
    if (asprintf(&iptables_cmd, "/sbin/iptables -A OUTPUT -m owner --pid-owner %d -j ACCEPT", (int)my_pid) < 0)
        return 1;
    if (system(iptables_cmd) != 0) { fprintf(stderr, "iptables failed; not starting %s\n", argv[0]); return 1; }
    free(iptables_cmd);
    execv(argv[0], argv);   /* same PID, so the rule now applies to the target program */
    perror("execv");
    return 1;
}
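The two answers above recommend matching on uid/gid rather than pid, and adding the rule after the fork but before the exec. The script below is an added example written for this page (it is not code from either answer). It assumes bash, an iptables build with the owner match (xt_owner provides --uid-owner/--gid-owner; --pid-owner only exists in the legacy ipt_owner), an already-created group named "netonly", and root privileges to apply rules. The rule builders return text so they can be reviewed and tested without root.

```shell
#!/bin/bash
# Added example (this page's editor, not the Stack Overflow answers). Assumptions: bash, iptables
# with the owner match (xt_owner: --uid-owner/--gid-owner; legacy ipt_owner: --pid-owner), and an
# existing group "netonly" for the restricted program. Applying the rules requires root.
set -u

# Build the OUTPUT rule for one owner criterion and return it as a string. The owner match reads
# the creator of the socket that produced the packet, so it is only valid in OUTPUT/POSTROUTING;
# an INPUT packet has no local owner yet.
owner_rule() {
    local kind="$1" value="$2" target="$3"
    case "$kind" in
        uid|gid) ;;
        pid)
            # --pid-owner matches one exact pid, so the value must be numeric (names are for uid/gid).
            case "$value" in
                ''|*[!0-9]*) echo "owner_rule: pid must be numeric" >&2; return 1 ;;
            esac ;;
        *) echo "owner_rule: kind must be uid, gid or pid" >&2; return 1 ;;
    esac
    printf 'iptables -A OUTPUT -m owner --%s-owner %s -j %s\n' "$kind" "$value" "$target"
}

# Rules that let only members of the given group (plus loopback) send packets. Everything else in
# OUTPUT is rejected, including your own ssh session, so review the output before piping it into sh.
allowlist_group_rules() {
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    owner_rule gid "$1" ACCEPT
    echo "iptables -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited"
}

# Start a command with the group as its primary gid via sg(1). The gid is inherited by every child
# process, which is what a pid rule cannot give you; sg takes the command as a single string.
run_in_group() {
    local group="$1"; shift
    sg "$group" -c "$*"
}

# Race-free pid variant of the fork/rule/exec wrapper in shell: the subshell has already forked when
# $BASHPID is read, the rule is added for that pid, and exec replaces the subshell without changing
# the pid. The command's own children still escape the rule, and it needs the legacy ipt_owner.
run_with_pid_rule() {
    (
        rule=$(owner_rule pid "$BASHPID" ACCEPT) || exit 1
        $rule || exit 1
        exec "$@"
    )
}

# Usage (as root):
#   allowlist_group_rules netonly | sh -e       # apply the gid allow-list
#   run_in_group netonly 'ping -c 3 example.org'
#   run_with_pid_rule ping -c 3 example.org     # pid rule, legacy ipt_owner only
```

One caveat for the question's own example: the owner match compares against the credentials in force when the socket was created. An older setuid-root ping creates its raw socket before dropping privileges, so --uid-owner sees uid 0 rather than the invoking user; setuid does not change the gid, so the --gid-owner approach above still matches.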