How to make per process firewall ?

Stephen Brennan stephen at brennan.io
Wed Apr 19 12:58:28 EDT 2017


> I would like to constrain process (by name) or group of process to specific
> network interface and to specific port.

This sounds like an excellent use-case for network namespaces [1]. They create
an entire virtualized network stack within the kernel. This includes everything
from network devices all the way up to firewall rules. You may create and
administer namespaces using ip-netns(8). Alternatively, you can simply create
a new one when you clone(2), by providing CLONE_NEWNET argument.

You can run commands that affect namespaces created by ip-netns(8) using
`ip netns exec`. If you didn't create a namespace with ip-netns, you can still
run commands within any process's namespace via the nsenter(1) command, provided
by util-linux. If you don't have that command (due to outdated util-linux), you
can implement your own in less than 20 lines of C using the setns(2) system
call. The manual page even provides a full implementation.

In summary, the easiest way, with ip-netns(8), would be:

    ip netns add blue

    ip netns exec blue iptables -nvL
    # an empty firewall

    ip netns exec blue ip link
    # just a loopback

    # You'll likely want to create a veth pair, add one end to the "blue" netns,
    # and then set up routes. You'll have a separate IP address within the
    # netns, but I don't believe there's any way around that.

    ip netns exec blue iptables -A # your rule here

    ip netns exec blue YOUR-PROGRAMS

Note that this is how Linux containers (e.g. Docker, LXC) work anyway, however,
they virtualize other components of the kernel too (filesystem, process IDs, and
much more). If all you want is to virtualize network resources, network
namespaces are a more direct way to do this than containers, which will
virtualize the rest as well.

ALTERNATIVE [2]:

You can apparently create iptables rules which match based on PID (not a great
idea) or by UID/GID (a much better idea). If the overhead of network namespaces
(veth pairs, new IPs, creating routes) is too much, you could create a user and
run your processes as this user. Then create iptables rules that match based on
the user. You do this with the "owner" module, and you can check whether it
exists on your system by running:

    iptables -m owner

[1]: https://lwn.net/Articles/580893/
[1]: also `man 7 namespaces`
[2]: http://stackoverflow.com/questions/4314163/create-iptables-rule-per-process-service




More information about the Kernelnewbies mailing list