How to make per process firewall ?

Joe Smith codesoldier1 at gmail.com
Thu Apr 20 13:31:33 EDT 2017


On Wed, Apr 19, 2017 at 9:58 AM, Stephen Brennan <stephen at brennan.io> wrote:
>> I would like to constrain process (by name) or group of process to specific
>> network interface and to specific port.
>
> This sounds like an excellent use-case for network namespaces [1]. They create
> an entire virtualized network stack within the kernel. This includes everything
> from network devices all the way up to firewall rules. You may create and
> administer namespaces using ip-netns(8). Alternatively, you can simply create
> a new one when you clone(2), by providing CLONE_NEWNET argument.
>
> You can run commands that affect namespaces created by ip-netns(8) using
> `ip netns exec`. If you didn't create a namespace with ip-netns, you can still
> run commands within any process's namespace via the nsenter(1) command, provided
> by util-linux. If you don't have that command (due to outdated util-linux), you
> can implement your own in less than 20 lines of C using the setns(2) system
> call. The manual page even provides a full implementation.
>
> In summary, the easiest way, with ip-netns(8), would be:
>
>     ip netns add blue
>
>     ip netns exec blue iptables -nvL
>     # an empty firewall
>
>     ip netns exec blue ip link
>     # just a loopback
>
>     # You'll likely want to create a veth pair, add one end to the "blue" netns,
>     # and then set up routes. You'll have a separate IP address within the
>     # netns, but I don't believe there's any way around that.
>
>     ip netns exec blue iptables -A # your rule here
>
>     ip netns exec blue YOUR-PROGRAMS
>
> Note that this is how Linux containers (e.g. Docker, LXC) work anyway, however,
> they virtualize other components of the kernel too (filesystem, process IDs, and
> much more). If all you want is to virtualize network resources, network
> namespaces are a more direct way to do this than containers, which will
> virtualize the rest as well.
>
> ALTERNATIVE [2]:
>
> You can apparently create iptables rules which match based on PID (not a great
> idea) or by UID/GID (a much better idea). If the overhead of network namespaces
> (veth pairs, new IPs, creating routes) is too much, you could create a user and
> run your processes as this user. Then create iptables rules that match based on
> the user. You do this with the "owner" module, and you can check whether it
> exists on your system by running:
>
>     iptables -m owner
>
> [1]: https://lwn.net/Articles/580893/
> [1]: also `man 7 namespaces`
> [2]: http://stackoverflow.com/questions/4314163/create-iptables-rule-per-process-service
>
>
> _______________________________________________
> Kernelnewbies mailing list
> Kernelnewbies at kernelnewbies.org
> https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies

I understand the iptables solution. The namespace solution seems
restrictive, it will exclusively allow the IP address to be used in
the namespace that it is hosted in and there is no control over the
port. So if it is OK to dedicate an IP address to a namepsace than
fine but it still does not solve the port issue and iptables will have
to be used. So why not just use ipatbles ?

-- 
JS



More information about the Kernelnewbies mailing list