How to make per process firewall ?

Stephen Brennan stephen at brennan.io
Thu Apr 20 13:54:36 EDT 2017


On Thu, Apr 20, 2017 at 10:31:33AM -0700, Joe Smith wrote:
> On Wed, Apr 19, 2017 at 9:58 AM, Stephen Brennan <stephen at brennan.io> wrote:
[snip]
> I understand the iptables solution. The namespace solution seems
> restrictive,

It depends on how you set it up. If you put your only network interface within
this namespace, then yes, it is a bit restrictive. But if you were to set up a
veth pair, put one end into the namespace and the other in your default
namespace, and then configure NAT so traffic from the veth gets routed out
properly, then everything would still share one IP address.

Yes, this is just as much work as it sounds like, so I can understand why it
doesn't sound like a good idea!

> it will exclusively allow the IP address to be used in
> the namespace that it is hosted in and there is no control over the
> port.

You can control the port using iptables within the namespace. At that point,
it's a simple firewall rule that says "drop any traffic that isn't on this
port". Since no other processes are in the namespace, it only affects the
processes you want to restrict.

> So if it is OK to dedicate an IP address to a namespace then
> fine but it still does not solve the port issue and iptables will have
> to be used. So why not just use iptables ?

The iptables -m owner solution is much simpler, so yeah, probably just use that.
I came up with the network namespace solution because I've recently been doing
*a lot* of work using them. When all you have is a hammer, everything looks like
a nail!
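Both approaches from the reply above, written out as a POSIX shell script. This is an added example, not code from the thread or from any kernel tool; the namespace name "jail", the veth names "veth-host"/"veth-jail", the 10.200.0.0/24 subnet, the outbound interface eth0 and the user "sandbox" are all assumptions chosen for illustration. The script needs root to apply anything; with DRY_RUN=1 it prints the commands it would run instead.

```shell
#!/bin/sh
# Per-process outbound port restriction on Linux, two ways:
#   1. a network namespace joined to the host by a veth pair plus NAT, with
#      an iptables port rule inside the namespace;
#   2. iptables -m owner on the host, matching the UID that sent the packet.
# Assumed (hypothetical) names: namespace "jail", veth pair veth-host/veth-jail,
# subnet 10.200.0.0/24, outbound interface eth0, unprivileged user "sandbox".
# Set DRY_RUN=1 to print commands instead of executing them (root otherwise).

NS=${NS:-jail}
HOST_IF=${HOST_IF:-veth-host}
NS_IF=${NS_IF:-veth-jail}
HOST_IP=10.200.0.1
NS_IP=10.200.0.2
SUBNET=10.200.0.0/24
WAN_IF=${WAN_IF:-eth0}

# Execute a command, or echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Approach 1: namespace + veth + NAT. Only TCP to $1 may leave the namespace;
# processes started with "ip netns exec $NS ..." share the host's public address.
setup_namespace() {
    port=$1
    run ip netns add "$NS"
    run ip link add "$HOST_IF" type veth peer name "$NS_IF"
    run ip link set "$NS_IF" netns "$NS"
    run ip addr add "$HOST_IP/24" dev "$HOST_IF"
    run ip link set "$HOST_IF" up
    run ip netns exec "$NS" ip addr add "$NS_IP/24" dev "$NS_IF"
    run ip netns exec "$NS" ip link set "$NS_IF" up
    run ip netns exec "$NS" ip link set lo up
    run ip netns exec "$NS" ip route add default via "$HOST_IP"
    # Host side: forward the veth subnet and masquerade it behind eth0.
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$SUBNET" -o "$WAN_IF" -j MASQUERADE
    run iptables -A FORWARD -i "$HOST_IF" -o "$WAN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$HOST_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Inside the namespace: the namespace has its own iptables tables, so
    # this rule set touches nothing outside it.
    run ip netns exec "$NS" iptables -A OUTPUT -o lo -j ACCEPT
    run ip netns exec "$NS" iptables -A OUTPUT -p tcp --dport "$port" -j ACCEPT
    run ip netns exec "$NS" iptables -A OUTPUT -j DROP
}

# Approach 2: iptables -m owner. Packets generated by user $1 may only go to
# TCP port $2; nothing else on the host is affected. The owner match exists
# only for locally generated packets (OUTPUT/POSTROUTING), so it cannot
# filter what the process receives.
setup_owner_rules() {
    user=$1
    port=$2
    run iptables -A OUTPUT -o lo -m owner --uid-owner "$user" -j ACCEPT
    run iptables -A OUTPUT -p tcp --dport "$port" -m owner --uid-owner "$user" -j ACCEPT
    run iptables -A OUTPUT -m owner --uid-owner "$user" -j DROP
}
```

Usage: `setup_namespace 443` then run the restricted program with `ip netns exec jail su -s /bin/sh sandbox -c ./prog`; or `setup_owner_rules sandbox 443` and start the program as that user. Two caveats worth knowing before choosing: the owner match only sees packets the process sends, so inbound connections to the process are not filtered by it, and on hosts that have moved to nftables the equivalent of `--uid-owner` is the `meta skuid` match.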



