| 1 |
On 2020-08-14, Alexey Mishustin <shumkar@×××××××.ru> wrote: |
| 2 |
|
| 3 |
> Isn't this classic option suitable? |
| 4 |
> |
| 5 |
> groupadd noinet |
| 6 |
> usermod -a -G noinet <your_user> |
| 7 |
> iptables -A OUTPUT -i <some_interface> -m owner --gid-owner noinet -j DROP |
| 8 |
> and calling not |
| 9 |
> Plex |
| 10 |
> but |
| 11 |
> sg noinet Plex |
| 12 |
> (or whatever name the binary has) |
| 13 |
|
| 14 |
Thanks for the suggestion! |
| 15 |
|
| 16 |
[For posterity's sake, with -A Output it's -o <interface> rather than |
| 17 |
-i <interface>] |
| 18 |
|
| 19 |
Yes, I think that should work. I had forgotten (or never knew?) that |
| 20 |
iptables rules could trigger on the uid or gid of the process that |
| 21 |
sent the packet. The Plex media server already runs in its own |
| 22 |
user/group -- something I should have mentioned in my original post, |
| 23 |
since it means that "from a user" instead of "from an application" |
| 24 |
would also work. My original post also said I was trying to hide an |
| 25 |
interface, when all I really needed was to prevent sending of packets |
| 26 |
on that interface. |
| 27 |
|
| 28 |
I think this should work, but I need to rebuild my kernel with the |
| 29 |
iptables "owner" extension enabled: |
| 30 |
|
| 31 |
iptables -A OUTPUT -o <interface> -m owner --uid-owner plex -j DROP |
| 32 |
|
| 33 |
I was just about to start experimenting with ipvlan and network |
| 34 |
namespaces, but an iptables rule triggering on uid looks much much |
| 35 |
easier. |
| 36 |
|
| 37 |
-- |
| 38 |
Grant |
Archives