I think there is no iptables/pf solution to only allow an XY application on e.g. outbound TCP port 80, eth0. So if I have a user id "500", then how could I block any other communications than the mentioned one on port 80/outbound/tcp/eth0? (e.g. just privoxy is using port 80 on eth0)
Extra: VirtualBox uses port 80 too when a browser on the guest OS visits a site. How to declare that? Setting the normal user would be too much of a hole.
Best Answer
Here's the iptables command to allow for a certain uid through a certain port, from the man page:

As far as VirtualBox... I believe it runs its own kernel... so you might want to use the --uid-owner of VirtualBox on the host OS, but then have a --uid-owner rule on the virtual machine as well.

It might also be useful to note that --gid-owner also exists, and you could create a group "browser" and sgid your browser apps so they run with an effective group "browser", and then only put users who you want to have browsing in that group... This would not be a perfect solution... but most of the users wouldn't try to run any other apps as that group, thus generally restricting the outbound to that application, I believe. I haven't tried this, so I'm not 100% sure that it would work as I've described.
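An added example of the uid-based egress policy the question asks for, written for this page and not taken from the answer above: it uses iptables' owner match so that UID 500 (the question's value) may open outbound TCP/80 on eth0 and nothing else on that interface. The script prints the rules for review by default and only applies them (as root) with --apply; the UID, interface and port are assumptions from the question and can be overridden through environment variables.

```shell
#!/bin/sh
# Egress policy for one UID via iptables' owner match (added example).
# Assumed values from the question; override with APP_UID=... IFACE=... PORT=...
APP_UID="${APP_UID:-500}"
IFACE="${IFACE:-eth0}"
PORT="${PORT:-80}"

# Emit the rule set in order. Rules are appended to OUTPUT, so a permissive
# earlier rule for the same UID would win; inspect with: iptables -S OUTPUT
owner_rules() {
    uid="$1"; iface="$2"; port="$3"
    # 1. The single permitted flow: this UID -> TCP/$port leaving via $iface.
    echo "iptables -A OUTPUT -o $iface -p tcp --dport $port -m owner --uid-owner $uid -j ACCEPT"
    # 2. Log what the UID tries beyond that (detection point: watch the kernel log
    #    for this prefix to spot the app, or something running as that UID,
    #    reaching out elsewhere).
    echo "iptables -A OUTPUT -o $iface -m owner --uid-owner $uid -j LOG --log-prefix \"uid$uid-egress-drop: \" --log-level 4"
    # 3. Drop everything else from that UID on that interface. Note this also
    #    drops the UID's own DNS lookups; add a matching ACCEPT for udp/53 if the
    #    application resolves names itself rather than via a local resolver.
    echo "iptables -A OUTPUT -o $iface -m owner --uid-owner $uid -j DROP"
}

# Count of rules in the policy, handy for a sanity check after applying.
owner_rule_count() {
    owner_rules "$1" "$2" "$3" | wc -l | tr -d ' '
}

case "${1:-}" in
    --apply) owner_rules "$APP_UID" "$IFACE" "$PORT" | sh ;;   # requires root
    *)       owner_rules "$APP_UID" "$IFACE" "$PORT" ;;
esac
```

The owner match only sees locally generated packets (it is valid in the OUTPUT and nat POSTROUTING chains), so it covers a NAT-mode VirtualBox process running as that UID but not guest traffic that the host merely forwards in bridged mode. Traffic that never leaves via eth0, such as the browser talking to privoxy on loopback, is untouched because every rule carries -o eth0.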