Re: block a program from accessing the Internet.
On 09.09.2013 14:58, ken wrote:
> On 09/09/2013 05:54 AM Lars Noodén wrote:
>> On 9/9/13 3:14 PM, atar wrote:
>>> Thanks for replying!
>>>
>>> Unfortunately, when invoking the 'iptables' command with the arguments
>>> you've suggested, the program says:
>>>
>>>> iptables v1.4.14: unknown option "--cmd-owner"
>>>> Try `iptables -h' or 'iptables --help' for more information.
>>>
>>> Regards!
>>>
>>> atar.
>>>
>>>
>> My mistake. It seems that the tutorial is way out of date.
>>
>> $ iptables -m owner --help
>> ...
>> owner match options:
>> [!] --uid-owner userid[-userid] Match local UID
>> [!] --gid-owner groupid[-groupid] Match local GID
>> [!] --socket-exists Match if socket exists
>>
>> So it looks like cmd-owner is no longer used. Apparmor or SELinux
>> mentioned by Claudius are the next things to try, though they are more
>> complex.
>
> Hmmm. I get this:
>
> # iptables -V
> iptables v1.3.5
> # iptables -m owner --help
> ...
> OWNER match v1.3.5 options:
> [!] --uid-owner userid Match local uid
> [!] --gid-owner groupid Match local gid
> [!] --pid-owner processid Match local pid
> [!] --sid-owner sessionid Match local sid
> [!] --cmd-owner name Match local command name
> NOTE: pid, sid and command matching are broken on SMP
>
FWIW mine is also iptables 1.4.14,
$ lsb_release -rd
Description: Debian GNU/Linux 7.0 (wheezy)
Release: 7.0
$ iptables -V
iptables v1.4.14
So somewhere between 1.3.5 and 1.4.14 the capability disappeared.
Regards,
/Lars
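Since --cmd-owner is gone in 1.4.x (and the 1.3.5 help text quoted above already warns that pid, sid and command matching are broken on SMP), what the owner match still offers is matching by uid or gid. The usual workaround is therefore to run the program under a dedicated group and reject that group's outbound packets. The script below is an added example, not code posted in this thread or shipped with iptables; the group name noinet, the chain name NOINET and the DRY_RUN switch are its own choices. It also includes the same "is this option offered" check that this thread did by hand with `iptables -m owner --help`, so a script can detect --cmd-owner's absence instead of failing at rule-insertion time.

```shell
#!/bin/sh
# Added example, not from the thread: block one program's outbound traffic
# with the owner-match options still present in iptables 1.4.x
# (--uid-owner / --gid-owner) instead of the removed --cmd-owner.
# Group "noinet", chain "NOINET" and DRY_RUN are this example's own choices.

# Read "iptables -m owner --help" output from stdin and report whether the
# given option is offered.  Option lines look like
# "[!] --gid-owner groupid[-groupid] Match local GID".
owner_option_available() {
    opt="$1"
    grep -qE "^\[!\][[:space:]]+${opt}([[:space:]]|$)"
}

# Apply one rule to both iptables and ip6tables, or only print the command
# when DRY_RUN=1 so the rule set can be reviewed (and tested) without root.
nf() {
    for tool in iptables ip6tables; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '%s %s\n' "$tool" "$*"
        else
            "$tool" "$@"
        fi
    done
}

# Install the rules for one group.  Safe to re-run: the chain is flushed and
# the OUTPUT jump removed before being re-added.
noinet_setup() {
    group="$1"
    nf -N NOINET 2>/dev/null || true    # fails harmlessly if it already exists
    nf -F NOINET
    # Keep loopback usable so local-only traffic (proxies, X, local DNS
    # cache) is unaffected; everything else from this group is rejected.
    nf -A NOINET -o lo -j RETURN
    nf -A NOINET -j REJECT
    # Socket ownership exists only for locally generated packets, so the
    # owner match belongs in OUTPUT.  Insert at position 1 so an earlier
    # ACCEPT-all rule cannot bypass it.
    nf -D OUTPUT -m owner --gid-owner "$group" -j NOINET 2>/dev/null || true
    nf -I OUTPUT 1 -m owner --gid-owner "$group" -j NOINET
}

# Start a program under the blocked group.  sg(1) runs the command with its
# gid set to the group, so sockets it creates carry that gid and hit the
# --gid-owner rule.  The invoking user must be a member of the group
# (usermod -aG noinet "$USER", then re-login).
noinet_run() {
    group="$1"; shift
    sg "$group" -c "$*"
}

case "${1:-}" in
    check)
        opt="${2:-}"; [ -n "$opt" ] || opt=--cmd-owner
        if iptables -m owner --help 2>&1 | owner_option_available "$opt"; then
            echo "$opt: available"
        else
            echo "$opt: not offered by this iptables"
        fi ;;
    setup) noinet_setup "${2:-noinet}" ;;
    run)   shift; group="$1"; shift; noinet_run "$group" "$@" ;;
esac
```

Typical use is `groupadd noinet`, `usermod -aG noinet alice`, then `./noinet.sh setup noinet` as root and `./noinet.sh run noinet firefox` as alice (`DRY_RUN=1 ./noinet.sh setup noinet` prints the rules instead of applying them). The limits are the same ones that make the thread point at AppArmor and SELinux: the match keys on the gid of the socket's creator, so a program that runs as root, is setgid, or otherwise changes its gid is not held by it, and nothing here constrains the process beyond its network sockets.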