
Re: block a program from accessing the Internet.



On 09.09.2013 14:58, ken wrote:
> On 09/09/2013 05:54 AM Lars Noodén wrote:
>> On 9/9/13 3:14 PM, atar wrote:
>>> Thanks for replying!
>>>
>>> Unfortunately, when invoking the 'iptables' command with the arguments
>>> you've suggested, the program says:
>>>
>>>> iptables v1.4.14: unknown option "--cmd-owner"
>>>> Try `iptables -h' or 'iptables --help' for more information.
>>>
>>> Regards!
>>>
>>> atar.
>>>
>>>
>> My mistake.  It seems that the tutorial is way out of date.
>>
>> $ iptables -m owner --help
>> ...
>> owner match options:
>> [!] --uid-owner userid[-userid]        Match local UID
>> [!] --gid-owner groupid[-groupid]     Match local GID
>> [!] --socket-exists             Match if socket exists
>>
>> So it looks like cmd-owner is no longer used.  Apparmor or SELinux
>> mentioned by Claudius are the next things to try, though they are more
>> complex.
> 
> Hmmm.  I get this:
> 
> # iptables -V
> iptables v1.3.5
> # iptables -m owner --help
> ...
> OWNER match v1.3.5 options:
> [!] --uid-owner userid     Match local uid
> [!] --gid-owner groupid    Match local gid
> [!] --pid-owner processid  Match local pid
> [!] --sid-owner sessionid  Match local sid
> [!] --cmd-owner name       Match local command name
> NOTE: pid, sid and command matching are broken on SMP
> 
FWIW mine is also iptables 1.4.14,

$ lsb_release -rd
Description:	Debian GNU/Linux 7.0 (wheezy)
Release:	7.0

$ iptables -V
iptables v1.4.14

So somewhere between 1.3.5 and 1.4.14, the capability disappeared.

Regards,
/Lars
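What still works with the owner match options that the 1.4.14 --help output above lists is to key the rule on a group rather than on a command name: run the program under a dedicated group and reject that group's traffic in OUTPUT. The script below is an added example, not code from anyone in this thread. It assumes (none of this is in the thread) a system group named "nonet" (groupadd --system nonet), that the launching user is a member of it, that sg(1) from the shadow suite is installed, and root for the apply step. The "check" mode reproduces the test Lars did by hand, probing whether the installed iptables still advertises a given owner-match option.

```shell
#!/bin/sh
# Added example, not from the thread. Fences a program off the network by
# running it under a dedicated group and matching that group with the owner
# match's --gid-owner, which iptables 1.4.14 still has (unlike --cmd-owner).
#
# Assumptions (not in the thread): a system group "nonet" exists, the user
# launching the program is a member of it, sg(1) is available, root for apply.
set -eu

NONET_GROUP="${NONET_GROUP:-nonet}"   # assumed group name
RUN="${RUN:-}"                        # set RUN=echo to dry-run the commands

# Return 0 if the installed iptables advertises --<name>-owner (uid, gid,
# cmd, pid, ...). Check this before trusting a tutorial's flags.
owner_match_supports() {
    iptables -m owner --help 2>/dev/null | grep -q -- "--$1-owner"
}

# Print the commands that fence a GID. Loopback stays open so the program
# can still reach local services; everything else is REJECTed so connect()
# fails immediately instead of hanging as it would with DROP.
nonet_rules() {
    gid="$1"
    for tool in iptables ip6tables; do
        echo "$tool -A OUTPUT -o lo -m owner --gid-owner $gid -j ACCEPT"
        echo "$tool -A OUTPUT -m owner --gid-owner $gid -j REJECT"
    done
}

# Apply the rules (needs root). With RUN=echo it only shows them.
nonet_apply() {
    gid="$1"
    nonet_rules "$gid" | while IFS= read -r cmd; do
        $RUN $cmd
    done
}

# Launch a program with the fenced group as its primary group. --gid-owner
# matches the socket creator's primary GID, so membership in the
# supplementary group list alone is not enough; sg(1) makes it primary.
nonet_run() {
    exec sg "$NONET_GROUP" -c "$*"
}

case "${1:-}" in
    check) owner_match_supports "$2" && echo "supported" || echo "missing" ;;
    rules) nonet_rules "$(getent group "$NONET_GROUP" | cut -d: -f3)" ;;
    apply) nonet_apply "$(getent group "$NONET_GROUP" | cut -d: -f3)" ;;
    run)   shift; nonet_run "$@" ;;
esac
```

Typical use: `sh nonet.sh check cmd` (prints "missing" on 1.4.14), `sudo sh nonet.sh apply`, then `sh nonet.sh run wget http://example.com/` to see the rejection. Because the rule keys on the GID, every child the program spawns inherits the restriction, but a setgid helper or anything that can change its group escapes it; for a real confinement boundary the AppArmor or SELinux route mentioned earlier in the thread is the stricter option.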
