On 14/08/2020 01:03, Alexey Mishustin wrote:
> groupadd noinet
> usermod -a -G noinet <your_user>
> iptables -A OUTPUT -o <some_interface> -m owner --gid-owner noinet -j DROP
> and calling not
> Plex
> but
> sg noinet Plex
> (or whatever name the binary has)
This is a very elegant generic solution, thank you for sharing. I had completely forgotten the fact that filtering can be done based on UID/GID.

For the sake of completeness, here's the equivalent nftables solution for those, such as myself, who may have migrated (exclusively) to nft:

    table inet filter {
        chain output {
            type filter hook output priority filter; policy accept;
            meta skgid "noinet" oifname "<some_interface>" drop
        }
    }

and in command line form:

    (1) nft add table inet filter
    (2) nft add chain inet filter output { type filter hook output priority 0\; }
    (3) nft add rule inet filter output meta skgid noinet oifname <some_interface> drop

The first two are, of course, only relevant if there is no existing table and chain that one can already use. If such exist, simply use (3) and substitute names as appropriate.

Regards,
- V
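Putting the two posts together, here is an added shell script (not code from either poster) that creates the group if needed, emits only the nft commands for objects that are still missing, and then launches a program under the group with sg. The group and table/chain names follow the thread; the script name, the GROUP/IFACE variables and the default interface "eth0" are assumptions.

```shell
#!/bin/sh
# Added example: per-group egress block with nftables, idempotent setup.
# Assumed: run as root for "setup"; adjust IFACE to your uplink interface.
set -eu

GROUP=${GROUP:-noinet}
IFACE=${IFACE:-eth0}   # assumption: substitute your real interface name

# Print the nft commands still needed, given whether the "inet filter" table
# and its "output" chain already exist ("yes"/"no"). Only missing objects are
# created; the skgid drop rule is always emitted. Policy stays accept, so
# traffic of every other group is unaffected.
nft_commands() {
    have_table=$1
    have_chain=$2
    [ "$have_table" = yes ] || echo "nft add table inet filter"
    [ "$have_chain" = yes ] || echo "nft add chain inet filter output '{ type filter hook output priority 0; }'"
    echo "nft add rule inet filter output meta skgid $GROUP oifname \"$IFACE\" drop"
}

# Probe the live ruleset; each prints yes or no.
table_exists() { nft list table inet filter >/dev/null 2>&1 && echo yes || echo no; }
chain_exists() { nft list chain inet filter output >/dev/null 2>&1 && echo yes || echo no; }

# Create the group once and apply whatever is missing. Re-running only
# appends another copy of the rule, so check "nft list chain inet filter output" first.
setup() {
    getent group "$GROUP" >/dev/null || groupadd "$GROUP"
    nft_commands "$(table_exists)" "$(chain_exists)" | sh -e
}

# Usage (assumed script name):  ./noinet.sh setup      ./noinet.sh run Plex
# "run" starts the command with "$GROUP" as its effective group, which is the
# GID that meta skgid matches on the sockets the program creates.
case "${1:-}" in
    setup) setup ;;
    run)   shift; exec sg "$GROUP" -c "$*" ;;
esac
```

Members of the group must still be added with usermod -a -G, as in the quoted post, before sg will let them switch to it.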