On 14/08/2020 01:03, Alexey Mishustin wrote:
> groupadd noinet
> usermod -a -G noinet <your_user>
> iptables -A OUTPUT -o <some_interface> -m owner --gid-owner noinet -j DROP
>    and calling not
> Plex
>    but
> sg noinet Plex
>    (or whatever name the binary has)

This is a very elegant generic solution, thank you for sharing. I had
completely forgotten the fact that filtering can be done based on UID/GID.

For the sake of completeness, here's the equivalent nftables solution
for those, such as myself, who may have migrated (exclusively) to nft:

  table inet filter {
    chain output {
      type filter hook output priority filter; policy accept;
      meta skgid "noinet" oifname "<some_interface>" drop
    }
  }

and in command line form:

  (1) nft add table inet filter
  (2) nft add chain inet filter output { type filter hook output priority 0\; }
  (3) nft add rule inet filter output meta skgid noinet oifname <some_interface> drop

The first two are, of course, only relevant if there is no existing
table and chain that one can already use. If such exist, simply use (3)
and substitute names as appropriate.
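The same nftables approach wrapped in a small shell helper, added here rather than taken from either mail: it emits the ruleset with a counter and a log prefix so dropped packets show up in `nft list` and the kernel log, keeps loopback open, applies it idempotently, and checks that the caller can actually use sg. The group "noinet", the interface "eth0" and the table name "noinet" are assumed; substitute your own.

```shell
#!/bin/sh
# Added example, not code from the thread: nftables equivalent of the
# iptables --gid-owner rule, with a counter and log prefix for visibility.
# "noinet" (group and table) and "eth0" are assumed names.

# Print a stand-alone ruleset for GROUP on egress interface IFACE.
# A dedicated table avoids touching an existing "filter" table.
noinet_ruleset() {
    group="$1"; iface="$2"
    cat <<EOF
table inet noinet {
    chain output {
        type filter hook output priority filter; policy accept;
        oifname "lo" accept
        meta skgid "$group" oifname "$iface" counter log prefix "noinet-drop: " drop
    }
}
EOF
}

# Apply idempotently: remove any previous copy of our table, then load.
noinet_apply() {
    nft delete table inet noinet 2>/dev/null || true
    noinet_ruleset "$1" "$2" | nft -f -
}

# Show the drop counter and confirm the caller is in GROUP (needed for sg).
noinet_status() {
    group="$1"
    nft list table inet noinet
    if id -Gn | tr ' ' '\n' | grep -qx "$group"; then
        echo "in group $group: 'sg $group <program>' is usable"
    else
        echo "not in group $group: usermod -a -G $group \$USER, then log in again"
    fi
}

# Usage: sh noinet.sh apply noinet eth0   |   sh noinet.sh status noinet
case "${1:-}" in
    apply)  noinet_apply "${2:-noinet}" "${3:-eth0}" ;;
    status) noinet_status "${2:-noinet}" ;;
esac
```

Run `status` after starting the program under sg and generating traffic; the counter on the drop rule should advance and "noinet-drop:" lines should appear in the kernel log.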

Regards,
- V
