Application firewalling with netfilter

Today I stumbled upon a post from my friend Feth asking whether it is possible, on Linux, to allow only Firefox to access the internet... Of course it is! Here's one of the many ways:

# setup the firewall (REJECT is not a valid chain policy, only ACCEPT and DROP are:
# the policy is DROP, and an explicit REJECT rule is appended last so blocked
# connections fail fast instead of timing out)
sudo iptables -F OUTPUT
sudo iptables -P OUTPUT DROP
sudo iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# only the first packet of a connection (--syn) has to match the cgroup, the rest is ESTABLISHED
sudo iptables -A OUTPUT -p tcp --dport 80 --syn -m cgroup --cgroup 1 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 443 --syn -m cgroup --cgroup 1 -j ACCEPT
sudo iptables -A OUTPUT -j REJECT

# create a cgroup named firefox, owned by the current user (-t: the tasks file,
# -a: the other control files), so the rest can be done without sudo
sudo cgcreate -t $LOGNAME:users -a $LOGNAME:users -g net_cls:firefox
# allocate an identifier to the cgroup: this is the value -m cgroup --cgroup matches on
echo 1 > /sys/fs/cgroup/net_cls/firefox/net_cls.classid

# run firefox
cgexec -g net_cls:firefox iceweasel &

The following commands might be useful to debug what's going on: the first shows who may place tasks in the cgroup, the second lists the PIDs currently in it (empty until something has been started with cgexec):

$ ls -ld /sys/fs/cgroup/net_cls/firefox/
drwx------ 2 nextgens users 0 Jul 23 18:03 /sys/fs/cgroup/net_cls/firefox/
$ cat /sys/fs/cgroup/net_cls/firefox/cgroup.procs

Attentive readers will notice that the above doesn't work for at least two reasons:

  • Distros don't ship a version of netfilter with cgroup support just yet (the cgroup match needs Linux 3.14 and iptables 1.4.21 or later)
  • A browser without DNS resolution is only marginally useful ;)
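
Here is an added example, not from the original post, that puts the procedure into a small POSIX sh script: it converts a tc-style major:minor handle into the net_cls.classid value that -m cgroup --cgroup matches on, and generates the OUTPUT ruleset as an iptables-restore fragment with DNS allowed for the cgroup, which takes care of the second objection above. The function names classid_from_handle and gen_rules, the 10:1 handle and the port list are my own choices, not anything from the post.

```shell
#!/bin/sh
# Added example, not from the original post: build the OUTPUT ruleset as an
# iptables-restore fragment instead of typing rules by hand. Compared with the
# post it (1) uses a DROP policy plus a final REJECT rule, because REJECT is not
# a valid chain policy, and (2) lets the cgroup reach DNS so the browser can
# actually resolve names. Assumes xt_cgroup's classid match (-m cgroup --cgroup)
# and the cgroup v1 net_cls controller, as in the post.

# net_cls.classid is one 32-bit number: tc-style major in the upper 16 bits and
# minor in the lower 16, both hexadecimal, so the handle 10:1 is 0x00100001.
# This is the value written to net_cls.classid and matched by --cgroup.
classid_from_handle() {
    handle=$1
    major=${handle%%:*}
    minor=${handle##*:}
    printf '0x%04x%04x\n' "0x$major" "0x$minor"
}

# Print the ruleset for one cgroup ($1: classid) and a list of TCP ports ($2,
# space separated). Loopback is open for everything, e.g. for a local stub
# resolver; anything not explicitly allowed is rejected. The cgroup match only
# sees locally generated packets, which is why all of this lives in OUTPUT.
gen_rules() {
    classid=$1
    ports=$2
    printf '%s\n' '*filter'
    printf '%s\n' ':OUTPUT DROP [0:0]'   # a chain policy must be ACCEPT or DROP
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    # DNS for the cgroup: UDP, plus TCP for truncated answers
    printf '%s\n' "-A OUTPUT -m cgroup --cgroup $classid -p udp --dport 53 -j ACCEPT"
    printf '%s\n' "-A OUTPUT -m cgroup --cgroup $classid -p tcp --dport 53 --syn -j ACCEPT"
    for port in $ports; do
        printf '%s\n' "-A OUTPUT -m cgroup --cgroup $classid -p tcp --dport $port --syn -j ACCEPT"
    done
    # explicit REJECT last: the browser fails fast instead of timing out
    printf '%s\n' '-A OUTPUT -j REJECT --reject-with icmp-port-unreachable'
    printf '%s\n' 'COMMIT'
}

# Usage (root is needed for iptables and the cgroup setup):
#   classid=$(classid_from_handle 10:1)
#   cgcreate -t "$LOGNAME:users" -a "$LOGNAME:users" -g net_cls:firefox
#   echo "$classid" > /sys/fs/cgroup/net_cls/firefox/net_cls.classid
#   iptables -F OUTPUT
#   gen_rules "$classid" "80 443" | iptables-restore --noflush
#   cgexec -g net_cls:firefox firefox &
```

Note what the rules actually constrain: the cgroup, not a binary. Since the cgroup is created with -a $LOGNAME:users, the same user can cgexec any other program into it and it gets the same access; cat cgroup.procs is the way to see what is covered at any moment.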

Source

Note: I haven't tested this yet, and one thing puzzles me: is the classification only done if you launch with the cgexec command? In that case, what would stop someone from launching Opera the same way and giving it access???