The "requested mask" is what the program wants.
Yes, I have been mistaken.
I'm not sure what you mean by restricting an application with iptables though. ... but there's no way to use iptables to say "FreeSWAN may accept connections on port 9021 but not Transmission"
Yes, that is a different way than blocking an application; what I have seen was blocking by the username the program runs as. I do not know exactly:
http://danieldegraaf.afraid.org/info/iptables/outfilter :
Code:
#!/usr/bin/env iptables-restore
# Per-user egress filtering with the owner match (iptables-restore format).
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:loga - [0:0]
# Inbound: allow replies to existing flows, loopback, and logged HTTP.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 80 -j loga
# loga: log the packet to userspace (ULOG, later replaced by NFLOG), then accept.
-A loga -j ULOG
-A loga -j ACCEPT
# Outbound: packets belonging to established flows pass before the owner checks.
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# New connections opened by the web server's user are logged, then dropped.
-A OUTPUT -m owner --uid-owner www-data -j ULOG --ulog-prefix www
-A OUTPUT -m owner --uid-owner www-data -j DROP
# root and daniel may open outbound connections freely.
-A OUTPUT -m owner --uid-owner root -j ACCEPT
-A OUTPUT -m owner --uid-owner daniel -j ACCEPT
# Anyone else falls through to the chain's ACCEPT policy; this rule only logs them.
-A OUTPUT -j ULOG --ulog-prefix egress
COMMIT
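To see what a ruleset like the one above actually enforces per user, here is a small audit script. It is an added example, not code from the linked page or from anyone in this thread. It parses the `*filter` table of an iptables-restore file, collects the OUTPUT rules that use `-m owner --uid-owner`, and reports for each user whether new outbound traffic is accepted, dropped, or only logged, taking the chain's default policy into account. The sample ruleset embedded in it is a constructed copy of the OUTPUT side of the post's script; the function names (`parse_filter_table`, `egress_policy`, `audit`) are my own.

```python
"""Audit an iptables-restore ruleset for per-user (owner match) egress policy.

Added example: reports, per uid-owner, what happens to outbound packets in the
OUTPUT chain. A target in LOG_TARGETS does not end rule traversal, so a user
that is only matched by such a rule still falls through to the chain policy.
"""
import shlex

# Constructed sample with the same shape as the ruleset quoted above.
SAMPLE_RULESET = """\
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:loga - [0:0]
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m owner --uid-owner www-data -j ULOG --ulog-prefix www
-A OUTPUT -m owner --uid-owner www-data -j DROP
-A OUTPUT -m owner --uid-owner root -j ACCEPT
-A OUTPUT -m owner --uid-owner daniel -j ACCEPT
-A OUTPUT -j ULOG --ulog-prefix egress
COMMIT
"""

# Non-terminating logging targets: the packet continues to the next rule.
LOG_TARGETS = {"ULOG", "NFLOG", "LOG"}


def parse_filter_table(text):
    """Return (policies, rules) for the *filter table.

    policies maps chain name -> default policy ("-" for user chains);
    rules is a list of token lists, each starting with the chain name.
    """
    policies, rules, in_filter = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):              # table header, e.g. *filter
            in_filter = line == "*filter"
            continue
        if not in_filter or line == "COMMIT":
            continue
        if line.startswith(":"):              # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        if line.startswith("-A "):
            rules.append(shlex.split(line)[1:])   # drop the leading "-A"
    return policies, rules


def egress_policy(text):
    """Map each uid-owner seen in OUTPUT to (effective target, logged?)."""
    policies, rules = parse_filter_table(text)
    default = policies.get("OUTPUT", "ACCEPT")
    fate, logged = {}, set()
    for args in rules:
        if args[0] != "OUTPUT" or "--uid-owner" not in args or "-j" not in args:
            continue
        uid = args[args.index("--uid-owner") + 1]
        target = args[args.index("-j") + 1]
        if target in LOG_TARGETS:
            logged.add(uid)
        else:
            fate.setdefault(uid, target)      # first terminating match wins
    users = {uid: (fate.get(uid, default), uid in logged)
             for uid in set(fate) | logged}
    return {"default": default, "users": users}


def audit(text):
    """Return human-readable findings about the OUTPUT chain's owner rules."""
    result = egress_policy(text)
    findings = []
    if result["default"] == "ACCEPT":
        findings.append("OUTPUT default policy is ACCEPT: users without an "
                        "explicit owner rule can send freely; a trailing "
                        "log rule records them but does not block them.")
    for uid, (target, is_logged) in sorted(result["users"].items()):
        if target == "DROP" and not is_logged:
            findings.append(f"{uid}: outbound traffic dropped without logging.")
        else:
            findings.append(f"{uid}: {target}"
                            + (" (logged)" if is_logged else ""))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_RULESET):
        print(line)
```

Run it against the file you are about to load (`python3 audit.py < rules`, after swapping `SAMPLE_RULESET` for `sys.stdin.read()`) and the first finding is the one that matters for the question in this thread: with `:OUTPUT ACCEPT`, the owner match only restricts the users you name explicitly, and the final ULOG rule is telemetry, not a block. The audit also does not model the `RELATED,ESTABLISHED` rule that precedes the owner rules, which is what lets www-data answer inbound requests even though it may not open new connections.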