How do I properly get the firewall to block any application by group?

To block the applications I care about, I did something like this:

groupadd nonet
adduser $USER nonet
iptables -A OUTPUT -m owner --gid-owner nonet -j REJECT #put at /etc/rc.local

sudo -k iptables --list |grep nonet #to confirm
#REJECT all -- anywhere anywhere owner GID match nonet reject-with icmp-port-unreachable

Test (after reboot):

sg nonet "ping www.google.com" #was blocked
sg nonet "google-chrome" #was able to connect, why?
sg nonet "links2" #was able to connect, why?

# showed all properly being on group nonet
ps --forest -A -o pid,ppid,user,group,cmd |egrep "links|chrome"

So it doesn't work for some applications.
How do I make the firewall rule (by group) apply to all applications (when using sg nonet)?

PS: this is Ubuntu 16.04.
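Two checks worth running on a setup like the one in the question, as an added example that is not part of the original post: whether the owner-match REJECT rule is present in the IPv4 and IPv6 tables (iptables and ip6tables keep separate tables, so a rule added only with iptables covers IPv4 traffic only), and which effective GID a running process actually carries. The listing format assumed is that of iptables -S OUTPUT; the group token is matched as iptables prints it (name or numeric GID), and the sample listings in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Linux (/proc) and
# iptables-save style listings such as the output of `iptables -S OUTPUT`.

# Return 0 if the listing in $1 contains an OUTPUT REJECT rule whose owner
# match names the group in $2 (as iptables prints it: name or numeric GID).
owner_reject_present() {
    printf '%s\n' "$1" | grep -q -- "^-A OUTPUT .*-m owner --gid-owner $2 -j REJECT"
}

# Classify how far the group block reaches: "both", "v4-only", "v6-only" or
# "none". $1 = iptables listing, $2 = ip6tables listing, $3 = group token.
owner_rule_coverage() {
    v4=1; v6=1
    owner_reject_present "$1" "$3" && v4=0
    owner_reject_present "$2" "$3" && v6=0
    if [ $v4 -eq 0 ] && [ $v6 -eq 0 ]; then echo both
    elif [ $v4 -eq 0 ]; then echo v4-only
    elif [ $v6 -eq 0 ]; then echo v6-only
    else echo none; fi
}

# Effective GID of a process, read from /proc/<pid>/status. The Gid: line
# lists real, effective, saved and filesystem GID; field 3 is the effective one.
effective_gid_of_pid() {
    awk '/^Gid:/ { print $3 }' "/proc/$1/status"
}

# Usage on a live system (reading the tables needs root), e.g.:
#   owner_rule_coverage "$(iptables -S OUTPUT)" "$(ip6tables -S OUTPUT)" nonet
#   effective_gid_of_pid "$(pgrep -n links2)"; getent group nonet
# Constructed sample listing that would classify as "v4-only":
#   iptables:  -A OUTPUT -m owner --gid-owner nonet -j REJECT --reject-with icmp-port-unreachable
#   ip6tables: -P OUTPUT ACCEPT
```

Compare the GID printed for a process with the GID of nonet from getent group: the owner match can only reject traffic from sockets whose creating process carried that GID.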
