create iptables rule per process/service

Category: Front end | Unresolved | 5 answers | 1945 views
挽巷 2021-01-31 09:58

is it possible to use iptables in order to permit traffic initiated by a "process", ie using the process name? I would like for example to allow everything that is initiated b

5 answers
  •  长情又很酷
    2021-01-31 11:00

    -m owner --pid-owner PID
    

    See http://linuxpoison.blogspot.com/2010/11/how-to-limit-network-access-by-user.html and http://linux.die.net/man/8/iptables

    Note that you need the ipt_owner module, as --pid-owner is not supported by xt_owner.

    For example (this is just an approximation)

    #!/bin/bash
    # Start the command in the background, then reject packets owned by its PID.
    # $! holds the PID of the job just launched (the original read "%1", a job
    # spec bash cannot expand here); the rule also needs a chain (-A OUTPUT),
    # since the owner match is only valid in OUTPUT and POSTROUTING.
    "$@" &
    iptables -A OUTPUT -m owner --pid-owner "$!" -j REJECT
    

    In reality, though, you're better off using --uid-owner and --gid-owner. First, the --pid-owner criterion only matches the exact pid, meaning your program could easily spawn a child process which would not be blocked by this rule. (At least I haven't read otherwise.) Secondly, iptables(8) warns that --pid-owner is broken on SMP systems (which may or may not apply to you, but in either case limits portability). Third, there is a race condition in the script above, because the process is started before it is blocked. (If there is a way to get a process's pid before it starts, then I've never heard about it.)
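
The --uid-owner approach recommended in the answer above, as an added example (not code from the answer or the linked pages). It assumes a dedicated service account named webapp already exists, that the service only needs to reach 203.0.113.10 on TCP 443 (a constructed destination), and that runuser from util-linux is available; these names are illustrative. Because the UID is inherited by child processes and the rules are installed before the service starts, it avoids the two weaknesses of matching by PID that the answer describes.

```shell
#!/bin/sh
# Added example: confine a service's outbound traffic by running it under a
# dedicated UID and matching that UID with xt_owner's --uid-owner (valid in the
# OUTPUT and POSTROUTING chains). Assumptions (constructed for this example):
# service account "webapp" exists, the service only needs 203.0.113.10:443/tcp,
# and "runuser" is installed. Run as root with APPLY=1 to install the rules;
# without APPLY=1 it only prints the commands it would execute.

# Emit the iptables commands for one service account.
#   $1 = service account, $2 = allowed destination (CIDR), $3 = allowed TCP port
# Re-running requires flushing and deleting the svc_<user> chain first.
owner_rules() {
    user=$1; dst=$2; port=$3
    cat <<EOF
iptables -N svc_${user}
iptables -A OUTPUT -m owner --uid-owner ${user} -j svc_${user}
iptables -A svc_${user} -o lo -j ACCEPT
iptables -A svc_${user} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A svc_${user} -p udp --dport 53 -j ACCEPT
iptables -A svc_${user} -p tcp -d ${dst} --dport ${port} -j ACCEPT
iptables -A svc_${user} -j REJECT --reject-with icmp-port-unreachable
EOF
}
# Notes on the rule set: ESTABLISHED,RELATED lets the service answer inbound
# clients but cannot be used to open a new outbound flow (the first packet of an
# outbound connection is NEW); the DNS line is an example of a narrow extra
# allowance and can be dropped if the service does not resolve names.

# Install the rules, then start the service as the unprivileged user.
# Ordering matters: the rules exist before the first packet can be sent, so
# there is no start-up race, and children inherit the UID so they are covered
# too, unlike --pid-owner.
run_confined() {
    user=$1; dst=$2; port=$3; shift 3
    owner_rules "$user" "$dst" "$port" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then sh -c "$cmd"; else echo "+ $cmd"; fi
    done
    if [ "${APPLY:-0}" = 1 ]; then
        runuser -u "$user" -- "$@"
    else
        echo "+ runuser -u $user -- $*"
    fi
}

# Dry run (APPLY unset): prints the eight commands that would be executed.
run_confined webapp 203.0.113.10/32 443 /usr/bin/python3 -m http.server 8080
```

This only holds for a service that stays unprivileged: a process running as root can rewrite the rules, and one that changes its UID (setuid binaries, privilege-dropping daemons) is matched by the UID it sends with, not the one it started as. On nftables hosts the equivalent match is `meta skuid`.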
