notsobad/block-group.md

Last active December 22, 2021 09:25

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/notsobad/2a9fd08a6cffab7cdf70cc469811a84d.js"></script>
Save notsobad/2a9fd08a6cffab7cdf70cc469811a84d to your computer and use it in GitHub Desktop.

Raw

如何限制指定进程访问指定网络？

参考了https://unix.stackexchange.com/questions/68956/block-network-access-of-a-process ，其中netns是docker在用的方法，配置比较复杂，比较简单的方法是创建专门的group，在iptable增加针对group的限制。

# 新增一个组
groupadd no-lan

# 验证下组
sg no-lan id

# 阻止no-lan这个组对10.0.0.0/8的访问
iptables -I OUTPUT 1 -m owner --gid-owner no-lan -d 10.0.0.0/8 -j DROP

sg no-lan 'ping 10.0.0.1'
sg no-lan 'ping 114.114.114.114'
sg no-lan 'python your-script.py'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment