Tuesday, November 2, 2010
10:35 AM

How to Limit network access by user / group using iptables - Owner Match

iptables is the administration tool for netfilter, the packet filtering framework built into Linux kernels 2.4 and later. Together, netfilter and iptables provide stateful and stateless packet filtering, network and port address translation, and other IP packet manipulation. The framework is the successor to ipchains. iptables is built on top of netfilter, the packet alteration framework for Linux 2.4.x and 2.6.x; it is a major rewrite of its predecessor ipchains, and is used to control packet filtering, Network Address Translation (masquerading, port forwarding, transparent proxying), and special effects such as packet mangling.

Owner match:
The owner match extension matches packets based on the identity of the process that created them. The owner can be specified as the user ID of the user who issued the command in question, the group ID, the process ID, the session ID, or the command itself. The owner match only works within the OUTPUT chain, for an obvious reason: the module matches characteristics of the packet's creator, which are only known for locally generated packets. It is therefore only valid in the OUTPUT chain, and even there some packets (such as ICMP ping responses, which the kernel generates itself) may have no owner and hence never match.
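The following POSIX shell script is an added example, not code from the original post: it builds an OUTPUT-chain rule set that confines one user or group with `--uid-owner` / `--gid-owner`, allowing only the listed TCP destination ports and logging whatever else that owner tries to send. The user name `alice`, the group name `contractors` and the port list are constructed values; replace them for a real host.

```sh
#!/bin/sh
# Constructed example: generate (and optionally apply) iptables OUTPUT-chain
# rules that restrict a user's or group's outbound traffic with the owner match.
# Names and ports below are assumptions for illustration only.

# Print the rules for one owner.
#   $1 = "uid" or "gid", $2 = user/group name,
#   $3 = space-separated allowed TCP destination ports ("" = allow none)
owner_rules() {
    kind=$1; name=$2; ports=$3
    case "$kind" in
        uid) match="-m owner --uid-owner $name" ;;
        gid) match="-m owner --gid-owner $name" ;;
        *)   echo "owner_rules: kind must be uid or gid" >&2; return 1 ;;
    esac
    # Owner match is only valid in OUTPUT (locally generated packets).
    # Keep loopback open so local services used by this owner keep working.
    echo "iptables -A OUTPUT -o lo $match -j ACCEPT"
    # Let replies flow for connections this owner was allowed to open.
    echo "iptables -A OUTPUT $match -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $ports; do
        echo "iptables -A OUTPUT -p tcp --dport $p $match -j ACCEPT"
    done
    # Log, then drop, everything else from this owner.
    echo "iptables -A OUTPUT $match -j LOG --log-prefix \"owner-drop $name: \""
    echo "iptables -A OUTPUT $match -j DROP"
}

# Apply the generated rules (requires root). Example:
#   apply_owner_rules uid alice "80 443"
apply_owner_rules() {
    owner_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || return 1
    done
}

# Dry run: show what would be applied for user "alice" limited to web
# traffic, and for group "contractors" with no outbound access at all.
owner_rules uid alice "80 443"
owner_rules gid contractors ""
```

Remember that packets the kernel generates on its own, such as ICMP echo replies, carry no owner and fall through these rules untouched.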

