Linux networking "jail" for a single process

Posted by halp on Server Fault See other posts from Server Fault or by halp
Published on 2010-06-17T13:07:17Z Indexed on 2010/06/17 13:13 UTC
Read the original article Hit count: 584

Filed under:
|

I need to tune up a networking app for network specific things like:

  • make it use a DNS server different than the default one from /etc/resolv.conf
  • make sure it does not try to connect to certain hosts/ports using tcp/udp connections

I know I can get away with just modifying /etc/resolv.conf and writing some iptables rules, but going for a default DENY firewall policy for outgoing IP packets can trigger malfunctions in other services running on the server.

I know I can set up a virtual machine with a whole OS and run my app there, but it seems a bit overkill.

Is it possible to have a networking "jail" for a single app (think single Linux process) that could accept iptables-like rules for network traffic (think in terms of IP packets and above) allowed to and from this particular app? Maybe this is achievable through some dynamically loaded library that can deal with the networking layer, the same manner tsocks does, but more fine-grained?

© Server Fault or respective owner

Related posts about linux

Related posts about networking