Linux networking "jail" for a single process
Posted
by halp
on Server Fault
See other posts from Server Fault
or by halp
Published on 2010-06-17T13:07:17Z
Indexed on
2010/06/17
13:13 UTC
Read the original article
Hit count: 584
linux
|networking
I need to tune up a networking app for network specific things like:
- make it use a DNS server different than the default one from /etc/resolv.conf
- make sure it does not try to connect to certain hosts/ports using tcp/udp connections
I know I can get away with just modifying /etc/resolv.conf and writing some iptables rules, but going for a default DENY firewall policy for outgoing IP packets can trigger malfunctions in other services running on the server.
I know I can set up a virtual machine with a whole OS and run my app there, but it seems a bit overkill.
Is it possible to have a networking "jail" for a single app (think single Linux process) that could accept iptables-like rules for network traffic (think in terms of IP packets and above) allowed to and from this particular app? Maybe this is achievable through some dynamically loaded library that can deal with the networking layer, the same manner tsocks does, but more fine-grained?
© Server Fault or respective owner