[plug] Restricting web access to specific users
Matt Kemner
zombie at penguincare.com.au
Wed May 28 14:44:26 WST 2003
On Wed, 28 May 2003, quoth Derek Fountain:
> > There *is* an owner match in at least the patch-o-matic for netfilter,
> Yeah, if you could point that out I'd be interested. I've just had a look in
> the pom and couldn't see anything like that.
It's in (recent versions of?) the main iptables, and recent 2.4 kernels.
Netfilter config in the kernel has:
CONFIG_IP_NF_MATCH_OWNER "Owner match support (EXPERIMENTAL)"
and the iptables manpage has:
owner
This module attempts to match various characteristics of
the packet creator, for locally-generated packets. It is
only valid in the OUTPUT chain, and even this some packets
(such as ICMP ping responses) may have no owner, and hence
never match.
--uid-owner userid
Matches if the packet was created by a process with
the given effective user id.
so for example you could do:
iptables -A OUTPUT -m owner --uid-owner 1000 -j ACCEPT
to allow outgoing traffic created by the user with userid 1000
- Matt
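The single ACCEPT rule in the post only lets uid 1000 through; since the OUTPUT chain's default policy is ACCEPT, nothing is restricted until other users' web traffic is explicitly refused. The script below, an added example and not part of the original post, builds that complete policy with the same owner match: a WEBUSERS chain (a name assumed here) hung off OUTPUT for TCP ports 80 and 443, one ACCEPT for the allowed numeric uid, and a REJECT for everyone else. Rules are emitted as text so they can be reviewed before being loaded as root.

```shell
#!/bin/sh
# Added example, not from the original post: restrict outbound HTTP/HTTPS
# to one local uid with the iptables owner match (CONFIG_IP_NF_MATCH_OWNER).
# The chain name WEBUSERS and the default uid 1000 are assumptions.

web_rules() {
    uid="$1"
    # --uid-owner also accepts names, but a numeric id avoids a silent
    # mismatch if /etc/passwd changes; reject anything non-numeric.
    case "$uid" in
        ''|*[!0-9]*) echo "web_rules: numeric uid required" >&2; return 1 ;;
    esac

    # The owner match is only valid in OUTPUT (see the manpage quote), so the
    # policy lives in a user chain that OUTPUT jumps to for web ports only.
    printf '%s\n' "iptables -N WEBUSERS"
    for port in 80 443; do
        printf '%s\n' "iptables -A OUTPUT -p tcp --dport $port -j WEBUSERS"
    done

    # Allowed user: matches on the *effective* uid of the creating process.
    printf '%s\n' "iptables -A WEBUSERS -m owner --uid-owner $uid -j ACCEPT"

    # Everyone else: REJECT with a reset so browsers fail immediately instead
    # of hanging on a dropped SYN. This line is what actually enforces the
    # restriction; packets with no owner never match the rule above anyway.
    printf '%s\n' "iptables -A WEBUSERS -p tcp -j REJECT --reject-with tcp-reset"
}

# Dry run by default (prints the rules). "sh script.sh apply 1000" as root
# loads them; they are not persistent across reboot.
if [ "${1:-}" = "apply" ]; then
    web_rules "${2:?usage: apply UID}" | sh -e
else
    web_rules "${2:-1000}"
fi
```

Two caveats a practitioner should keep in mind: the match is on the effective uid, so a setuid binary or a root process that has changed identity is judged by the identity it runs under, not the user who launched it; and return traffic arrives on INPUT, which the owner match cannot see, so this ruleset controls who may open web connections rather than what comes back.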
More information about the plug mailing list