In article <CAADeyWhP3MjsPc-MO7aeWzsxsq9pHiBPHO2iU3bo8i0ttJiLcw at mail.gmail.com>, Alexander Farber <alexander.farber at gmail.com> wrote: > Good morning > > With iptables in CentOS 5 and 6 Linux - how can you please > prevent processes running as "root", "apache" or "nobody" > from initiating outgoing connections? > > On CentOS 5 Linux I've tried putting these lines into /etc/sysconfig/iptables: > > -A OUTPUT -m owner --uid-owner root -j DROP > -A OUTPUT -m owner --uid-owner apache -j DROP > -A OUTPUT -m owner --uid-owner nobody -j DROP > > but unfortunately get the error: > > # sudo service iptables restart > iptables: Flushing firewall rules: [ OK ] > iptables: Setting chains to policy ACCEPT: filter [ OK ] > iptables: Unloading modules: [ OK ] > iptables: Applying firewall rules: iptables-restore v1.4.7: owner: Bad > value for "--uid-owner" option: "apache" > Error occurred at line: 27 > Try `iptables-restore -h' or 'iptables-restore --help' for more information. > [FAILED] Perhaps it doesn't do a username lookup and only understands numeric userids? Try: -A OUTPUT -m owner --uid-owner 0 -j DROP -A OUTPUT -m owner --uid-owner 48 -j DROP -A OUTPUT -m owner --uid-owner 99 -j DROP (I think those values are standard on CentOS) Bear in mind that preventing root connections would stop you doing any kind of updating using yum, unless you have a previous rule allowing http. Cheers Tony -- Tony Mountifield Work: tony at softins.co.uk - http://www.softins.co.uk Play: tony at mountifield.org - http://tony.mountifield.org