# Iptables to block on application level

## satanskin

Could someone help me or tell me how to write an iptables rule to block an entire application from using the net? For example, if I were to want to block Firefox completely from using the net at all (including the local network as well), how could I do that? Please don't tell me to just block port 80 or any other ports. I'm trying to block on the application level. Thank you.

----------

## kamikaze04

You should have looked at Google with "iptables block application"; you would have found it on the first page for sure...

What you are looking for is using "iptables/netfilter"

Have fun

----------

## desultory

Like this:

```
iptables -I OUTPUT -m owner --cmd-owner firefox -j DROP
```

Note that according to the man page this is broken on SMP.

----------

## satanskin

Now, does the owner have to be a specific name? I mean, how exactly would I find the "owner" name to use? For example, how do I know to use firefox, or mozilla, or mozilla-firefox, or deer park, etc.? Is there a way to find what comes across as the owner string?

----------

## slycordinator

*satanskin wrote:*

> Now, does the owner have to be a specific name? I mean, how exactly would I find the "owner" name to use? For example, how do I know to use firefox, or mozilla, or mozilla-firefox, or deer park, etc.? Is there a way to find what comes across as the owner string?

A quick Google search indicates it's the actual program name, as in the name of the executable being run.

Like "deer park" would NOT be a correct one, because even when you have Deer Park installed you don't have an executable named that.

----------

## satanskin

*desultory wrote:*

> Like this:
> 
> ```
> iptables -I OUTPUT -m owner --cmd-owner firefox -j DROP
> ```
> ...

That command gives me the following in return:

```
thor satanskin # iptables -I OUTPUT -m owner --cmd-owner firefox -j LOG
iptables: Invalid argument
thor satanskin # iptables -I OUTPUT -m owner --cmd-owner firefox -j DROP
iptables: Invalid argument
```

And I can't find anything on Google so far about iptables and --cmd-owner.

----------

## slycordinator

http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=iptables+%22--cmd-owner%22

----------

## desultory

It looks as though your kernel lacks owner match support, install one that includes it.

The option to enable in your kernel configuration is located under 'Networking --->' -> 'Networking Options --->' -> 'Network packet filtering (replaces ipchains)' -> 'IP: Netfilter Configuration' as 'Owner match support'.

----------

## satanskin

*desultory wrote:*

> It looks as though your kernel lacks owner match support, install one that includes it.
> 
> The option to enable in your kernel configuration is located under 'Networking --->' -> 'Networking Options --->' -> 'Network packet filtering (replaces ipchains)' -> 'IP: Netfilter Configuration' as 'Owner match support'.

It's built in already.

EDIT: I'm pretty sure it is the --cmd-owner part that it is screwing up on.

----------

## jamapii

mani001 had a good idea, but it didn't seem to work, anyway...

https://forums.gentoo.org/viewtopic-t-417517-highlight-.html

----------

## satanskin

Alright, I'm an idiot and I should have checked this earlier. But checking /var/log/messages shows this when trying to run that command:

```
Jan  4 22:44:05 thor ipt_owner: pid, sid and command matching not supported anymore
```

So what's one supposed to do now!? This is a step in the wrong direction, guys!

----------

## desultory

Take another step in the wrong direction: downgrade to a supporting kernel, or port the old support into a new kernel (just avoid using that kernel with SMP).

----------
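The thread ends with `--cmd-owner` (matching on the executable name, as slycordinator described) having been dropped from the kernel's owner match. The following is an added example, not code posted in this thread, showing the part of the same `-m owner` match that current kernels still support: `--uid-owner`, which matches sockets by the effective user that created them rather than by binary name, so it no longer matters whether the program is called firefox, mozilla-firefox or something else. It assumes the application is launched under a dedicated account (the user name `ffox` below is a constructed example), and it also includes a small check that reads `/proc/net/ip_tables_matches`, the file in which the ip_tables module lists the match extensions it has loaded.

```shell
#!/bin/sh
# Added example (not from the thread): per-application outbound blocking with
# "-m owner --uid-owner", the owner-match option that is still supported,
# in place of the removed "--cmd-owner". The account name "ffox" is a
# constructed example; create such a user and run the application as it.

# Report whether the running kernel exposes the owner match at all.
# The ip_tables module lists its loaded match extensions, one name per line,
# in /proc/net/ip_tables_matches. The path is a parameter so the check can
# also be run against a sample file.
owner_match_available() {
    matches_file="${1:-/proc/net/ip_tables_matches}"
    [ -r "$matches_file" ] && grep -qx 'owner' "$matches_file"
}

# Print the two OUTPUT rules for user $1: a LOG rule first, so refused
# attempts show up in the kernel log, then the DROP. -A appends in order;
# with -I (as in the thread) the second rule would land above the first.
owner_block_rules() {
    app_user="$1"
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -j LOG --log-prefix "%s-blocked: "\n' "$app_user" "$app_user"
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -j DROP\n' "$app_user"
}

# Stand-alone use: "sh thisfile.sh --print ffox" prints the rules; pipe the
# output to sh as root to apply them.
if [ "${1:-}" = "--print" ]; then
    owner_block_rules "${2:-ffox}"
fi
```

With the rules loaded, starting the application as that account (for example `sudo -u ffox firefox`) leaves every socket it opens, including ones to the local network, matched by the rules; anything started as your normal user is unaffected. The rules cover IPv4 only, so the same pair is needed in `ip6tables` if the machine has IPv6 connectivity.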

