I'm trying to find pid of a socket using iptables OUTPUT chain log, or even better adding it into the log.

My current iptables rule:

sudo iptables -A OUTPUT -j LOG --log-prefix='[PID]' --log-level 7 --log-uid 

I'm a bit frustrated since I know that iptables' owner module can filter items by pid (using -m owner --owner-pid flag) which means that the info is there, but I can't log it.

I know that it is impossible to do with the INPUT chain since iptables is a kernel process, but for the OUTPUT chain it should be possible.

Any idea? Or even how to cross-reference some log data in order to get the PID of OUTPUT chain connections?

1 Answer

So, there currently is no way for iptables to filter packets based on PID. But you can do it based on UID or GID:

owner match options:
[!] --uid-owner userid[-userid]    Match local UID
[!] --gid-owner groupid[-groupid]  Match local GID
[!] --socket-exists                Match if socket exists
    --suppl-groups                 Also match supplementary groups set with --gid-owner

You could add a new user and then run the application as the newly created user:

sudo -u user application 

If you have existing users, for example, postfix, that already have user accounts, you could do this:

First, find the user's UID:

[root@mail ~]# cat /etc/passwd | grep postfix
postfix:x:89:89::/var/spool/postfix:/sbin/nologin

Second, add this iptables rule. Pay attention to where you want it in your OUTPUT chain:

/usr/sbin/iptables -A OUTPUT -m owner --uid-owner 89 -j LOG --log-prefix "POSTFIX: " 

And then all packets from user postfix will be logged.

  • Looks like the --cmd-owner option was removed in kernel >= 2.6.15. (unfix-able) Commented Feb 12, 2022 at 16:55
  • Yes, you are right. I just edited the post. Commented Feb 12, 2022 at 21:57
  • Thank you again Cameron, but still this is not what I was looking for. Commented Feb 13, 2022 at 9:59
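The cross-referencing the question asks about, as an added example that is not part of the question or the answer: since the LOG target only records UID/GID (with --log-uid), the PID has to be recovered by matching the logged SRC:SPT -> DST:DPT tuple against the sockets `ss -tanp` reports while the connection is still open. The log line and the ss output below are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Added example: resolve the PID behind an iptables LOG line by matching its
# 4-tuple against `ss -tanp`. SAMPLE_LOG and SAMPLE_SS are constructed inputs.

SAMPLE_LOG='Feb 12 16:55:01 mail kernel: [PID]IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=43210 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0 UID=89 GID=89'

# Constructed stand-in for `ss -tanp` (State Recv-Q Send-Q Local:Port Peer:Port Process)
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB  0      0      192.0.2.10:43210    198.51.100.5:25     users:(("smtp",pid=1234,fd=7))
ESTAB  0      0      192.0.2.10:51000    203.0.113.9:443     users:(("curl",pid=2222,fd=3))'

# Print one KEY=value field of an iptables LOG line (nothing if the key is absent).
log_field() {  # $1 = log line, $2 = key (SRC, DST, SPT, DPT, UID, ...)
    printf '%s\n' "$1" | tr ' ' '\n' | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# Print the PID whose socket matches the log line's SRC:SPT -> DST:DPT.
# Prints nothing when no socket matches (e.g. the connection already closed).
pid_for_log_line() {  # $1 = log line, $2 = output of `ss -tanp`
    src=$(log_field "$1" SRC); spt=$(log_field "$1" SPT)
    dst=$(log_field "$1" DST); dpt=$(log_field "$1" DPT)
    [ -n "$src" ] && [ -n "$spt" ] && [ -n "$dst" ] && [ -n "$dpt" ] || return 1
    printf '%s\n' "$2" | awk -v l="$src:$spt" -v p="$dst:$dpt" '
        $4 == l && $5 == p {
            # Process column looks like users:(("smtp",pid=1234,fd=7))
            if (match($0, /pid=[0-9]+/)) print substr($0, RSTART + 4, RLENGTH - 4)
            exit
        }'
}

# Live use on a host (not run here): resolve each hit as it is logged, while the
# socket still exists. Short-lived connections may be gone before ss runs.
#   journalctl -k -f | grep --line-buffered '\[PID\]' | while read -r line; do
#       printf '%s UID=%s PID=%s\n' "$(log_field "$line" DPT)" \
#           "$(log_field "$line" UID)" "$(pid_for_log_line "$line" "$(ss -tanp)")"
#   done
pid_for_log_line "$SAMPLE_LOG" "$SAMPLE_SS"
```

Because the match is done against a snapshot of the socket table, a connection that opens and closes between the log line and the `ss` call yields no PID; the UID from --log-uid is the only attribution that survives that race.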
