I'm trying to find the PID of a socket using the iptables OUTPUT chain log, or even better, to add it to the log.

My current iptables rule:

sudo iptables -A OUTPUT -j LOG --log-prefix='[PID]' --log-level 7 --log-uid

I'm a bit frustrated since I know that iptables' owner module can filter items by PID (using the -m owner --owner-pid flag), which means that the info is there, but I can't log it.

I know that it is impossible to do with the INPUT chain since iptables is a kernel process, but for the OUTPUT chain it should be possible.

Any idea? Or even how to cross-reference some log data in order to get the PID of OUTPUT-chain connections?

Or Yaacov
Comment by A.B, Jan 28 '22 at 18:20: https://meta.stackexchange.com/questions/64068/is-cross-posting-a-question-on-multiple-stack-exchange-sites-permitted-if-the-qu ( https://unix.stackexchange.com/questions/688185/iptables-log-connection-pid-on-output-chain )

1 Answer

So, there currently is no way for iptables to filter packets based on PID. But you can do it based on UID or GID:

owner match options:
[!] --uid-owner userid[-userid]      Match local UID
[!] --gid-owner groupid[-groupid]    Match local GID
[!] --socket-exists                  Match if socket exists
    --suppl-groups                   Also match supplementary groups set with --gid-owner

You could add a new user and then run the application as the newly created user:

sudo -u user application

If you have existing users, for example postfix, that already have user accounts, you could do this:

First, find the user's UID:

[root@mail ~]# cat /etc/passwd | grep postfix
postfix:x:89:89::/var/spool/postfix:/sbin/nologin

Second, add this iptables rule. Pay attention to where you want it in your OUTPUT chain:

/usr/sbin/iptables -A OUTPUT -m owner --uid-owner 89 -j LOG --log-prefix "POSTFIX: "

And then all packets from user postfix will be logged.

Cameron
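The procedure in the answer above (resolve a user to its UID, log that user's OUTPUT traffic with the owner match, then read the resulting kernel log lines), worked through as an added example that is not part of the original post or of iptables itself. It uses id(1) instead of grepping /etc/passwd, appends --log-uid (the flag the question already uses) so each log line carries UID=/GID= fields, and maps those fields back to an account name. The rule is only printed, not applied; the usernames, log prefix and the sample kernel log line are constructed for illustration.

```shell
#!/bin/sh
# Added example: owner-based OUTPUT logging per user, plus parsing of the
# UID=/GID= fields that --log-uid adds to each kernel LOG line.
# Sample values (prefix, hosts, the log line) are constructed, not captured.

# Resolve a username to its numeric UID (also covers NSS/LDAP users that
# are not present in /etc/passwd).
uid_of() {
    id -u "$1"
}

# Print the OUTPUT-chain rule that logs every packet sent by the given UID.
# --log-uid makes the kernel append UID= and GID= to each line, so the
# owning account can be recovered from the log itself. Printed, not applied.
build_log_rule() {
    uid="$1"
    prefix="$2"
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -j LOG --log-prefix "%s: " --log-uid\n' "$uid" "$prefix"
}

# Extract the numeric UID from one LOG line; empty if --log-uid was not set.
log_uid() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]UID=\([0-9]*\).*/\1/p'
}

# Extract the DST= address, to pair the account with where its traffic went.
log_dst() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]DST=\([^[:space:]]*\).*/\1/p'
}

# Map a numeric UID back to an account name via /etc/passwd; prints the
# number unchanged when no account matches (e.g. a user deleted since).
name_of_uid() {
    name=$(awk -F: -v u="$1" '$3 == u { print $1; exit }' /etc/passwd)
    if [ -n "$name" ]; then
        printf '%s\n' "$name"
    else
        printf '%s\n' "$1"
    fi
}

# Constructed sample of the line shape iptables LOG emits with --log-uid.
SAMPLE_LOG='Jan 28 18:20:01 mail kernel: POSTFIX: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=40512 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0 UID=89 GID=89'

# Stand-alone run: show the rule for the root account and decode the sample.
build_log_rule "$(uid_of root)" "ROOT"
printf 'uid=%s user=%s dst=%s\n' \
    "$(log_uid "$SAMPLE_LOG")" \
    "$(name_of_uid "$(log_uid "$SAMPLE_LOG")")" \
    "$(log_dst "$SAMPLE_LOG")"
```

Because the UID is resolved at match time in the kernel, a packet is attributed to whichever account owns the sending socket, so the same log line format works for any service account you place in a rule; if the host has no account with that UID, name_of_uid falls back to printing the number rather than misattributing the traffic.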