I would like to forbid a user account on Linux to use a given port. So far, without root privileges, a user can't use ports under 1024. Is there a way to limit a user to a given range of ports, let's say [2100-2199]?

Hugo

    This is related to [the opposite problem posed here](http://unix.stackexchange.com/q/10735/1925) and likely shares some of the same limits / half solutions. – Caleb Jul 06 '11 at 13:49

2 Answers

I don't know exactly how to configure this, but I think that SELinux and grsecurity are able to control this through some ACL-like system. Read up on those, particularly SELinux, and maybe somebody that knows how to configure them can provide a more detailed pointer.

Caleb

From the Shorewall rules documentation, iptables has the capability to match users or groups as long as they are on the same machine. You will need to set up the appropriate deny rule(s) for the port range. You may want to install Shorewall to manage your firewall.

BillThor

    Iptables doesn't work that way. When a packet is incoming it's not owned by any user (even if it's that user's process listening). Only outgoing packets have a user, and not all packets will be owned by who you think they should be. – bahamat Jul 06 '11 at 20:23
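As an added example (not code from the answer, the comment or Shorewall), here is what the iptables owner match the answer refers to looks like when written out for the [2100-2199] range in the question. The function only prints the rules so it runs unprivileged; you would apply its output as root. The uid, the choice of REJECT over DROP, and the rule ordering are assumptions for illustration. The comment above applies unchanged: the owner match works in the OUTPUT chain only, so these rules confine what the user's processes send, and cannot stop the user from calling bind() on a port outside the range; they only block the replies such a socket would send.

```shell
#!/bin/sh
# Added example: emit iptables OUTPUT-chain rules that confine one local
# user's TCP traffic to a port range with the owner match (-m owner).
# Prints the commands instead of running them, so no root is needed here.
# Assumptions: the user is given as a numeric uid; out-of-range traffic is
# rejected with an ICMP error rather than silently dropped.
owner_port_rules() {
    uid=$1
    lo=$2
    hi=$3
    # Refuse bad input before producing rules that could lock a user out.
    [ $# -eq 3 ] || { echo "usage: owner_port_rules UID LOW HIGH" >&2; return 1; }
    for v in "$uid" "$lo" "$hi"; do
        case "$v" in
            ''|*[!0-9]*) echo "numeric uid/ports required, got '$v'" >&2; return 1 ;;
        esac
    done
    [ "$lo" -le "$hi" ] && [ "$hi" -le 65535 ] || { echo "bad port range $lo:$hi" >&2; return 1; }

    # Packets the user's sockets send from a local port in range (i.e. a
    # service they run on one of the permitted ports) are allowed.
    echo "iptables -A OUTPUT -p tcp --sport $lo:$hi -m owner --uid-owner $uid -j ACCEPT"
    # Connections the user initiates to a port in range are allowed too.
    echo "iptables -A OUTPUT -p tcp --dport $lo:$hi -m owner --uid-owner $uid -j ACCEPT"
    # Any other TCP packet this uid sends is rejected. Incoming packets are
    # never matched: they carry no owner, so this rule does not prevent the
    # user from binding elsewhere, it only stops their replies.
    echo "iptables -A OUTPUT -p tcp -m owner --uid-owner $uid -j REJECT"
}

# Usage: print the three rules for uid 1000 and the question's range.
owner_port_rules 1000 2100 2199
```

Remember that the owner match is evaluated on locally generated packets only; as the comment notes, a packet that is part of a connection accepted by the user's listening socket is not guaranteed to carry that uid, so treat this as a partial control rather than a bind() restriction.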