On 2020-08-14, Alexey Mishustin <shum...@shumkar.ru> wrote:
> Isn't this classic option suitable?
>
> groupadd noinet
> usermod -a -G noinet <your_user>
> iptables -A OUTPUT -i <some_interface> -m owner --gid-owner noinet -j DROP
>
> and calling not
>
> Plex
>
> but
>
> sg noinet Plex
>
> (or whatever name the binary has)
Thanks for the suggestion! [For posterity's sake, with -A OUTPUT it's -o <interface> rather than -i <interface>]

Yes, I think that should work. I had forgotten (or never knew?) that iptables rules could trigger on the uid or gid of the process that sent the packet.

The Plex media server already runs in its own user/group -- something I should have mentioned in my original post, since it means that "from a user" instead of "from an application" would also work. My original post also said I was trying to hide an interface, when all I really needed was to prevent sending of packets on that interface.

I think this should work, but I need to rebuild my kernel with the iptables "owner" extension enabled:

iptables -A OUTPUT -o <interface> -m owner --uid-owner plex -j DROP

I was just about to start experimenting with ipvlan and network namespaces, but an iptables rule triggering on uid looks much much easier.

-- 
Grant
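An added example, not from this thread, of how a practitioner would script the rule discussed above: it checks that the running kernel has the owner match compiled in (CONFIG_NETFILTER_XT_MATCH_OWNER is the kernel option behind "-m owner"), uses -o rather than -i because OUTPUT has no incoming interface, inserts the rule only if it is not already present, and adds the same rule to ip6tables so IPv6 traffic from the group is not left open. The group "noinet" and user "plex" come from the thread; the script name, the IFACE and GROUP variables and the NOINET_APPLY guard are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): drop every outgoing packet that a
# process in group $GROUP sends on interface $IFACE, via the iptables "owner"
# match. Nothing touching the firewall runs unless NOINET_APPLY=1 is set,
# because iptables needs root.

IFACE="${IFACE:-eth0}"      # assumed interface name; set it to the real one
GROUP="${GROUP:-noinet}"    # group whose packets must never leave IFACE

# Return 0 if a kernel config enables the owner match (=y or =m).
# Reads the file named in $1, or standard input when no argument is given.
config_has_owner_match() {
    if [ $# -gt 0 ]; then
        grep -qE '^CONFIG_NETFILTER_XT_MATCH_OWNER=[ym]$' "$1"
    else
        grep -qE '^CONFIG_NETFILTER_XT_MATCH_OWNER=[ym]$'
    fi
}

# Print the running kernel's config: /proc/config.gz when CONFIG_IKCONFIG_PROC
# is enabled, otherwise /boot/config-<release>. Returns 1 if neither exists.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Build the rule once so iptables and ip6tables get the identical rule.
# -o (out-interface) is the correct flag in OUTPUT; -i is rejected there.
owner_drop_rule() {
    printf '%s' "OUTPUT -o $IFACE -m owner --gid-owner $GROUP -j DROP"
}

# Append the rule to one table only if it is not already there:
# -C checks for an existing identical rule, -A appends. Re-running the
# script therefore does not stack duplicate rules.
ensure_rule() {
    tool="$1"   # iptables or ip6tables
    # $(owner_drop_rule) is intentionally unquoted so it word-splits into args
    if ! "$tool" -C $(owner_drop_rule) 2>/dev/null; then
        "$tool" -A $(owner_drop_rule)
    fi
}

main() {
    if ! running_kernel_config | config_has_owner_match; then
        echo "kernel lacks CONFIG_NETFILTER_XT_MATCH_OWNER; rebuild first" >&2
        exit 1
    fi
    getent group "$GROUP" >/dev/null || groupadd "$GROUP"
    # Cover both address families: a rule in iptables alone leaves IPv6 open.
    ensure_rule iptables
    ensure_rule ip6tables
    # Show what is now in place for the interface.
    iptables -S OUTPUT | grep -- "-o $IFACE"
    ip6tables -S OUTPUT | grep -- "-o $IFACE"
}

# Usage: IFACE=eth0 NOINET_APPLY=1 sudo -E sh noinet.sh
# Then start the server under the group, as suggested in the thread:
#   sg noinet Plex
if [ "${NOINET_APPLY:-0}" = 1 ]; then
    main
fi
```

The kernel-config check matters because, as the reply notes, "-m owner" silently fails to load on a kernel built without the extension; checking the config before touching the firewall gives a clear error instead of a rule that never matches.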