Hi, I've been redirected to this list in the hope that someone here can find a solution to my problem.

I'm trying to limit which network interfaces a given user can access. I have two network cards (eth0 and eth1), and I've set up all sorts of virtual interfaces (eth0:0, eth0:1, etc.) to give the cards multiple IP addresses. Basically, I want a given user to be restricted to using a given virtual interface (e.g. eth0:3) for all of their network transactions.

The behaviour that I'm seeing right now is that, when a user uses a program that listens on e.g. local port 12345, it's grabbing all of the traffic that comes into any of the virtual interfaces on port 12345. The netstat -tupan output for this program looks like:

    Proto: udp
    Recv-Q: 0
    Send-Q: 0
    Local Address: 0.0.0.0:12345
    Foreign Address: 0.0.0.0:*
    State: [none listed]
    PID/Program name: [pid]/[progname]

As a result, when the second user tries to use the same program that binds to the same port, one of the apps gets nothing since the other instance is grabbing them all. As a side note, the port that this program uses is hard-coded, and I can't modify it since it's in proprietary software land.

I've looked at things like http://sourceforge.net/projects/jail/, which provides a jail-like toolkit for Linux; however, as far as I can tell this version of Jail lacks the IP binding that is present in FreeBSD's version of Jail (which would be perfect for my needs). I've also seen the Linux VServer at http://linux-vserver.com/, however it requires a kernel patch, and I'm wary of anything that integrates that deep into the kernel (not to mention that upgrading with security patches and such would become a lot more difficult if I'm using a modified kernel).

Is there any way to only permit a user to access/bind to a given network interface or a given IP address using netfilter and iptables, or am I basically up the creek on this one?

Thanks,
-- -=Straxus=-
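To show the wildcard-bind behaviour the post describes, here is an added example (not from the original post or thread): one UDP socket bound to 0.0.0.0 next to one bound to a specific address on the same port, to see which of them the kernel hands a datagram to. It assumes Linux, uses the loopback addresses 127.0.0.1 and 127.0.0.2 as stand-ins for two virtual-interface addresses, and uses an ephemeral port as a stand-in for the hard-coded one.

```python
import socket


def deliver(dst_ip: str) -> str:
    """Bind one address-specific UDP socket (127.0.0.1) and one wildcard UDP
    socket (0.0.0.0) on the same port, send a datagram to dst_ip on that port,
    and report which socket received it: "specific", "wildcard" or "none".
    Assumption: Linux, where the whole 127.0.0.0/8 range is local, so
    127.0.0.2 acts as a second local address. SO_REUSEADDR on both sockets
    lets the specific and wildcard binds coexist on one port."""
    spec = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    wild = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for s in (spec, wild):
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.settimeout(0.5)
        # Like a process bound to the address of one virtual interface.
        spec.bind(("127.0.0.1", 0))
        port = spec.getsockname()[1]          # ephemeral port standing in for 12345
        # Like the proprietary program's 0.0.0.0:12345 listener.
        wild.bind(("0.0.0.0", port))

        sender.sendto(b"probe", (dst_ip, port))

        got = []
        for name, s in (("specific", spec), ("wildcard", wild)):
            try:
                s.recvfrom(64)
                got.append(name)
            except socket.timeout:
                pass
        # The kernel picks the best-matching bound socket: a socket bound to
        # the destination address wins over a wildcard one, and the wildcard
        # socket only collects traffic no specific socket has claimed.
        return ",".join(got) or "none"
    finally:
        for s in (spec, wild, sender):
            s.close()


if __name__ == "__main__":
    print("to 127.0.0.1 ->", deliver("127.0.0.1"))  # specific
    print("to 127.0.0.2 ->", deliver("127.0.0.2"))  # wildcard
```

The second call is the situation from the post: with only wildcard listeners on a port, every address's traffic ends up on whichever wildcard socket the kernel chooses, which is why binding each instance to its own address (rather than filtering) is what separates them.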