On 8/13/20 6:03 PM, Alexey Mishustin wrote:
> Isn't this classic option suitable?
> iptables -A OUTPUT -o <some_interface> -m owner --gid-owner noinet -j DROP
Ugh.
I'm sure that's a viable method to deal with the problem after the fact.
But I prefer to not have the problem in the first place. Thus no need
to deal with it after the fact.
I dislike Docker, but I do like the idea of containers or network
namespaces. As such, I think it should be relatively trivial to create
a network namespace that has what you need without too much effort. I'd
think that some judicious "unshare" / "nsenter" / "ip netns exec"
commands would suffice.
I run BIRD in multiple network namespaces (think virtual routers) for
things with a few commands and NO Docker, et al.
# Persist all three namespaces by bind-mounting them onto pre-existing
# files under /run, and set the UTS hostname to the namespace name.
unshare --mount=/run/mountns/${NetNS} --net=/run/netns/${NetNS} \
    --uts=/run/utsns/${NetNS} /bin/hostname ${NetNS}
# Loopback starts down in a fresh network namespace.
nsenter --mount=/run/mountns/${NetNS} --net=/run/netns/${NetNS} \
    --uts=/run/utsns/${NetNS} /bin/ip link set dev lo up
# Start the daemon inside, with per-namespace pid file and control socket.
nsenter --mount=/run/mountns/${NetNS} --net=/run/netns/${NetNS} \
    --uts=/run/utsns/${NetNS} /usr/sbin/bird -P /var/run/bird.${NetNS}.pid \
    -s /var/run/bird.${NetNS}.ctl
You can replace /usr/sbin/bird ... with whatever command you need to
start Plex.
Obviously you will need to add the network interface to connect from
your physical network to the network namespace and configure it
accordingly. But that's relatively trivial to do.
I find these types of network / mount / UTS namespaces, containers, to
be extremely lightweight and easy to do things in. I've created some
wrapper scripts to make it trivial to add / list / remove such
containers; mknns, lsnns, rmnns.
--
Grant. . . .
unix || die
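The procedure Grant outlines above (persistent mount/net/UTS namespaces, loopback up, a daemon started inside, plus the veth "uplink" he mentions but does not show), worked through as one script. This is an added example, not Grant's own mknns/lsnns/rmnns scripts, which were not posted. It assumes root, a util-linux unshare/nsenter that accept --mount=FILE/--net=FILE/--uts=FILE, and iproute2; the namespace name plex, the interface names v-NAME/p-NAME and the 10.0.0.0/24 addresses are placeholders. Two requirements from unshare(1) that the list post takes for granted are handled explicitly: the namespace files must exist before unshare can bind-mount onto them, and the mount-namespace file must not live on a shared mount. Setting NNS_DRY_RUN=1 prints the privileged commands instead of running them, which is a convenient way to review what would be done before doing it as root.

```shell
#!/bin/sh
# Added example (not Grant's scripts): persistent mount+net+UTS namespace
# under /run with a veth uplink, plus run/list/remove helpers.
# Assumed: root, util-linux unshare/nsenter with --mount=/--net=/--uts=FILE,
# iproute2. Names and addresses are placeholders.
# NNS_DRY_RUN=1 prints each privileged command instead of executing it.
set -eu

NNS_DRY_RUN="${NNS_DRY_RUN:-0}"

# run CMD...: execute CMD, or print it when dry-running
run() {
    if [ "$NNS_DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# nns_valid NAME: reject names that could escape /run/* or exceed the
# 15-character interface-name limit once the "v-"/"p-" prefix is added
nns_valid() {
    case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    [ "${#1}" -le 13 ]
}

# in_ns NAME CMD...: run CMD inside all three persistent namespaces of NAME
in_ns() {
    _ns="$1"; shift
    run nsenter --mount="/run/mountns/$_ns" --net="/run/netns/$_ns" \
        --uts="/run/utsns/$_ns" "$@"
}

# mknns NAME HOST_ADDR/PREFIX NS_ADDR/PREFIX: create the namespace and uplink
mknns() {
    [ $# -eq 3 ] || { echo "usage: mknns NAME HOST_ADDR/PFX NS_ADDR/PFX" >&2; return 1; }
    ns="$1"; host_addr="$2"; ns_addr="$3"
    nns_valid "$ns" || { echo "mknns: bad namespace name '$ns'" >&2; return 1; }
    # unshare bind-mounts /proc/PID/ns/* onto existing files, so create them
    for d in mountns netns utsns; do
        run mkdir -p "/run/$d"
        run touch "/run/$d/$ns"
    done
    # a persistent mount-namespace file must not sit on a shared mount
    mountpoint -q /run/mountns || {
        run mount --bind /run/mountns /run/mountns
        run mount --make-private /run/mountns
    }
    run unshare --mount="/run/mountns/$ns" --net="/run/netns/$ns" \
        --uts="/run/utsns/$ns" /bin/hostname "$ns"
    in_ns "$ns" ip link set dev lo up
    # veth pair: v-NAME stays on the host, p-NAME moves into the namespace
    run ip link add "v-$ns" type veth peer name "p-$ns"
    run ip link set "p-$ns" netns "$ns"        # ip resolves NAME via /run/netns
    run ip addr add "$host_addr" dev "v-$ns"
    run ip link set "v-$ns" up
    in_ns "$ns" ip addr add "$ns_addr" dev "p-$ns"
    in_ns "$ns" ip link set "p-$ns" up
    in_ns "$ns" ip route add default via "${host_addr%/*}"
}

# runnns NAME CMD...: start a daemon (bird, plex, ...) inside the namespace
runnns() { in_ns "$@"; }

# lsnns: list namespaces that have a persistent netns file
lsnns() {
    for f in /run/netns/*; do [ -e "$f" ] && basename "$f"; done
    return 0
}

# rmnns NAME: drop the uplink, unmount and delete the namespace files
rmnns() {
    ns="$1"
    nns_valid "$ns" || { echo "rmnns: bad namespace name '$ns'" >&2; return 1; }
    run ip link del "v-$ns"                    # removes p-NAME as well
    for d in mountns netns utsns; do
        run umount "/run/$d/$ns"
        run rm -f "/run/$d/$ns"
    done
}

# usage: ./nns.sh mknns plex 10.0.0.1/24 10.0.0.2/24
#        ./nns.sh runnns plex /usr/sbin/bird -P /var/run/bird.plex.pid
#        ./nns.sh rmnns plex
case "${1:-}" in
    mknns|runnns|lsnns|rmnns) cmd="$1"; shift; "$cmd" "$@" ;;
esac
```

Processes started with runnns keep the namespaces alive even after rmnns unmounts the files, so stop the daemon first; the host-side NAT or routing for 10.0.0.0/24 is left to the reader, since the point of the exercise is to decide per namespace what, if anything, reaches the outside.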