I need to tune up a networking app for network specific things like:
- make it use a DNS server different than the default one from /etc/resolv.conf
- make sure it does not try to connect to certain hosts/ports using tcp/udp connections
I know I can get away with just modifying /etc/resolv.conf and writing some iptables rules, but going for a default DENY firewall policy for outgoing IP packets can trigger malfunctions in other services running on the server.
I know I can set up a virtual machine with a whole OS and run my app there, but it seems a bit overkill.
Is it possible to have a networking "jail" for a single app (think single Linux process) that could accept iptables-like rules for network traffic (think in terms of IP packets and above) allowed to and from this particular app? Maybe this is achievable through some dynamically loaded library that can deal with the networking layer, in the same manner tsocks does, but more fine-grained?
If you can run the app as a specific user, you can write some iptables rules with the flag to match on that specific user.
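As an added example (not part of the answer above, and assuming the flag meant is iptables' owner match, `-m owner --uid-owner`): a POSIX sh script that emits an iptables-restore ruleset keyed on the app's UID, so the app gets its own DNS server via DNAT and its own default-deny policy while every other service on the host keeps the existing OUTPUT policy. The UID, resolver address and blocked destination in the usage line are constructed sample values.

```shell
#!/bin/sh
# confine_rules UID DNS_IP DEFAULT [HOST:PORT ...]
#   UID       user the app runs as (only its packets are touched)
#   DNS_IP    resolver the app must use; its port-53 traffic is DNAT'd there,
#             so /etc/resolv.conf stays untouched for everyone else
#   DEFAULT   ACCEPT or REJECT for everything not listed
#             (REJECT = default deny for this app only)
#   HOST:PORT IPv4 destinations the app must never reach
# Prints an iptables-restore script; nothing is applied by this function.
rule() { printf '%s\n' "$*"; }   # emit one iptables-restore line

confine_rules() {
  uid=$1 dns=$2 dflt=$3; shift 3
  chain="APP_OUT_$uid"
  rule '*nat'
  # Redirect the app's DNS queries (udp and tcp) to the chosen resolver.
  for p in udp tcp; do
    rule -A OUTPUT -m owner --uid-owner "$uid" -p "$p" --dport 53 \
         -j DNAT --to-destination "$dns:53"
  done
  rule COMMIT
  rule '*filter'
  rule ":$chain - [0:0]"
  # Only this UID's packets enter the per-app chain; nothing else changes.
  rule -A OUTPUT -m owner --uid-owner "$uid" -j "$chain"
  rule -A "$chain" -o lo -j ACCEPT
  rule -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # After DNAT the packet is addressed to DNS_IP, so only that resolver passes.
  for p in udp tcp; do
    rule -A "$chain" -p "$p" -d "$dns" --dport 53 -j ACCEPT
  done
  # Explicit host:port denials requested for this app (tcp and udp).
  for hp in "$@"; do
    host=${hp%:*} port=${hp##*:}
    for p in tcp udp; do
      rule -A "$chain" -p "$p" -d "$host" --dport "$port" -j REJECT
    done
  done
  rule -A "$chain" -j "$dflt"   # the app's own default policy
  rule COMMIT
}

# Load the rules without flushing existing chains (run as root), e.g.:
#   confine_apply 1001 10.0.0.53 REJECT 192.0.2.10:443
confine_apply() { confine_rules "$@" | iptables-restore --noflush; }
```

Check the result with `iptables -L APP_OUT_1001 -v` and `iptables -t nat -L OUTPUT -v`; the counters on the per-UID rules show whether the app's traffic is actually being diverted.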
Try using an OpenVZ container. It provides better isolation than a chroot, but with much less overhead than a virtual machine. The container can have its own filesystem, users, IP addresses and iptables rules. The overhead is minimal because the container does not run its own kernel.