Block Outgoing Network Access For a Single User Using Iptables

Iptables has a special match module called owner (ipt_owner, provided by xt_owner on current kernels) which attempts to match various characteristics of the packet creator for locally generated packets. It is valid only in the OUTPUT and POSTROUTING chains, because the owning process is known just for packets the local host itself produces.

This is useful when you want to deny one user on your Linux server any outgoing network access: match that user with the owner module and block every packet the user's processes generate. For example, the oracle user may accept incoming connections (ssh and database clients) but should not be able to open any outgoing connection, whereas the admin user must be able to reach outside networks to download updates from RHN or the Oracle site. This is a nifty module and I use it extensively to restrict outgoing access to certain users.


The general syntax is as follows; replace ethX with the outgoing interface and {USERNAME} with a user name or numeric UID:

# silently discard the user's outgoing packets (the client only sees timeouts)
iptables -A OUTPUT -o ethX -m owner --uid-owner {USERNAME} -j DROP

# refuse them with an ICMP error so the client fails immediately
iptables -A OUTPUT -o ethX -m owner --uid-owner {USERNAME} -j REJECT

# explicitly allow a user (must precede any more general DROP/REJECT rule)
iptables -A OUTPUT -o ethX -m owner --uid-owner {USERNAME} -j ACCEPT

Where,

  • --uid-owner {USERNAME} : Matches if the packet was created by a process whose effective user ID is USERNAME (a name or a numeric UID).
  • -A : Append the rule to the end of the given chain.
  • -I : Insert the rule at the head of the given chain. Use this when OUTPUT already contains a blanket ACCEPT rule; a rule appended after it with -A would never be reached.

For example, on my server the oracle user has UID 1000, so I append the following rule and save the ruleset (service iptables save is the RHEL/CentOS way to persist it):

/sbin/iptables -A OUTPUT -o eth0 -m owner --uid-owner 1000 -j DROP
service iptables save
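The block/unblock procedure above, written as a small re-runnable script. This is an added example, not code from the original article: it assumes the outgoing interface is eth0 (override with IFACE), resolves the user name to a numeric UID with id -u, uses iptables -C so running it twice does not stack duplicate rules, inserts with -I so the rule sits ahead of any existing ACCEPT, and provides the matching -D to lift the block later. DRY_RUN=1 prints the commands instead of applying them, which is also how you can review the rule text before touching a production ruleset.

```shell
#!/bin/sh
# Block (and later unblock) all egress for one user with the owner match.
# Added example, not from the original article. Assumptions: the outgoing
# interface is eth0 (override with IFACE) and the user exists locally.
# Set DRY_RUN=1 to print the iptables commands instead of applying them.
IFACE="${IFACE:-eth0}"

run_iptables() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Return 0 if an identical rule is already present (iptables -C). A dry run
# always reports "absent" so the commands get printed.
rule_exists() {
    [ -z "$DRY_RUN" ] && iptables -C "$@" 2>/dev/null
}

# The rule text is built in one place so add, check and delete agree exactly.
# The user name is turned into a numeric UID: that is what the kernel matches
# on, and the rule keeps working if the account is renamed later.
egress_rule() {
    uid=$(id -u "$1" 2>/dev/null) || { echo "no such user: $1" >&2; return 1; }
    echo "OUTPUT -o $IFACE -m owner --uid-owner $uid -j ${2:-REJECT}"
}

block_user_egress() {
    spec=$(egress_rule "$1" "$2") || return 1
    if rule_exists $spec; then
        echo "already blocked: $1"
        return 0
    fi
    # -I puts the rule at the head of OUTPUT so it is evaluated before any
    # blanket ACCEPT; a rule appended with -A after such an ACCEPT never fires.
    run_iptables -I $spec
}

unblock_user_egress() {
    spec=$(egress_rule "$1" "$2") || return 1
    run_iptables -D $spec
}

# CLI: ./egress.sh block oracle [DROP|REJECT]   |   ./egress.sh unblock oracle [DROP|REJECT]
case "${1:-}" in
    block)   block_user_egress "$2" "${3:-REJECT}" ;;
    unblock) unblock_user_egress "$2" "${3:-REJECT}" ;;
esac
```

Because the rule is tied to -o eth0, connections the oracle user makes over loopback (for instance to a local database listener) are untouched; drop the -o argument if the user must not talk to anything at all. After applying, persist the ruleset the way your distribution expects (service iptables save on RHEL-style systems).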

Example: Block Apache User Making Outgoing Connections

Use the following iptables configuration to block all outgoing connections made by the Apache user. If an attacker gains code execution through a web application, this stops the compromised process from downloading further tooling onto your server with wget, curl or similar tools:

# replies on connections the server already accepted (HTTP responses) pass
iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# create a new chain
iptables --new-chain chk_apache_user
# use new chain to process packets generated by apache
iptables -A OUTPUT -m owner --uid-owner apache -j chk_apache_user
# Allow new connections to 143 (IMAP) and 25 (SMTP) so that webmail works :)
# (add -d <mail server IP> to either rule to pin the destination as well)
iptables -A chk_apache_user -p tcp --syn --dport 143 -j RETURN
iptables -A chk_apache_user -p tcp --syn --dport 25  -j RETURN
# reject everything else and stop hackers downloading code into our server
iptables -A chk_apache_user -j REJECT

Add/modify the above code in your existing firewall script. The original ipt_owner module also supported the following options:

  • --gid-owner {groupid}: Matches if the packet was created by a process with the given effective group id.
  • --pid-owner {processid}: Matches if the packet was created by a process with the given process id.
  • --sid-owner {sessionid}: Matches if the packet was created by a process in the given session group.
  • --cmd-owner {name} : Matches if the packet was created by a process with the given command name.

Of these, only --uid-owner and --gid-owner survive on current kernels: --pid-owner, --sid-owner and --cmd-owner were dropped from the mainline kernel during the 2.6 series, and the replacement xt_owner match offers --socket-exists instead. Do not build a policy on process names or PIDs; run the service under a dedicated account and match on its UID.

Please note that some packets (such as ICMP ping responses, which the kernel generates itself) have no owning process and hence never match. Also, on a custom kernel you may need to rebuild with owner match support enabled (CONFIG_NETFILTER_XT_MATCH_OWNER, under Core Netfilter Configuration). The default kernels on Red Hat Enterprise Linux and Debian already include the owner module.
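The chk_apache_user example above, generalised into a script that builds a per-user egress allowlist for any service account and any list of TCP ports. This is an added example, not code from the original article. It assumes the account passed as the first argument exists locally and that the remaining arguments are the destination ports it may open; the chain name chk_<user>_user and the EGRESS-DENY log prefix are this example's own choices. Compared with the article's block it rebuilds the chain on every run (so you get exactly one copy of each rule), keeps loopback open, hooks the chain into OUTPUT with -I so it precedes any blanket ACCEPT, and logs rejected attempts with a rate limit so a compromised web process fetching a payload leaves a line in the kernel log for detection. DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Per-user egress allowlist in a dedicated chain, generalising the
# chk_apache_user example: any service account, any list of TCP ports.
# Added example, not from the original article. Assumptions: the account named
# in $1 exists locally and the remaining arguments are allowed destination ports.
# Set DRY_RUN=1 to print the iptables commands instead of applying them.

run_iptables() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Return 0 if the chain already exists; a dry run always reports "absent".
chain_exists() {
    [ -z "$DRY_RUN" ] && iptables -n -L "$1" >/dev/null 2>&1
}

# Usage: user_egress_allowlist <user> <tcp port>...
user_egress_allowlist() {
    user="$1"; shift
    uid=$(id -u "$user" 2>/dev/null) || { echo "no such user: $user" >&2; return 1; }
    chain="chk_${user}_user"

    # Rebuild the chain from scratch so re-running the script leaves exactly
    # one copy of every rule instead of appending duplicates.
    if chain_exists "$chain"; then
        run_iptables -F "$chain"
    else
        run_iptables -N "$chain"
    fi
    # Replies on connections the service accepted (HTTP responses to clients)
    # are ESTABLISHED; hand them back to OUTPUT before the allowlist.
    run_iptables -A "$chain" -m state --state ESTABLISHED,RELATED -j RETURN
    # Loopback stays open so a local database or mail relay keeps working.
    run_iptables -A "$chain" -o lo -j RETURN
    for port in "$@"; do
        # New connections only (--syn); RETURN hands the packet back to OUTPUT.
        run_iptables -A "$chain" -p tcp --syn --dport "$port" -j RETURN
    done
    # Log before rejecting: a web-server process opening a connection to
    # anything not listed is the "wget a payload" pattern the article
    # describes, and this prefix is what a detection rule should key on.
    run_iptables -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DENY $user: "
    run_iptables -A "$chain" -j REJECT
    # Hook the chain into OUTPUT ahead of any blanket ACCEPT (-I, not -A);
    # skip if an identical jump is already present.
    if [ -z "$DRY_RUN" ] && iptables -C OUTPUT -m owner --uid-owner "$uid" -j "$chain" 2>/dev/null; then
        return 0
    fi
    run_iptables -I OUTPUT -m owner --uid-owner "$uid" -j "$chain"
}

# Example invocation mirroring the article's webmail case for the apache account:
# user_egress_allowlist apache 25 143
```

Run it as root (or with DRY_RUN=1 first to read the generated rules), then watch the kernel log for the EGRESS-DENY prefix: a hit from the apache account that is not one of your own cron jobs is worth an incident ticket, not just a firewall counter.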

๐Ÿง Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

๐Ÿง 11 comments so far... add one
CategoryList of Unix and Linux commands
Disk space analyzersncdu pydf
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
11 comments… add one
  • jason Apr 4, 2006 @ 22:16

    Ya very nice and useful. Just a quick note, if you are using RHEL firewall (GNOME Lokkit or system-config-securitylevel command), type the following command at the shell prompt:
    # iptables -I OUTPUT -o ethX -m owner --uid-owner oracle -j REJECT
    And save firewall:
    # /etc/init.d/iptables save



  • Ohmster Jan 1, 2008 @ 23:00

    This is a neat idea, but I use my Linux box as a router and would like to know how to deny and enable internet access for a single user on my network, the Linux box enables access by IPv4 forwarding. I want to deny a particular LAN computer such as and then be able to restore it again. Can you show us how to do that please? I really need this one and iptables is very complicated to try and figure out. Thanks.

  • Raj Jan 2, 2008 @ 8:42

    Use iptables drop target to drop unwanted IP. You can also use a GUI firewall tool such as Firestarter Linux Firewall or a web-based tool such as webmin.

  • MT May 31, 2008 @ 14:09

    Instead of blocking the IP you can block the mac address of that user’s machine. Else if you allow a range, he might keep trying to change IPs to get access.

    iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP

    Note in windows, you will see mac address as

    Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx

    you will have to use : instead of – , while dropping mac address using iptables

    You can use ipscan, to find the mac from any windows machine for your entire lan, just scan the network.

    In linux, you might use ethereal and tcpdump to gather the mac address of any other IP, not sure.

  • MT May 31, 2008 @ 14:38

    iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP

  • sathyashankar Dec 30, 2008 @ 12:04

    How do I unblock outgoing network access to a user later point in time?
    is there a command that would remove the earlier added rule?

  • ๐Ÿง nixCraft Dec 30, 2008 @ 12:27

    Use following syntax to delete rule:

    iptables  --delete chain rule-specification
  • David Baron Oct 28, 2009 @ 20:45

    Just what the doctor ordered, but
    ~$ sudo iptables -A OUTPUT -o eth0 -m owner --uid-owner esti -j DROP
    iptables: No chain/target/match by that name.

    But there is:
    sudo iptables -S | grep OUTPUT
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A OUTPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A OUTPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A OUTPUT -j s1

    I would probably want the -I option but it needs to recognize the chain!

    Once it is accepted by iptables, where do I do it: rc.local? ifup (where guarddog configures its iptables rules)?

  • Alex Feb 28, 2010 @ 21:37

    David Baron, check your kernel
    Networking support ->
    Networking options ->
    Network packet filtering framework (Netfilter) ->
    Core Netfilter Configuration ->
    “owner” match support

  • Anthony Oct 1, 2014 @ 19:50

    Great write-up. Is there a way to do the reverse of this?

    I would like to filter incoming traffic by user UID instead of filtering via IP and then make sure its applied only to eth0 and port 22.

  • markpat Nov 9, 2014 @ 17:22

    Any way to enable --pid-owner or --cmd-owner on CentOS 6.6? Only have --uid-owner and --gid-owner enabled, but I need to filter by pid.
