I used:

```bash
sudo addgroup no-internet
sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
```

to block Internet access for the `no-internet` group on Linux Mint 22.3 Cinnamon. How can I still allow a given `localhost` port?
May 8, 2:12pm

To allow a specific localhost port (e.g., port 8080) for the no-internet group while still blocking all other internet access, you need to add an exception rule before the DROP rule in your iptables configuration.

Solution:

Run the following commands to allow traffic to a specific localhost port (replace 8080 with your desired port):

```bash
# Allow localhost traffic on port 8080 for the no-internet group.
# Use -I (insert at the top of OUTPUT) rather than -A (append): iptables
# matches rules in order, so the ACCEPT rules must sit before the DROP rule
# you already added, otherwise they are never reached.
sudo iptables -I OUTPUT -p tcp -d 127.0.0.1 --dport 8080 -m owner --gid-owner no-internet -j ACCEPT
sudo iptables -I OUTPUT -p udp -d 127.0.0.1 --dport 8080 -m owner --gid-owner no-internet -j ACCEPT

# Block all other internet access for the no-internet group
# (this is the rule from your original setup; only run it if it is not already present,
# otherwise it will be duplicated)
sudo iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
```

Explanation:

  1. Allow Rule:

    • `-p tcp` or `-p udp`: Specifies the protocol (TCP or UDP).
    • `-d 127.0.0.1`: Destination is localhost.
    • `--dport 8080`: Destination port (replace 8080 with your port).
    • `-m owner --gid-owner no-internet`: Applies to the no-internet group.
    • `-j ACCEPT`: Allows the traffic.
  2. Block Rule:

    • The DROP rule remains in place for all other traffic.

Persist the Rules:

To ensure the rules persist after a reboot, save them:

```bash
# /etc/iptables/rules.v4 is read at boot by the iptables-persistent package,
# so install that package first if it is not already present
sudo iptables-save | sudo tee /etc/iptables/rules.v4
```

Verify:

Check your rules with:

```bash
# --line-numbers shows rule order, so you can confirm the ACCEPT rules precede the DROP
sudo iptables -L OUTPUT -v -n --line-numbers
```

Notes:

  • If you want to allow all localhost traffic (all ports), use:
    ```bash
    # Inserted with -I so it is evaluated before the existing DROP rule
    sudo iptables -I OUTPUT -d 127.0.0.1 -m owner --gid-owner no-internet -j ACCEPT
    ```
  • If you need to allow both IPv4 and IPv6, repeat the rules for ip6tables.
May 8, 2:12pm
