Skip to content

How to Use the iptables Owner Module

DodaTech Updated 2026-06-24 2 min read

The owner module matches packets based on the process that created them. This enables per-user firewall rules. This guide walks through the specific troubleshooting steps to diagnose and resolve owner module issues.

Before You Begin

Before you begin, be sure to have the following in place:

  • A Linux server with the relevant software installed
  • Access to the command line interface
  • Appropriate permissions (root or sudo)

Quick Fix

Wrong

iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT (no user filtering)

Wrong: Allowing all users to access HTTP

iptables -A OUTPUT -m owner --uid-owner 1000 -p tcp --dport 80 -j ACCEPT

Right: Allowing only specific user (UID 1000) HTTP access

Output

Owner module rule added\nOnly UID 1000 can access HTTP outbound\nAll other users blocked

Prevention

To avoid future issues, follow these best practices:

  • Use --uid-owner to match packets by user ID of the creating process
  • Use --gid-owner to match packets by group ID
  • Use --pid-owner (less common) to match by process ID
  • The owner module works only in OUTPUT chain (locally generated packets)
  • Combine with other matches for granular per-user rules

DodaTech Tools

For further assistance with any of the above issues, consider using DodaTech consulting services or DodaTech tutorials for more in-depth guidance.

Common Mistakes with owner match

  1. Mixing let bindings with <- bindings in do notation, producing type errors
  2. Overlapping type class instances that cause GHC to reject the program with ambiguous dispatch errors
  3. Non-exhaustive pattern matches that compile with warnings then crash at runtime

These mistakes appear frequently in real-world IPTABLES code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

Why does the owner module only work in the OUTPUT chain?|||The owner module checks the socket owner of locally generated packets. Forwarded packets have no socket owner, so the module does not apply to FORWARD or INPUT chains.
Can I block internet access for a specific Linux user? Yes. Add iptables -A OUTPUT -m owner --uid-owner username -j DROP to block all outbound traffic for that user.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro