Dev.to•Jan 19, 2026, 10:18 AM
Linux Sysadmins Get Parental Controls: iptables Grounds UserA's Curl Outings, But Lets Servers Keep Listening to Inbound Drama


Linux administrators can restrict a specific user's outbound network connections with iptables while still letting that user run services that listen on ports and answer inbound connections. The trick is a rule in the OUTPUT chain that matches packets owned by the user (-m owner --uid-owner) and drops or rejects only those in the NEW conntrack state, that is, the first packet of a connection the user's own process initiates. Packets that the user's server sends back on a connection a remote client opened are classified by conntrack as ESTABLISHED and are left alone.

Implementing it requires root privileges, conntrack support in the kernel, and the target user's numeric UID. Two rules placed ahead of the per-user rule keep return traffic and local traffic working: one accepting ESTABLISHED and RELATED packets, and one accepting traffic on the loopback interface. The core rule then rejects or drops the user's NEW outbound connections, for example:

sudo iptables -I OUTPUT 3 -m owner --uid-owner <UID_A> -m conntrack --ctstate NEW -j REJECT

Position 3 assumes the ESTABLISHED,RELATED rule and the loopback rule already occupy positions 1 and 2; if the per-user rule lands above the ESTABLISHED rule, the user's listening services can no longer send their replies. REJECT makes the user's connection attempts fail immediately, whereas DROP leaves them waiting for a timeout. The rule is minimally invasive and well suited to service accounts whose egress should be limited without breaking inbound service behaviour. Two caveats a practitioner should keep in mind: the match is by UID, so it constrains nothing the user can run under another account (and a user with sudo can simply delete the rule), and iptables rules do not survive a reboot unless they are saved with the distribution's persistence mechanism.
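The procedure above, as an added example that is not code from the original article: a POSIX shell script that generates the three OUTPUT rules for a given UID (guarded with iptables -C so running it twice does not duplicate them), and a check that reads the output of iptables -S OUTPUT and confirms the ESTABLISHED,RELATED accept rule sits above the per-user NEW rule, which is the ordering mistake that would break the user's inbound services. The function names, the --apply/--check/--demo flags and the SAMPLE_* chain listings are this example's own constructed assumptions, so the check can be exercised without root.

```shell
#!/bin/sh
# Added example, not code from the original article: generate, apply and
# verify the per-user egress rules described above. Function and variable
# names (egress_rules, check_order, SAMPLE_*) are this example's own.

# Print the iptables commands that restrict NEW outbound connections for
# numeric UID $1. $2 is the target: REJECT (connect() fails at once) or
# DROP (the caller waits for a timeout); default REJECT. Each command is
# guarded with "iptables -C" so re-running the script adds no duplicates.
egress_rules() {
    uid="$1"
    target="${2:-REJECT}"
    case "$uid" in
        ''|*[!0-9]*) echo "egress_rules: numeric UID required" >&2; return 1 ;;
    esac
    case "$target" in
        REJECT|DROP) ;;
        *) echo "egress_rules: target must be REJECT or DROP" >&2; return 1 ;;
    esac
    est="-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    lo="-o lo -j ACCEPT"
    own="-m owner --uid-owner $uid -m conntrack --ctstate NEW -j $target"
    # Replies on inbound connections and loopback traffic go first
    # (positions 1 and 2); the per-user rule goes at 3, as in the article.
    printf 'iptables -C OUTPUT %s 2>/dev/null || iptables -I OUTPUT 1 %s\n' "$est" "$est"
    printf 'iptables -C OUTPUT %s 2>/dev/null || iptables -I OUTPUT 2 %s\n' "$lo" "$lo"
    printf 'iptables -C OUTPUT %s 2>/dev/null || iptables -I OUTPUT 3 %s\n' "$own" "$own"
}

# Read the output of "iptables -S OUTPUT" on stdin and succeed only if the
# ESTABLISHED,RELATED accept rule comes before the owner-match NEW rule for
# UID $1. If the order is reversed, the user's listening services cannot
# send their replies, which is the failure mode this layout must avoid.
check_order() {
    uid="$1"
    est_pos=0
    own_pos=0
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            *"--ctstate ESTABLISHED,RELATED"*"-j ACCEPT"*)
                if [ "$est_pos" -eq 0 ]; then est_pos=$n; fi ;;
            *"--uid-owner $uid "*"--ctstate NEW"*)
                if [ "$own_pos" -eq 0 ]; then own_pos=$n; fi ;;
        esac
    done
    [ "$est_pos" -gt 0 ] && [ "$own_pos" -gt 0 ] && [ "$est_pos" -lt "$own_pos" ]
}

# Constructed sample chain listings in the format "iptables -S OUTPUT"
# prints, so the ordering check can be exercised without root.
SAMPLE_GOOD='-P OUTPUT ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 1001 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable'

SAMPLE_BAD='-P OUTPUT ACCEPT
-A OUTPUT -m owner --uid-owner 1001 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

# Usage (root is needed for the first two):
#   sh egress.sh --apply 1001 [REJECT|DROP]   run the generated commands
#   sh egress.sh --check 1001                 verify order on the live chain
#   sh egress.sh --demo                       run the check on the samples
case "${1:-}" in
    --apply) egress_rules "$2" "${3:-REJECT}" | sh -e ;;
    --check)
        if iptables -S OUTPUT | check_order "$2"; then
            echo "order ok"
        else
            echo "owner rule precedes ESTABLISHED rule (or a rule is missing)" >&2
            exit 1
        fi ;;
    --demo)
        printf '%s\n' "$SAMPLE_GOOD" | check_order 1001 && echo "good sample: order ok"
        printf '%s\n' "$SAMPLE_BAD" | check_order 1001 || echo "bad sample: owner rule precedes ESTABLISHED rule"
        ;;
esac
```

After --apply, run --check with the same UID and then, as the restricted user, try an outbound connection (for example curl to an external host) and a connection from another machine to a service the user runs; the first should fail and the second should still be answered.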

Viral Score: 82%
