Linux outbound traffic filtering with: cgroups + tc + iptables

I spent a lot of time trying to implement outbound traffic filtering with: cgroups + tc + iptables on Debian Jessie. Unfortunately there is still something wrong.
The biggest issue is:

  • cgroups install + config
  • net_cls subsystem implementation
  • packets marking with net_cls
  • appropriate (tc) traffic control configuration.
  • iptables OUTBOUND rules are already done.
    Briefly, network access only for marked (with net_cls) packets, next assigned to (created by tc) class and at least iptables rule like:
    -A OUTPUT -m cgroup --cgroup 3 -j ACCEPT

I would appreciate any professional support.
Mark. :frowning:
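
An added example, not part of the original post: the steps listed above hinge on one number, because the value written to net_cls.classid, the tc class handle and the iptables `--cgroup` argument must all agree. The script converts a tc handle to that classid and prints (without executing) the matching commands; the mount point /sys/fs/cgroup/net_cls, the group name `filtered`, the interface `eth0` and the 10mbit rate are assumptions.

```shell
#!/bin/sh
# Added example. Assumptions (not from the post): cgroup v1 net_cls mounted at
# /sys/fs/cgroup/net_cls, group name "filtered", interface eth0, rate 10mbit.

# Convert a tc handle "MAJOR:MINOR" (hex digits, as tc writes them) into the
# 0xAAAABBBB value that net_cls.classid and "iptables -m cgroup" both use.
classid_from_handle() {
    case $1 in
        *[!0-9a-fA-F:]*|*:*:*|:*|*:) return 1 ;;  # bad chars or an empty half
        *:*) ;;
        *) return 1 ;;                             # no colon at all
    esac
    major=$((0x${1%%:*}))
    minor=$((0x${1##*:}))
    [ "$major" -le 65535 ] && [ "$minor" -le 65535 ] || return 1
    printf '0x%04x%04x\n' "$major" "$minor"
}

# Print, without executing, the commands that keep the cgroup classid,
# the tc class and the iptables match consistent for one handle.
plan() {
    handle=$1 dev=$2 group=$3
    cid=$(classid_from_handle "$handle") || return 1
    root=${handle%%:*}:
    cat <<EOF
mkdir -p /sys/fs/cgroup/net_cls/$group
echo $cid > /sys/fs/cgroup/net_cls/$group/net_cls.classid
# add a process: echo <pid> > /sys/fs/cgroup/net_cls/$group/tasks
tc qdisc add dev $dev root handle $root htb
tc class add dev $dev parent $root classid $handle htb rate 10mbit
tc filter add dev $dev parent $root protocol ip prio 10 handle 1: cgroup
iptables -A OUTPUT -m cgroup --cgroup $cid -j ACCEPT
EOF
}

# Dry run for handle 10:1; review the output before running any of it as root.
plan 10:1 eth0 filtered
```

By the same conversion, the `--cgroup 3` in the rule quoted above corresponds to a net_cls.classid of 0x00000003, that is tc handle 0:3.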