I spent a lot of time trying to implement outbound traffic filtering with: cgroups + tc + iptables on Debian Jessie. Unfortunately there is still something wrong. The biggest issue is: - cgroups install + config - net_cls subsystem implementation - packets marking with net_cls - appropriate (tc) traffic control konfiguration. - iptables OUTBOUND rules is already done. Briefly, network access only for marked (with net_cls) packets, next assigned to (created by tc) class and at least iptables roule like: -A OUTPUT -m cgroup --cgroup 3 -j ACCEPT I would appreciate any proffesional support. Mark.