iptables question (was Re: Squid question)
Tim Wunder
tim
Mon May 17 11:57:19 PDT 2004
On Wednesday 24 December 2003 3:09 pm, someone claiming to be David A. Bandel
wrote:
> On Wed, 24 Dec 2003 12:31:44 -0500
> Tim Wunder <tim at thewunders.org> wrote:
>
> Tim, let's back up.
>
Excellent idea...
> What you want:
> all local connections going out on port 80 to go first to squid on 3128
> which will then send it out port 80
>
Yes.
> problems:
> how will iptables (or any other software for that matter) distinguish
> between you going direct on port 80 and squid on port 80?
That's one of the things that's been buggin' me about this whole thing. But
nothing I've found on the 'net seemed to think that was a concern. I guess
there aren't a bunch of people that want to do what I'm trying to do...
> where does local connection originate? is there a difference between
> that and squid's traffic?
>
> once we know the answers to the above, we can write a rule to select
> packets to rewrite.
>
> assuming squid traffic goes out port 80 just like it does from your
> browser (which it does), we have no way to distinguish between the two.
> So we have one problem to overcome. Fortunately, we, squid, and
> iptables are all on the same host. So we need to identify outbound
> traffic on port 80 going out eth0 that isn't squid. How to do?
>
> well, there's a match -m called owner. So we need to see who's running
> squid: root or squid? If squid, life becomes easier. Also, the only
> chain we can use -m owner --uid-owner xxx is the OUTPUT chain.
>
squid runs as squid, not root.
> So:
> iptables -t nat -I OUTPUT -o eth0 -m owner --uid-owner ! 101 -p tcp
> --dport 80 -j REDIRECT --to-ports 3128
> (in the above rule I assumed the UID for squid was 101)
>
> note that this rule is fairly specific and so _must_ be the first rule
> (hence the -I) or very close to it.
>
> also, ensure you don't have any filter rules which might block the
> packets or otherwise terminate chain processing before reaching this
> rule.
>
> Use iptables -t nat -L -nv to look at the count (number of packet
> matches).
>
Thanks, this is making a lot more sense to me. I'll probably not get to try it
'til tomorrow, if then.
Thanks, and have a good Christmas (or whatever).
Tim
--
Fedora Core 1, Kernel 2.4.22-1.2129.nptl, KDE 3.1.4, Xfree86 4.3.0
20:10:01 up 15 days, 22:59, 1 user, load average: 0.37, 0.08, 0.03
It's what you learn after you know it all that counts
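The rule David gives above works because the owner match lets the nat OUTPUT chain tell squid's own outbound port 80 connections apart from everything else on the box, so squid's traffic is not redirected back into squid. As an added example (not from the thread, and not squid's or iptables' own code), the script below resolves squid's UID instead of hard-coding 101, prints the rule it would install, and parses the `iptables -t nat -L -nv` listing to pull out the packet counter for the REDIRECT rule. It assumes squid runs as the system user `squid`, listens on 3128, and that eth0 is the outbound interface; the listing it parses is a constructed sample, not real output. Two caveats a practitioner would want: modern iptables expects the negation before the option (`! --uid-owner 101`; the `--uid-owner ! 101` form in the thread is deprecated), and the OUTPUT chain only sees packets generated on this host, so clients elsewhere on the LAN would need a separate PREROUTING rule.

```shell
#!/bin/sh
# Added example for the owner-match REDIRECT rule discussed in the thread.
# Assumptions (not from the thread): squid runs as user "squid" on port 3128,
# outbound interface is eth0. Nothing is installed unless apply_rule is called.

SQUID_PORT=3128

# Print the rule for a given squid UID and interface. The '!' goes before
# --uid-owner; the intrapositioned form in the thread is deprecated.
build_rule() {
    uid=$1
    iface=$2
    echo "iptables -t nat -I OUTPUT -o $iface -p tcp --dport 80" \
         "-m owner ! --uid-owner $uid -j REDIRECT --to-ports $SQUID_PORT"
}

# Resolve squid's UID at run time instead of assuming it is 101.
squid_uid() {
    id -u squid 2>/dev/null
}

# Install the rule (needs root). Inserted with -I so it sits first in the chain.
apply_rule() {
    iface=${1:-eth0}
    uid=$(squid_uid) || { echo "no 'squid' user on this host" >&2; return 1; }
    iptables -t nat -I OUTPUT -o "$iface" -p tcp --dport 80 \
        -m owner ! --uid-owner "$uid" -j REDIRECT --to-ports "$SQUID_PORT"
}

# Read an `iptables -t nat -L OUTPUT -nv` listing on stdin and print the
# packet counter of the first REDIRECT line matching dpt:80. A counter that
# never moves means the rule is not being reached (blocked or ordered too late).
redirect_pkts() {
    awk '$3 == "REDIRECT" && /dpt:80/ { print $1; exit }'
}

# Constructed sample listing (shape of -nv output; counts are made up).
SAMPLE_LISTING='Chain OUTPUT (policy ACCEPT 12 packets, 800 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 REDIRECT   tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ! owner UID match 101 redir ports 3128'

sample_redirect_pkts() {
    printf '%s\n' "$SAMPLE_LISTING" | redirect_pkts
}

# Stand-alone run: show the rule for UID 101 and the parsed sample counter.
build_rule 101 eth0
sample_redirect_pkts
```

After `apply_rule`, run `iptables -t nat -L OUTPUT -nv | sh -c '. ./thisfile; redirect_pkts'` (or just eyeball the listing) while browsing from the box: the REDIRECT counter should climb with each non-squid connection to port 80, while squid's own upstream fetches leave it untouched.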