iptables question (was Re: Squid question)

Tim Wunder tim
Mon May 17 11:57:22 PDT 2004


On Thursday 25 December 2003 2:30 pm, someone claiming to be David A. Bandel 
wrote:
> On Thu, 25 Dec 2003 11:03:27 -0500
>
> Tim Wunder <tim at thewunders.org> wrote:
> > On Wednesday 24 December 2003 3:09 pm, someone claiming to be David A.
> >
> > Bandel wrote:
> > > On Wed, 24 Dec 2003 12:31:44 -0500
> > > Tim Wunder <tim at thewunders.org> wrote:
> > >
> > > Tim, let's back up.
> >
> > <snip>
> >
> > > well, there's a match -m called owner.  So we need to see who's
> > > running squid:  root or squid?  If squid, life becomes easier.  Also
> > > , the only chain we can use -m owner --uid-owner xxx is the OUTPUT
> > > chain.
> > >
> > > So:
> > > iptables -t nat -I OUTPUT -o eth0 -m owner --uid-owner ! 101 -p tcp
> > > --dport 80 -j REDIRECT --to-ports 3128
> > > (in the above rule I assumed the UIDfor squid was 101)
> >
> > When I tried a variation of this, with --uid-owner !23, I got an
> > error:
> > # iptables -t nat -I OUTPUT -o eth0 -m owner --uid-owner !23 -p tcp
> > # --dport 80
> > -j REDIRECT --to-ports 3128
>
> please notice the difference between mine and yours.  you need a space
> around the !
>
> > iptables -t nat -I OUTPUT -o eth0 -m owner --uid-owner startx -p tcp
> > --dport 80 -j REDIRECT --to-ports 3128
> > iptables v1.2.8: Bad OWNER UID value `startx'
> > Try `iptables -h' or 'iptables --help' for more information.
> >
> > Note that the '!23' I entered was converted to 'startx'. It looks like
> > -m
>
> try again with the space like I showed you.
>
> 
# iptables -t nat -I OUTPUT -o eth0 -m owner --uid-owner ! 23 -p tcp --dport 
80 -j REDIRECT --to-ports 3128
iptables v1.2.8: Bad OWNER UID value `!'
Try `iptables -h' or 'iptables --help' for more information.

You sure that's s'posed to work? The man page seemed to indicate only certain 
MATCH settings allowed the '!', and it seemed to specify which ones. 
Under the MATCH section in the man pages:
<quote>
The  following  are included in the base package, and most of these can be 
preceded by a !  to invert the sense of the match.
</quote>

For instance, 
<quote>
esp
       This module matches the SPIs in ESP header of IPSec packets.
       --espspi [!] spi[:spi]
</quote>
Note the [!]

<quote>
owner
       This  module  attempts  to  match various characteristics of the packet
       creator, for locally-generated packets.  It is only valid in the OUTPUT
       chain,  and  even  this  some packets (such as ICMP ping responses) may
       have no owner, and hence never match.

       --uid-owner userid
              Matches if the packet was created by a process  with  the  given
              effective user id.

       --gid-owner groupid
              Matches  if  the  packet was created by a process with the given
              effective group id.
</quote>
Note the lack of a [!]

I'll gladly admit that I'm wrong, but it doesn't appear that I am.
Regardless, I like specifying the uid's/gid's that get automatically forwarded 
more than specifying which don't, even if it's determined that I can.

Regards,
Tim

-- 
Fedora Core 1, Kernel 2.4.22-1.2129.nptl,  KDE 3.1.4, Xfree86 4.3.0
 18:55:00  up 16 days, 21:44,  0 users,  load average: 0.00, 0.00, 0.00
It's what you learn after you know it all that counts
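An added example, not part of Tim's or David's messages: a POSIX shell script that sets up the redirect with an allowlist of UIDs (the approach Tim says he prefers), which sidesteps the `!` inversion syntax entirely. It assumes squid runs under a numeric UID and listens on 3128, that eth0 is the outbound interface, and that the names IPTABLES, OUT_IF and PROXY_PORT are just this script's own variables.

```shell
#!/bin/sh
# Added example (not from the thread). Builds nat/OUTPUT rules that send
# port-80 traffic of listed UIDs to the local squid, without using "!".
# Assumptions: squid listens on $PROXY_PORT, eth0 is the outbound interface.
# Set IPTABLES=echo to print the rules instead of applying them.

IPTABLES="${IPTABLES:-iptables}"
OUT_IF="${OUT_IF:-eth0}"
PROXY_PORT="${PROXY_PORT:-3128}"

# Usage: proxy_redirect_rules SQUID_UID UID...
# The proxy's own UID is exempted first (RETURN), so squid's upstream fetches
# are never looped back into squid itself; every other listed UID is redirected.
# Rules are appended in order, so the RETURN lands ahead of the REDIRECTs.
proxy_redirect_rules() {
    squid_uid="$1"; shift
    case "$squid_uid" in
        ''|*[!0-9]*) echo "squid uid must be numeric: '$squid_uid'" >&2; return 1 ;;
    esac
    "$IPTABLES" -t nat -A OUTPUT -o "$OUT_IF" -p tcp --dport 80 \
        -m owner --uid-owner "$squid_uid" -j RETURN || return 1
    for uid in "$@"; do
        case "$uid" in
            ''|*[!0-9]*) echo "skipping non-numeric uid: '$uid'" >&2; continue ;;
        esac
        "$IPTABLES" -t nat -A OUTPUT -o "$OUT_IF" -p tcp --dport 80 \
            -m owner --uid-owner "$uid" -j REDIRECT --to-ports "$PROXY_PORT" || return 1
    done
}
```

Processes running as any UID not listed (root included) keep direct port-80 access, which is the intended allowlist behaviour rather than an oversight.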