iptables question (was Re: Squid question)

Matthew Carpenter matt
Mon May 17 11:57:42 PDT 2004


Two things:
 
1) Why are you all spinning your wheels on getting the firewall to work as a client when there doesn't seem much value forcing the firewall through its own proxy?  Test from another machine that goes THROUGH the firewall.  If you want to test from the firewall, make another system the proxy... that doesn't sound like a bad idea anyway...  

2) Does this work yet?  I haven't seen anything on this topic since Christmas a week ago.  I do remember going through this painful troubleshooting a year ago and it had to do with a setting in Squid.  There is a Port setting which either was 80 and needed to be 0 or was 0 and needed to be 80.  I believe it needed to be 80.  I'll look into it if this is still being worked on.

Matt

On Thu, 25 Dec 2003 19:25:18 -0500
Tim Wunder <tim at thewunders.org> wrote:

> On Thursday 25 December 2003 2:30 pm, someone claiming to be David A. Bandel 
> wrote:
> > On Thu, 25 Dec 2003 11:03:27 -0500
> >
> > Tim Wunder <tim at thewunders.org> wrote:
> > > On Wednesday 24 December 2003 3:09 pm, someone claiming to be David A.
> > >
> > > Bandel wrote:
> > > > On Wed, 24 Dec 2003 12:31:44 -0500
> > > > Tim Wunder <tim at thewunders.org> wrote:
> > > >
> > > > Tim, let's back up.
> > >
> > > <snip>
> > >
> > > > well, there's a match -m called owner.  So we need to see who's
> > > > running squid:  root or squid?  If squid, life becomes easier.  Also,
> > > > the only chain we can use -m owner --uid-owner xxx is the OUTPUT
> > > > chain.
> > > >
> > > > So:
> > > > iptables -t nat -I OUTPUT -o eth0 -m owner --uid-owner ! 101 -p tcp
> > > > --dport 80 -j REDIRECT --to-ports 3128
> > > > (in the above rule I assumed the UID for squid was 101)
> > >
> > > When I tried a variation of this, with --uid-owner !23, I got an
> > > error:
> > > # iptables -t nat -I OUTPUT -o eth0 -m owner --uid-owner !23 -p tcp
> > >   --dport 80 -j REDIRECT --to-ports 3128
> >
> > please notice the difference between mine and yours.  you need a space
> > around the !
> >
> > > iptables -t nat -I OUTPUT -o eth0 -m owner --uid-owner startx -p tcp
> > > --dport 80 -j REDIRECT --to-ports 3128
> > > iptables v1.2.8: Bad OWNER UID value `startx'
> > > Try `iptables -h' or 'iptables --help' for more information.
> > >
> > > Note that the '!23' I entered was converted to 'startx'. It looks like
> > > -m
> >
> > try again with the space like I showed you.
> >
> > 
> # iptables -t nat -I OUTPUT -o eth0 -m owner --uid-owner ! 23 -p tcp --dport 
> 80 -j REDIRECT --to-ports 3128
> iptables v1.2.8: Bad OWNER UID value `!'
> Try `iptables -h' or 'iptables --help' for more information.
> 
> You sure that's s'posed to work? The man page seemed to indicate only certain 
> MATCH settings allowed the '!', and it seemed to specify which ones. 
> Under the MATCH section in the man pages:
> <quote>
> The  following  are included in the base package, and most of these can be 
> preceded by a !  to invert the sense of the match.
> </quote>
> 
> For instance, 
> <quote>
> esp
>        This module matches the SPIs in ESP header of IPSec packets.
>        --espspi [!] spi[:spi]
> </quote>
> Note the [!]
> 
> <quote>
> owner
>        This  module  attempts  to  match various characteristics of the packet
>        creator, for locally-generated packets.  It is only valid in the OUTPUT
>        chain,  and  even  this  some packets (such as ICMP ping responses) may
>        have no owner, and hence never match.
> 
>        --uid-owner userid
>               Matches if the packet was created by a process  with  the  given
>               effective user id.
> 
>        --gid-owner groupid
>               Matches  if  the  packet was created by a process with the given
>               effective group id.
> </quote>
> Note the lack of a [!]
> 
> I'll gladly admit that I'm wrong, but it doesn't appear that I am.
> Regardless, I like specifying the uid's/gid's that get automatically forwarded 
> more than specifying which don't, even if it's determined that I can.
> 
> Regards,
> Tim
> 
> -- 
> Fedora Core 1, Kernel 2.4.22-1.2129.nptl,  KDE 3.1.4, Xfree86 4.3.0
>  18:55:00  up 16 days, 21:44,  0 users,  load average: 0.00, 0.00, 0.00
> It's what you learn after you know it all that counts
> 
> _______________________________________________
> Linux-users mailing list
> Linux-users at smtp.linux-sxs.org
> Unsubscribe/Suspend/Etc -> http://smtp.linux-sxs.org/mailman/listinfo/linux-users
> 
> 


-- 
Matthew Carpenter 
matt at eisgr.com                          http://www.eisgr.com/

Enterprise Information Systems
* Network Server Appliances
* Network Consulting, Integration & Support
* Web Integration and E-Business
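Added example, not code from the thread: a dry-run script that builds the two REDIRECT rules the thread is circling around, the PREROUTING rule for clients behind the firewall (the path Matt suggests testing) and the OUTPUT rule for the firewall's own traffic with Squid's uid excluded so Squid's upstream fetches are not redirected back into itself. It assumes the iptables syntax current since 1.4, where the `!` goes before `--uid-owner`, and the interface names, uid and port are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Dry-run by default: IPT=echo prints the
# commands instead of applying them; run as root with IPT=iptables to apply.
IPT="${IPT:-echo}"
LAN_IF="${LAN_IF:-eth1}"          # assumed inside interface (LAN clients)
WAN_IF="${WAN_IF:-eth0}"          # assumed outside interface, as in the thread
SQUID_UID="${SQUID_UID:-squid}"   # user Squid runs as (name or numeric uid)
SQUID_PORT="${SQUID_PORT:-3128}"

# Clients behind the firewall: these packets are forwarded, not locally
# generated, so no owner match is needed (and -m owner would not be valid here).
lan_redirect_rule() {
    printf '%s' "-t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
}

# The firewall's own traffic. Squid's upstream fetches also leave on port 80;
# without the uid exclusion they would be redirected back into Squid and loop.
# -m owner is only valid in the OUTPUT chain. Modern iptables wants the "!"
# before the option; "--uid-owner ! 23" is the old, deprecated placement.
local_redirect_rule() {
    printf '%s' "-t nat -A OUTPUT -o $WAN_IF -p tcp --dport 80 -m owner ! --uid-owner $SQUID_UID -j REDIRECT --to-ports $SQUID_PORT"
}

# Tim's preferred shape: name the users that ARE redirected, one rule per uid,
# instead of the single user that is not.
allowlist_redirect_rule() {
    printf '%s' "-t nat -A OUTPUT -o $WAN_IF -p tcp --dport 80 -m owner --uid-owner $1 -j REDIRECT --to-ports $SQUID_PORT"
}

apply_rules() {
    # Arguments contain no quoting, so plain word splitting is what we want here.
    # shellcheck disable=SC2046
    $IPT $(lan_redirect_rule)
    $IPT $(local_redirect_rule)
}

apply_rules
```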


