iptables --log-uid patch for 2.6

Patrick McHardy kaber at trash.net
Wed Dec 8 18:07:25 CET 2004


John Lange wrote:

>Thanks for response Patrick.
>
>One small note... 
>
>I believe there is a limitation to this approach that makes it tricky
>for blocking outbound packets. I hope you have a work-around.
>
>Specifically, there is no way to allow packets that have no UID set such
>as packets generated directly by the kernel.
>
>The following rules were designed to block users from (accidentally)
>installing spam relays on their web accounts (bad CGI scripts for
>example).
>
>I hope this example makes some sense:
>
>e.g.
>
># first allow root (this allows root, but NOT the kernel!)
>iptables -A OUTPUT -p ALL -m owner --uid-owner 0 -j ACCEPT
>
># allow anyone in the mail group
>iptables -A OUTPUT -p tcp -m owner --gid-owner 102 --dport 25 -j ACCEPT
>
>iptables -A OUTPUT -p tcp --dport 25 -j LOG --log-uid
>iptables -A OUTPUT -p tcp --dport 25 -j DROP
>
>----
>
>Packets generated directly by the kernel (like RST packets) have no UID
>set and therefore get blocked....
>  
>
I have a patch that lets you match "--owner" or "! --owner", this
should be enough. I'm going to merge it some time soon. You can
also use connection tracking, this should catch packets generated
by the kernel.

Regards
Patrick




More information about the netfilter-devel mailing list