-m owner and INPUT chain
mark at renton.name
Fri Jun 1 09:22:02 CEST 2007
On Mon, May 28, 2007 at 04:14:45PM -0300, Fernando R. Durso wrote:
> Have you tried "iptables -D OUTPUT -o lo -m owner --uid-owner 500 -p all
> -j ACCEPT" ????
> I mean specifying the output interface as lo with -o lo ????
Sorry, I mistyped.
Of course you need to use -A.
The problem with the input traff is still not solved. Do you have any
> Ernest Davnis wrote:
> >I've got a problem which I can't solve with the help of Linux. The
> >problem is such:
> >there's a server with many shell accounts, I have to check what
> >incoming/outgoing traffic these users generate.
> >No problem with outgoing traff:
> >iptables -D OUTPUT -m owner --uid-owner 500 -p all -j ACCEPT
> >but it's said in man iptables:
> >This module attempts to match various characteristics of the
> >packet creator, for locally-generated packets.
> >It is only valid in the OUTPUT chain, and even this
> >some packets (such as ICMP ping responses) may have no
> >owner, and hence never match.
> >It means that I can't use owner module for INPUT chain
> >I've also found a patch:
> >but i can't make it work on linux kernel 2.6.20+, as there's a
> >difference in tcp.h, udp.h and etc or anything else that
> >I don't know.
> >Using FreeBSD to solve such a problem is the following:
> ># ipfw add ip from any to me in uid 500
> ># ipfw add ip from me to any out uid 500
> >Can I make smth similar on Linux?
BRGDS. Ernest Davnis.
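For the outgoing half, which the thread agrees the owner match does handle, here is an added shell example (not code from the thread or from netfilter) that emits one per-UID accounting rule with -A and sums the byte counters per UID from an `iptables -nvxL OUTPUT` listing. The listing format (rule lines ending in "owner UID match <uid>") and the sample counters are assumptions constructed for the example; the INPUT side the thread leaves unsolved is not addressed.

```shell
#!/bin/sh
# Added example: per-UID byte accounting for locally generated traffic.
# Assumes the `iptables -nvxL OUTPUT` listing renders the owner match as
# "owner UID match <uid>" at the end of each rule line.

# Print the commands that append one accounting rule per UID (-A, as
# corrected in the thread, not -D). Run the printed commands as root.
uid_accounting_rules() {
    for uid in "$@"; do
        printf 'iptables -A OUTPUT -m owner --uid-owner %s -j ACCEPT\n' "$uid"
    done
}

# Read an `iptables -nvxL OUTPUT` listing on stdin and print "uid bytes"
# per UID, summing when a UID appears in more than one rule.
uid_bytes() {
    awk '/UID match/ { b[$NF] += $2 } END { for (u in b) print u, b[u] }' | sort -n
}

# Constructed sample listing (not real counters): UID 500 has two rules.
SAMPLE_LISTING='Chain OUTPUT (policy ACCEPT 1234 packets, 567890 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120      45600 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 500
      30       7200 ACCEPT     all  --  *      !lo     0.0.0.0/0            0.0.0.0/0            owner UID match 501
      10       1000 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            owner UID match 500'

# Total bytes for one UID from the sample listing; empty if the UID has no rule.
bytes_for_uid() {
    printf '%s\n' "$SAMPLE_LISTING" | uid_bytes | awk -v u="$1" '$1 == u { print $2 }'
}

uid_accounting_rules 500 501
printf '%s\n' "$SAMPLE_LISTING" | uid_bytes
```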