Hi,
I'm trying to set up a shorewall firewall on a new NethServer (based on CentOS) and having an issue with routing packets based on a user. Eventually, after running out of all other ideas, I finally ran an iptables capture. Once I did this, it was obvious why my rules weren't working. The UID field in all the traces shows as 0:
Code:
Jul 2 13:05:23 NethServer kernel: TRACE: raw:OUTPUT:policy:2 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507
Jul 2 13:05:23 NethServer kernel: TRACE: mangle:OUTPUT:rule:1 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507
Jul 2 13:05:23 NethServer kernel: TRACE: mangle:OUTPUT:rule:2 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507
Jul 2 13:05:23 NethServer kernel: TRACE: mangle:tcout:return:10 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507
Jul 2 13:05:23 NethServer kernel: TRACE: mangle:OUTPUT:policy:3 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507
Jul 2 13:05:23 NethServer kernel: TRACE: nat:OUTPUT:policy:1 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507
Jul 2 13:05:23 NethServer kernel: TRACE: filter:OUTPUT:rule:2 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507
Jul 2 13:05:23 NethServer kernel: TRACE: filter:eth0_out:rule:3 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507
Jul 2 13:05:23 NethServer kernel: TRACE: filter:fw2net:return:6 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507
Jul 2 13:05:23 NethServer kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507
Jul 2 13:05:23 NethServer kernel: TRACE: mangle:tcpost:return:1 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507
Jul 2 13:05:23 NethServer kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507
Jul 2 13:05:23 NethServer kernel: TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507
Jul 2 13:05:23 NethServer kernel: TRACE: nat:eth0_masq:rule:1 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507
This was a simple "ping google.com" from a regular user that gives up this for id:
Code:
[plex@NetServer ~]$ id
uid=(506)plex gid=(507)plex groups=507(plex),502(locals) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Any ideas why UID is zero or how to fix this?
Cheers.
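A small parser for TRACE lines in the format of the capture above, added here as an example and not part of the original post. It extracts each hop (table:chain:verdict:rule) together with the UID/GID the owner match saw, and lists the hops where those differ from the credentials the shell reports (506/507 in the `id` output). The two sample lines are constructed from the post's capture; in a real run, feed the TRACE lines from the kernel log instead. One caveat when reading such traces: the owner match reports the credentials of the process that created the socket, so a setuid-root program shows UID=0 regardless of which user launched it.

```python
import re

# Constructed sample in the format of the capture in the post:
# the first and last hop of the same ICMP echo request.
SAMPLE_TRACE = """\
Jul 2 13:05:23 NethServer kernel: TRACE: raw:OUTPUT:policy:2 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507
Jul 2 13:05:23 NethServer kernel: TRACE: nat:eth0_masq:rule:1 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507
"""

# table:chain:verdict-kind:rule-number, followed by the packet's key=value fields
TRACE_RE = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>\w+):(?P<kind>policy|rule|return):(?P<num>\d+) (?P<rest>.*)$"
)


def parse_trace_line(line):
    """Return a dict for one TRACE line, or None if the line is not a trace."""
    m = TRACE_RE.search(line)
    if m is None:
        return None
    fields = {}
    for token in m.group("rest").split():
        key, eq, value = token.partition("=")
        if not eq:  # bare flags such as DF
            fields[key] = True
            continue
        # "ID=" occurs twice: the IP header id, then the ICMP echo id after PROTO
        if key == "ID" and "PROTO" in fields:
            key = "ICMP_ID"
        fields[key] = value
    return {
        "hop": "%s:%s:%s:%s" % (m.group("table"), m.group("chain"), m.group("kind"), m.group("num")),
        "uid": int(fields["UID"]) if "UID" in fields else None,  # absent for forwarded packets
        "gid": int(fields["GID"]) if "GID" in fields else None,
        "fields": fields,
    }


def owner_mismatches(log_text, expected_uid, expected_gid):
    """Hops where the owner credentials the kernel saw differ from the expected ones."""
    bad = []
    for line in log_text.splitlines():
        rec = parse_trace_line(line)
        if rec is None or rec["uid"] is None:
            continue
        if rec["uid"] != expected_uid or rec["gid"] != expected_gid:
            bad.append((rec["hop"], rec["uid"], rec["gid"]))
    return bad


if __name__ == "__main__":
    for hop, uid, gid in owner_mismatches(SAMPLE_TRACE, 506, 507):
        print("%-28s UID=%d GID=%d (expected 506/507)" % (hop, uid, gid))
```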