[SOLVED] iptables not setting UID for packet marking

MQMan · 07-02-2015, 07:16 PM

Hi,

I'm trying to set up a shorewall firewall on a new NethServer (based on CentOS) and having an issue with routing packets based on a user. Eventually, after running out of all other ideas I finally ran an iptables capture. Once I did this, it was obvious why my rules weren't working. The UID field in all the traces show as 0:

Code:

Jul  2 13:05:23 NethServer kernel: TRACE: raw:OUTPUT:policy:2 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507 
Jul  2 13:05:23 NethServer kernel: TRACE: mangle:OUTPUT:rule:1 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507 
Jul  2 13:05:23 NethServer kernel: TRACE: mangle:OUTPUT:rule:2 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507 
Jul  2 13:05:23 NethServer kernel: TRACE: mangle:tcout:return:10 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507 
Jul  2 13:05:23 NethServer kernel: TRACE: mangle:OUTPUT:policy:3 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507 
Jul  2 13:05:23 NethServer kernel: TRACE: nat:OUTPUT:policy:1 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507 
Jul  2 13:05:23 NethServer kernel: TRACE: filter:OUTPUT:rule:2 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507 
Jul  2 13:05:23 NethServer kernel: TRACE: filter:eth0_out:rule:3 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507 
Jul  2 13:05:23 NethServer kernel: TRACE: filter:fw2net:return:6 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507
Jul  2 13:05:23 NethServer kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507 
Jul  2 13:05:23 NethServer kernel: TRACE: mangle:tcpost:return:1 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507 
Jul  2 13:05:23 NethServer kernel: TRACE: mangle:POSTROUTING:policy:2 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507 
Jul  2 13:05:23 NethServer kernel: TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507 
Jul  2 13:05:23 NethServer kernel: TRACE: nat:eth0_masq:rule:1 IN= OUT=eth0 SRC=192.168.0.12 DST=173.194.72.113 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=15977 SEQ=1 UID=0 GID=507

This was a simple "ping google.com" from a regular user that gives up this for id:

Code:

[plex@NetServer ~]$ id
uid=(506)plex gid=(507)plex groups=507(plex),502(locals) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Any ideas why UID is zero or how to fix this.

Cheers.

MQMan · 07-02-2015, 08:10 PM

Ha. Let me answer my own question here. I was running ping as the test, which I now find out is flagged as "setuid", so it effectively runs as root, hence UID=0. Guess I need to find another program to test with.

Cheers.