iptables redirect before filter
Hi all,
I'd like to set up an iptables configuration as follows:
- Allow all traffic by default
- For one user account (anonymous), block all traffic except:
  - All traffic on lo
  - All DNS requests, which should be redirected to 127.0.0.1

Here's what I tried:

# Redirect
iptables -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53

# Filter
iptables -P OUTPUT ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner anonymous -j DROP

The problem with that setup is that DNS requests from uid anonymous are dropped by the filter before they are redirected to lo. Adding the following command makes it work:

iptables -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j ACCEPT

But this doesn't feel very clean. Is there a better way to achieve my aims? Especially, could I get the redirect to happen _before_ the filter examines the connection? Thanks very much!
No, I think that's the way it works and you're doing everything correctly.
http://www.linuxhomenetworking.com/w...t_Flow_Diagram
You should use the "nat" table to do the redirect, and remember DNS over TCP:
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner anonymous --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner anonymous --dport 53 -j REDIRECT --to-ports 53
I was indeed using the nat table for the redirect - I accidentally left out the -t nat.
It's odd that the diagram posted by bakdong seems to indicate that packets hit the nat table before the filter table, while my packets were dropped by the filter table before being redirected. Thanks for your help!
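The complete ruleset the thread converges on, as an added example that is not from any of the posters: REDIRECT for both UDP and TCP port 53 in the nat table's OUTPUT chain (which locally generated packets traverse before the filter OUTPUT chain, so the uid-based DROP never sees the original destination), followed by the filter rules. The user name, port and DRY_RUN switch are assumptions for illustration; the check function is a pre-load sanity check, not something iptables itself provides.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: ANON_USER,
# LOCAL_DNS_PORT and DRY_RUN are illustration-only variables.

ANON_USER="${ANON_USER:-anonymous}"
LOCAL_DNS_PORT="${LOCAL_DNS_PORT:-53}"

# Print the rules in the order they must be loaded. The REDIRECT rules
# go in the nat table's OUTPUT chain; locally generated packets hit that
# chain before the filter table's OUTPUT chain, so the destination is
# already rewritten to 127.0.0.1 when the uid DROP rule is consulted.
anon_dns_rules() {
    cat <<EOF
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner $ANON_USER --dport 53 -j REDIRECT --to-ports $LOCAL_DNS_PORT
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner $ANON_USER --dport 53 -j REDIRECT --to-ports $LOCAL_DNS_PORT
iptables -P OUTPUT ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $ANON_USER -j DROP
EOF
}

# Sanity checks to run over the generated rules before loading them:
# every REDIRECT carries -t nat (the mistake in the original post), DNS over
# TCP is covered as well as UDP, and the catch-all DROP for the uid is last.
check_rules() {
    rules=$(anon_dns_rules)
    [ "$(printf '%s\n' "$rules" | grep -c REDIRECT)" -eq \
      "$(printf '%s\n' "$rules" | grep -- '-t nat' | grep -c REDIRECT)" ] || return 1
    printf '%s\n' "$rules" | grep -q -- '-p tcp .*--dport 53' || return 1
    printf '%s\n' "$rules" | grep -q -- '-p udp .*--dport 53' || return 1
    [ "$(printf '%s\n' "$rules" | tail -n 1 \
        | grep -c -- "--uid-owner $ANON_USER -j DROP")" -eq 1 ] || return 1
}

# Apply the rules (needs root). With DRY_RUN=1 the commands are only printed.
apply_rules() {
    check_rules || { echo "rule check failed" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        anon_dns_rules
    else
        anon_dns_rules | sh -e
    fi
}
```

After loading, `iptables -t nat -L OUTPUT -n -v` and `iptables -L OUTPUT -n -v` show the per-rule packet counters, which is the quickest way to confirm that DNS from the restricted uid is counted by the REDIRECT rules rather than by the DROP rule.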