iptables redirect before filter
Hi all,
I'd like to set up an iptables configuration as follows:
- Allow all traffic by default
- For one user account (anonymous), block all traffic except:
  - All traffic on lo
  - All DNS requests, which should be redirected to 127.0.0.1
Here's what I tried:
# Redirect (REDIRECT is a nat-table target, so the rule must be added with -t nat)
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53
# Filter
iptables -P OUTPUT ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner anonymous -j DROP
The problem with that setup is that DNS requests from uid anonymous are dropped by the filter before they are redirected to lo. Adding the following command makes it work:
iptables -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j ACCEPT
But this doesn't feel very clean. Is there a better way to achieve my aims? Especially, could I get the redirect to happen _before_ the filter examines the connection?
Thanks very much!
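The layout described in the question, as an added example that is not part of the original post: the REDIRECT goes in the nat table (whose OUTPUT chain iptables evaluates before the filter table's OUTPUT chain), and the filter chain accepts the rewritten packets by their new destination, 127.0.0.1, rather than by interface. The account name "anonymous", a resolver on 127.0.0.1:53 and covering TCP as well as UDP DNS are assumptions; the script only prints the ruleset unless invoked with "apply" as root.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset that puts the REDIRECT in the
# nat table and accepts the redirected DNS packets in filter OUTPUT by their
# rewritten destination. Assumed (not from the post): user "anonymous",
# local resolver on 127.0.0.1:53, TCP and UDP DNS both redirected.

SANDBOX_USER="${SANDBOX_USER:-anonymous}"

# Print the ruleset on stdout. iptables-restore loads both tables in one
# transaction, so the DROP never becomes active before the REDIRECT exists.
ruleset() {
    cat <<EOF
*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner ${SANDBOX_USER} -p udp --dport 53 -j REDIRECT --to-ports 53
-A OUTPUT -m owner --uid-owner ${SANDBOX_USER} -p tcp --dport 53 -j REDIRECT --to-ports 53
COMMIT
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner ${SANDBOX_USER} -d 127.0.0.1 -p udp --dport 53 -j ACCEPT
-A OUTPUT -m owner --uid-owner ${SANDBOX_USER} -d 127.0.0.1 -p tcp --dport 53 -j ACCEPT
-A OUTPUT -m owner --uid-owner ${SANDBOX_USER} -j DROP
COMMIT
EOF
}

# Self-check before applying: the nat table must come before the filter table
# and the last filter rule must be the DROP. Returns 0 when both hold.
check_ruleset() {
    out=$(ruleset)
    nat_line=$(printf '%s\n' "$out" | grep -n '^\*nat$' | cut -d: -f1)
    filter_line=$(printf '%s\n' "$out" | grep -n '^\*filter$' | cut -d: -f1)
    [ -n "$nat_line" ] && [ -n "$filter_line" ] && [ "$nat_line" -lt "$filter_line" ] || return 1
    printf '%s\n' "$out" | grep -v '^COMMIT$' | tail -n 1 | grep -q -- '-j DROP$'
}

# "sh script.sh apply" (as root) loads the rules; --noflush keeps rules that
# are already present, so applying twice appends duplicates.
if [ "${1:-}" = "apply" ]; then
    check_ruleset || { echo "ruleset failed self-check" >&2; exit 1; }
    ruleset | iptables-restore --noflush
fi
```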