LinuxQuestions.org
04-09-2010, 06:44 AM   #1
barterdom (LQ Newbie)
iptables redirect before filter

Hi all,

I'd like to set up an iptables configuration as follows:

- Allow all traffic by default
- For one user account (anonymous), block all traffic except:
  - All traffic on lo
  - All DNS requests, which should be redirected to 127.0.0.1

Here's what I tried:

# Redirect
iptables -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53

# Filter
iptables -P OUTPUT ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner anonymous -j DROP

The problem with that setup is that DNS requests from uid anonymous are dropped by the filter before they are redirected to lo. Adding the following command makes it work:

iptables -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j ACCEPT

But this doesn't feel very clean. Is there a better way to achieve my aims? Especially, could I get the redirect to happen _before_ the filter examines the connection?

Thanks very much!
04-09-2010, 11:28 PM   #2
bakdong (Member)
No, I think that's the way it works and you're doing everything correctly.

http://www.linuxhomenetworking.com/w...t_Flow_Diagram
04-10-2010, 06:59 AM   #3
TimothyEBaldwin (Member)
You should use the "nat" table to do the redirect, and remember DNS over TCP:
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner anonymous --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner anonymous --dport 53 -j REDIRECT --to-ports 53
04-11-2010, 08:49 AM   #4
barterdom (LQ Newbie, original poster)
I was indeed using the nat table for the redirect - I accidentally left out the -t nat.

It's odd that the diagram posted by bakdong seems to indicate that packets hit the nat table before the filter table, while my packets were dropped by the filter table before being redirected.

Thanks for your help!
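As an added illustration of the ordering the replies refer to (for locally generated packets nat OUTPUT runs before filter OUTPUT, and the packet is re-routed after a REDIRECT so it leaves via lo, where "-o lo -j ACCEPT" matches), here is a small Python model of the thread's rule set. It is my own code, not anything posted in the thread; the uid, addresses and interface names are constructed, and `redirect_loaded=False` models a redirect that is not in effect (iptables rejects the REDIRECT target outside the nat table).

```python
# Model of the netfilter hooks a locally generated packet traverses, using the
# rule set from the thread. Not real iptables: it only encodes the ordering
# nat OUTPUT -> re-route -> filter OUTPUT, which is why a REDIRECT placed in the
# nat table is visible to "-o lo -j ACCEPT" in the filter table.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    uid: str        # owner of the local socket (-m owner --uid-owner)
    proto: str      # "udp" or "tcp"
    dst: str        # constructed sample destination address
    dport: int
    oif: str = ""   # output interface, filled in by route()

def route(pkt: Packet) -> Packet:
    """Routing decision; re-run after nat OUTPUT because DNAT may change dst."""
    return replace(pkt, oif="lo" if pkt.dst.startswith("127.") else "eth0")

def nat_output(pkt: Packet, redirect_loaded: bool = True) -> Packet:
    # iptables -t nat -A OUTPUT -p udp -m owner --uid-owner anonymous --dport 53 -j REDIRECT --to-ports 53
    # iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner anonymous --dport 53 -j REDIRECT --to-ports 53
    # For locally generated packets REDIRECT maps the destination to 127.0.0.1.
    if (redirect_loaded and pkt.uid == "anonymous"
            and pkt.proto in ("udp", "tcp") and pkt.dport == 53):
        pkt = replace(pkt, dst="127.0.0.1", dport=53)
    return route(pkt)  # kernel re-routes after nat OUTPUT, so oif becomes lo

def filter_output(pkt: Packet) -> str:
    # iptables -P OUTPUT ACCEPT
    # iptables -A OUTPUT -o lo -j ACCEPT
    # iptables -A OUTPUT -m owner --uid-owner anonymous -j DROP
    if pkt.oif == "lo":
        return "ACCEPT"
    if pkt.uid == "anonymous":
        return "DROP"
    return "ACCEPT"  # chain policy

def verdict(pkt: Packet, redirect_loaded: bool = True) -> str:
    """redirect_loaded=False reproduces the symptom from post #1: with no nat
    redirect in effect the DNS packet still leaves via eth0 and the DROP fires."""
    return filter_output(nat_output(route(pkt), redirect_loaded))

if __name__ == "__main__":
    for p in (Packet("anonymous", "udp", "192.0.2.53", 53),
              Packet("anonymous", "tcp", "192.0.2.53", 53),
              Packet("anonymous", "tcp", "198.51.100.80", 80),
              Packet("alice", "tcp", "198.51.100.80", 80)):
        print(p.uid, p.proto, p.dst, p.dport, "->", verdict(p),
              "/ without nat redirect:", verdict(p, False))
```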