iptables redirect before filter
I'd like to set up an iptables configuration as follows:
- Allow all traffic by default
- For one user account (anonymous), block all traffic except:
  - All traffic on lo
  - All DNS requests, which should be redirected to 127.0.0.1
Here's what I tried:
# REDIRECT is only valid in the nat table, so this rule needs -t nat
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53
iptables -P OUTPUT ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner anonymous -j DROP
The problem with that setup is that DNS requests from uid anonymous are dropped by the filter before they are redirected to lo. Adding the following command makes it work:
iptables -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j ACCEPT
But this doesn't feel very clean. Is there a better way to achieve my aims? Especially, could I get the redirect to happen _before_ the filter examines the connection?
Thanks very much!
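As an added example (not part of the original question), the script below is one complete ruleset for the stated aims. It keeps the REDIRECT in the nat table, where the target lives and where, for locally generated packets, it is evaluated before filter/OUTPUT, and it replaces the port-only ACCEPT with a rule that matches the rewritten destination 127.0.0.1. It assumes a resolver is already listening on 127.0.0.1:53 and that the account is literally named anonymous; the `ipt` wrapper, `APPLY` and `ANON_USER` are conveniences of this example, not iptables features.

```shell
#!/bin/sh
# Added example, not code from the original post: an iptables ruleset for the
# post's aims, with the REDIRECT placed in the nat table where it belongs.
# Assumptions (not stated on the page): a resolver already listens on
# 127.0.0.1:53, and the account is literally named "anonymous".
# Prints the rules by default; APPLY=1 loads them with iptables (needs root).

ANON_USER="${ANON_USER:-anonymous}"

# Wrapper: run iptables when APPLY=1, otherwise print the rule that would be loaded.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf '%s\n' "$*"
    fi
}

anon_rules() {
    # The REDIRECT target only exists in the nat table. For locally generated
    # packets nat/OUTPUT is traversed before filter/OUTPUT, so by the time the
    # filter rules below run, the destination has already been rewritten to
    # 127.0.0.1. TCP is covered too, since resolvers fall back to it for
    # answers that do not fit in a UDP datagram.
    ipt -t nat -A OUTPUT -m owner --uid-owner "$ANON_USER" -p udp --dport 53 -j REDIRECT --to-ports 53
    ipt -t nat -A OUTPUT -m owner --uid-owner "$ANON_USER" -p tcp --dport 53 -j REDIRECT --to-ports 53

    ipt -P OUTPUT ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # As the post observes, "-o lo" does not catch the redirected packet in
    # filter/OUTPUT, but its rewritten destination does. Matching on
    # -d 127.0.0.1 is tighter than a port-only ACCEPT: port-53 traffic to any
    # other address from this uid still falls through to the DROP below.
    ipt -A OUTPUT -m owner --uid-owner "$ANON_USER" -d 127.0.0.1 -p udp --dport 53 -j ACCEPT
    ipt -A OUTPUT -m owner --uid-owner "$ANON_USER" -d 127.0.0.1 -p tcp --dport 53 -j ACCEPT
    # Everything else from this uid is dropped. This must stay the last rule.
    ipt -A OUTPUT -m owner --uid-owner "$ANON_USER" -j DROP
}

anon_rules
```

Run it as `sh anon-dns.sh` to see the rules and `sudo APPLY=1 sh anon-dns.sh` to load them. Two caveats: the rules are appended with `-A`, so loading twice duplicates them (flush the OUTPUT chains of both tables first, or use `-C` to check before adding), and these are IPv4 rules only; without matching ip6tables rules the anonymous account can still resolve and send over IPv6.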