Old 04-09-2010, 06:44 AM   #1
LQ Newbie
Registered: Apr 2010
Posts: 3

Rep: Reputation: 0
iptables redirect before filter

Hi all,

I'd like to set up an iptables configuration as follows:

- Allow all traffic by default
- For one user account (anonymous), block all traffic except:
  - All traffic on lo
  - All DNS requests, which should be redirected to

Here's what I tried:

# Redirect
iptables -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53

# Filter
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner anonymous -j DROP

The problem with that setup is that DNS requests from uid anonymous are dropped by the filter before they are redirected to lo. Adding the following command makes it work:

iptables -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j ACCEPT

But this doesn't feel very clean. Is there a better way to achieve my aims? Especially, could I get the redirect to happen _before_ the filter examines the connection?

Thanks very much!
Old 04-09-2010, 11:28 PM   #2
Registered: Apr 2009
Posts: 214

Rep: Reputation: 44
No, I think that's the way it works and you're doing everything correctly.
Old 04-10-2010, 06:59 AM   #3
Registered: Mar 2009
Posts: 249

Rep: Reputation: 27
You should use the "nat" table to do the redirect, and remember DNS over TCP:
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner anonymous --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner anonymous --dport 53 -j REDIRECT --to-ports 53
Old 04-11-2010, 08:49 AM   #4
LQ Newbie
Registered: Apr 2010
Posts: 3

Original Poster
Rep: Reputation: 0
I was indeed using the nat table for the redirect - I accidentally left out the -t nat.

It's odd that the diagram posted by bakdong seems to indicate that packets hit the nat table before the filter table, while my packets were dropped by the filter table before being redirected.

Thanks for your help!
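The rule set the thread converges on (the REDIRECT in the nat table, both UDP and TCP as reply #3 points out, lo accepted before the per-uid DROP in filter), rendered in iptables-restore format so it loads atomically. This is an added example, not code from the thread; it assumes the restricted account is named "anonymous" and that a local resolver listens on port 53.

```shell
#!/bin/sh
# Added example (not from the thread): render the policy in iptables-restore
# format so the nat REDIRECT and the filter rules are loaded together, each in
# its own table. Assumptions: restricted uid "anonymous", local resolver on :53.
RESTRICTED_USER="${RESTRICTED_USER:-anonymous}"
DNS_PORT="${DNS_PORT:-53}"

# Locally generated packets traverse nat OUTPUT before filter OUTPUT, and after
# REDIRECT the kernel re-routes them over lo, so "-o lo -j ACCEPT" in filter
# OUTPUT matches the redirected DNS query. No extra ACCEPT for port 53 is needed.
render_policy() {
    cat <<EOF
*nat
:OUTPUT ACCEPT [0:0]
# UDP and TCP: DNS falls back to TCP for large answers
-A OUTPUT -p udp -m owner --uid-owner ${RESTRICTED_USER} --dport ${DNS_PORT} -j REDIRECT --to-ports ${DNS_PORT}
-A OUTPUT -p tcp -m owner --uid-owner ${RESTRICTED_USER} --dport ${DNS_PORT} -j REDIRECT --to-ports ${DNS_PORT}
COMMIT
*filter
:OUTPUT ACCEPT [0:0]
# Default stays ACCEPT; only the restricted uid is fenced in
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner ${RESTRICTED_USER} -j DROP
COMMIT
EOF
}

# Sanity-check the rendered text before applying it: REDIRECT must live in
# *nat only, both DNS transports must be covered, and the lo ACCEPT must come
# before the uid DROP in *filter (rule order is match order).
check_policy() {
    policy=$(render_policy)
    nat_section=$(printf '%s\n' "$policy" | sed -n '/^\*nat/,/^COMMIT/p')
    filter_section=$(printf '%s\n' "$policy" | sed -n '/^\*filter/,/^COMMIT/p')
    [ "$(printf '%s\n' "$nat_section" | grep -c -- '-j REDIRECT')" -eq 2 ] || return 1
    printf '%s\n' "$filter_section" | grep -q -- '-j REDIRECT' && return 1
    lo_line=$(printf '%s\n' "$filter_section" | grep -n -- '-o lo -j ACCEPT' | cut -d: -f1)
    drop_line=$(printf '%s\n' "$filter_section" | grep -n -- '-j DROP' | cut -d: -f1)
    [ -n "$lo_line" ] && [ -n "$drop_line" ] && [ "$lo_line" -lt "$drop_line" ]
}

# Apply as root with:  check_policy && render_policy | iptables-restore
# Note: without --noflush, iptables-restore replaces all existing rules in the
# nat and filter tables, so merge any other rules into this file first.
```

Verify afterwards with `iptables -t nat -L OUTPUT -v -n` and `iptables -L OUTPUT -v -n`: a DNS lookup run as the restricted user should increment the REDIRECT counter and the lo ACCEPT counter, not the DROP counter.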