RE: per user IP addresses

Hi Joel,

Your LAN construction is exactly what I want, but I want that 1 of the 4
IPs can only bind to the 4th IP, but when I try any of your rules I get
errors :(

(And yes, I changed the real IP to 123.123.123.123 in here ;-))

jimbo:/var/www# iptables -A OUTPUT -p tcp -s 123.123.123.123/32 -m owner ! --uid-owner 1000 -j REJECT --reject-with tcp-reset
iptables: Invalid argument

jimbo:/var/www# iptables -A OUTPUT -p tcp --dport 6667 -m owner ! --uid-owner 1000 -j REJECT --reject-with tcp-reset
iptables: Invalid argument

jimbo:/var/www# iptables -A OUTPUT -p tcp --dport 194 -m owner ! --uid-owner \ 1235 -j REJECT --reject-with tcp-reset
iptables: Invalid argument

So what could be wrong?

Thanks,

John

-----Original message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On behalf of Joel Newkirk
Sent: Tuesday, 6 May 2003 1:46
To: john@xxxxxxxxxxxx
CC: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: per user IP addresses

On Sun, 2003-05-04 at 14:38, John Guntenaar wrote:

I missed the start of this thread, so I backed up and reread it. :^)

> Hello,
> 
> I have a linux machine with 4 IP addresses, I have a couple of friends
> on that machine and I don't allow them to use IRC, so I simply blocked
> the IRC ports, but I want to use IRC from the 4th IP without the other
> users being able to use it. I think I can reach that goal by using the
> owner match facility of iptables, though I can't find any good
> examples with google, is it correct and can somebody post an example?
> 
> Thanks in advance,
> 
> John

You need something constructed like this:

iptables -A OUTPUT -p tcp --dport 194 -m owner ! --uid-owner 1235 -j REJECT --reject-with tcp-reset

or:

iptables -A OUTPUT -p tcp --dport 194 -m owner --uid-owner 1235 -j ACCEPT

I use a similar rule to prevent any user except root from being able to
connect to my LAN computers from my server.  You can add an additional
match to either rule to match outgoing interface or source IP if needed.
Is it really necessary to restrict IRC to only that single IP?
 
j
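As an added example (not from either poster), here is Joel's rule set with the source-IP match he mentions, written as a small script: the IRC ports are open only to one uid and only when the packet leaves from one of the host's addresses, and every other connection to those ports is reset. The uid, the address and the port list are constructed placeholders.

```shell
#!/bin/sh
# Added example: restrict IRC in the OUTPUT chain to one user on one address.
# Constructed placeholder values, not anyone's real uid or address.
IRC_UID=1235                  # the only user allowed to use IRC
IRC_IP=123.123.123.123        # the one address IRC may be sourced from
IRC_PORTS="194,6667"          # ircd and the common IRC port, matched together

# Emit the rules as text first, so they can be reviewed before being applied.
# Order matters: the ACCEPT must come before the REJECT, and both must sit
# ahead of any earlier blanket block of the IRC ports (flush it, or use -I).
irc_rules() {
    uid="$1"; ip="$2"; ports="$3"
    cat <<EOF
# the IRC user, and only when the packet is sourced from the IRC address
-A OUTPUT -p tcp -m multiport --dports $ports -s $ip -m owner --uid-owner $uid -j ACCEPT
# anyone else, or the IRC user from another address: reset the connection
-A OUTPUT -p tcp -m multiport --dports $ports -j REJECT --reject-with tcp-reset
EOF
}

# The owner match is only valid in OUTPUT/POSTROUTING and needs both the
# iptables extension and kernel support (ipt_owner on 2.4, xt_owner later).
# This checks the userspace side; an "Invalid argument" when a rule is
# inserted usually means the kernel side lacks the match or target module.
check_owner_match() {
    iptables -m owner --help >/dev/null 2>&1
}

# Apply the emitted rules with iptables (requires root). Stops at the first
# rule iptables refuses; the pipeline's status is the loop subshell's status.
apply_irc_rules() {
    irc_rules "$@" | grep -v '^#' | while read -r rule; do
        # word splitting of $rule into separate arguments is intended here
        iptables $rule || exit 1
    done
}

# Stand-alone run: only print the rules; applying them is a deliberate step.
irc_rules "$IRC_UID" "$IRC_IP" "$IRC_PORTS"
```

Apply as root with `check_owner_match && apply_irc_rules "$IRC_UID" "$IRC_IP" "$IRC_PORTS"`; `iptables -L OUTPUT -v -n` then shows the two rules and their packet counters, which is the quickest way to confirm the ACCEPT is being hit for the IRC user and the REJECT for everyone else.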