Re: Allow Proxy connection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I use similar rules except:

<snip>

> iptables -A OUTPUT -o eth0 -p tcp --dport 80:90 -m state --state
> NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT  -i eth0 -p tcp --sport 80:90 -m state --state
> ESTABLISHED     -j ACCEPT
> 
Then of course there's also port 8080 for tomcat and 443 for SSL with
similar rules.

Since you are using state matching, only established connections are
allowed back in.

> But this works only if the webserver in the internet is running on port
> 80. So i tried to use the -m owner --uid-owner option to match all
> packets from the proxy user. The i had to accept all ESTABLISHED packets
> in the INPUT chain, because the owner match works only in OUTPUT chain.
> 
> What i did now is the following:
> 
> iptables -A OUTPUT -o eth0 -p tcp -m owner --uid-owner proxy -m state
> --state NEW -j CONNARK --set-mark 1
> iptables -A OUTPUT -o eth0 -m connmark --mark 1 -j ACCEPT
> iptables -A INPUT  -i eth0 -m connmark --mark 1 -j ACCEPT
> 
> This seems to work, but what i wann know now:
>  - Is this solution secure?
>  - Anybody got a better solution?
> 
> Regards
> Sebastian.
-- 
--
Raymond Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--

Attachment: signature.asc
Description: This is a digitally signed message part


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux