I use similar rules except:

<snip>

> iptables -A OUTPUT -o eth0 -p tcp --dport 80:90 -m state --state
> NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --sport 80:90 -m state --state
> ESTABLISHED -j ACCEPT
> Then of course there's also port 8080 for tomcat and 443 for SSL with
> similar rules.

Since you are using state matching, only established connections are
allowed back in.

> But this works only if the webserver in the internet is running on port
> 80. So I tried to use the -m owner --uid-owner option to match all
> packets from the proxy user. Then I had to accept all ESTABLISHED packets
> in the INPUT chain, because the owner match works only in the OUTPUT chain.
>
> What I did now is the following:
>
> iptables -A OUTPUT -o eth0 -p tcp -m owner --uid-owner proxy -m state
> --state NEW -j CONNMARK --set-mark 1
> iptables -A OUTPUT -o eth0 -m connmark --mark 1 -j ACCEPT
> iptables -A INPUT -i eth0 -m connmark --mark 1 -j ACCEPT
>
> This seems to work, but what I want to know now is:
> - Is this solution secure?
> - Anybody got a better solution?
>
> Regards
> Sebastian.

--
Raymond Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
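An added example, not code from either poster: Sebastian's CONNMARK approach written out as a complete default-deny egress script, with the state match kept on the INPUT side and rate-limited logging of whatever gets dropped. It assumes interface eth0, a system user named proxy and mark value 1 as in the thread, and only prints the rules unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the thread. Only the "proxy" user may open
# outbound TCP connections on eth0; the connection is tagged with CONNMARK
# and replies are let back in by that tag. Assumptions: interface eth0,
# system user "proxy", mark value 1. Rules are printed for review unless
# APPLY=1 is set in the environment.

IFACE="${IFACE:-eth0}"
PROXY_USER="${PROXY_USER:-proxy}"
MARK="${MARK:-1}"

# Print or execute an iptables command; printing needs neither root nor the
# iptables binary, so the ruleset can be reviewed before it is applied.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

egress_rules() {
    # Default deny in both directions; every ACCEPT below is an explicit exception.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    # Local services (for example tomcat on 8080) still need loopback.
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Only the proxy user may open a new outbound TCP connection, whatever the
    # destination port. CONNMARK is non-terminating: it tags the conntrack
    # entry and the packet continues to the next rule.
    ipt -A OUTPUT -o "$IFACE" -p tcp -m owner --uid-owner "$PROXY_USER" \
        -m state --state NEW -j CONNMARK --set-mark "$MARK"
    # All packets belonging to a tagged connection may leave ...
    ipt -A OUTPUT -o "$IFACE" -m connmark --mark "$MARK" -j ACCEPT
    # ... and replies to it may come in. The state match is kept alongside
    # the connmark match so only what conntrack classifies as a reply (or a
    # RELATED ICMP error for that connection) is accepted, nothing else.
    ipt -A INPUT -i "$IFACE" -m connmark --mark "$MARK" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anything else falls to the DROP policy; log a rate-limited sample so
    # unexpected egress attempts (other users, other protocols) are visible.
    ipt -A OUTPUT -o "$IFACE" -m limit --limit 5/min \
        -j LOG --log-prefix "egress-drop: "
    ipt -A INPUT -i "$IFACE" -m limit --limit 5/min \
        -j LOG --log-prefix "ingress-drop: "
}

egress_rules
```

The ruleset, like the one in the thread, has no exception for an administrator's SSH session, so apply it from the console or add that rule first.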