Hello,

Richard Horton wrote:
> On 1 March 2010 09:33, Lentes, Bernd <bernd.lentes@xxxxxxxxxxxxxxxxxxxxx> wrote:
>>
>> I'd like to use the owner module to limit access to some hosts just
>> for some users. But it doesn't work.
>> My rule is:
>> iptables -I OUTPUT -d 0.0.0.0/0 -m owner --uid-owner 1000 -j REJECT
>> This is a very wide rule, just for testing purposes.
>
> Do pings still work?

Probably, as ping runs with suid root. Better try with something like telnet or netcat (nc).

>> But uid 1000 is still able e.g. to send emails from the shell using mail.
>
> If you have an MTA locally it's probably not going out of the box as
> the uid of the process which called mail but as the uid of the MTA...

I agree.

>> I googled already a lot, and found people saying the owner module was
>> canceled in kernel 2.6.14, others saying that it still works in kernel
>> 2.6.18. Some say it does not work with an SMP host. But I have the
>> default kernel and only one CPU.

AFAIK, only the --pid-owner, --sid-owner and --cmd-owner options are broken on SMP and were removed in kernel 2.6.14. The 'owner' match, --uid-owner and --gid-owner options are still present and work.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
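The two pitfalls raised in this thread (a setuid-root test tool such as ping is seen by the owner match as uid 0, and mail goes out under the MTA's uid) are easy to trip over when checking an `--uid-owner` rule. The script below is an added example, not code from the thread: it checks whether the chosen test tool is setuid, emits a LOG rule in front of the REJECT so blocked packets show up in the kernel log, and probes a port as the restricted user with netcat instead of ping. It assumes iptables, su and nc are installed and that it is run as root; the uid, user name and target address are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): verify an iptables owner-match rule
# for one uid without the setuid-root pitfall. Assumes root, iptables, su, nc.
set -u

TEST_UID="${TEST_UID:-1000}"            # uid the rule applies to (constructed)
TEST_USER="${TEST_USER:-bernd}"         # login name for that uid (constructed)
TARGET_HOST="${TARGET_HOST:-192.0.2.10}" # constructed TEST-NET-1 address
TARGET_PORT="${TARGET_PORT:-25}"

# Return 0 if the binary is setuid: the socket is then created as the file
# owner (usually root), so --uid-owner for the caller's uid will NOT match.
# Note: a ping built with file capabilities instead of setuid is not
# detected by this test, so prefer nc/telnet for probing anyway.
is_setuid() {
    [ -u "$1" ]
}

# Resolve a command name and print "ok", "setuid" or "missing".
check_test_tool() {
    path=$(command -v "$1" 2>/dev/null) || { echo "missing"; return 2; }
    if is_setuid "$path"; then echo "setuid"; return 1; fi
    echo "ok"; return 0
}

# Print (not execute) the rules: LOG first so rejected packets are visible
# in the kernel log, then REJECT. Pipe into sh to apply after review.
owner_rules() {
    uid="$1"
    printf 'iptables -I OUTPUT 1 -m owner --uid-owner %s -j LOG --log-prefix "OWNER-REJECT: "\n' "$uid"
    printf 'iptables -I OUTPUT 2 -m owner --uid-owner %s -j REJECT\n' "$uid"
}

# Try a TCP connect as the restricted user with a non-setuid tool.
# nc -z only checks reachability; -w 3 gives a 3 second timeout.
probe_as_user() {
    su "$1" -s /bin/sh -c "nc -z -w 3 '$2' '$3'"
}

main() {
    echo "ping: $(check_test_tool ping)"   # "setuid" on many systems: do not use
    echo "nc:   $(check_test_tool nc)"
    owner_rules "$TEST_UID" | sh
    if probe_as_user "$TEST_USER" "$TARGET_HOST" "$TARGET_PORT"; then
        echo "NOT blocked for $TEST_USER"
    else
        echo "blocked for $TEST_USER (see dmesg for OWNER-REJECT lines)"
    fi
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh check_owner.sh --run`; the LOG lines in `dmesg` tell you which uid the kernel actually saw for each rejected packet, which is what settles the ping and MTA questions.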