
Re: Iptables configuration for a transparent proxy for a single user



On Sat, 16 May 2009 22:13:14 -0600
Jim McClanahan <jimmymac@xxxxxxxxxx> wrote:


> Rather than just DNATing all un-REDIRECTed traffic of tornet_user to
> localhost, I wonder whether it would be safer to direct udp & tcp
> traffic to a particular port where you explicitly DROP (or REJECT) it.

Yes, I think it will be a better solution.

> Something along the lines of:
> 
> DROPDEAD=12345
> $IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner tornet_user \
>    -j REDIRECT --to-port $DROPDEAD
> $IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner tornet_user \
>    -j REDIRECT --to-port $DROPDEAD
> $IPTABLES -t nat -A OUTPUT -m owner --uid-owner tornet_user \
>    -j REDIRECT
> 
> $IPTABLES -A INPUT -p tcp --dport $DROPDEAD -j DROP
> $IPTABLES -A INPUT -p udp --dport $DROPDEAD -j DROP
> 
> (BTW, DNATing to localhost for a locally generated packet is the same as
> REDIRECT.)
>
> Also, it looks to me like the following rule is not needed, as any
> packets that would match have already been RETURNed.
> $IPTABLES -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT

I use privoxy as the first choice for traffic, and without this rule something works wrong.
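As an added example (not code from either poster), the rule set the thread describes, written as one function so the ordering is reviewable: the Tor uid is RETURNed first, the confined user's DNS and new TCP connections are redirected into Tor, and everything left over goes to the dead port and is dropped. The Tor uid (debian-tor), the TransPort/DNSPort numbers and the `--syn` match are assumptions; the page only gives tornet_user, TOR_UID and DROPDEAD.

```shell
#!/bin/sh
# Added example: transparent-proxy rules for one confined user.
# Assumed values; adjust to the uid Tor runs as and the ports in torrc.
TORNET_USER=${TORNET_USER:-tornet_user}   # the confined user (from the thread)
TOR_UID=${TOR_UID:-debian-tor}            # uid Tor itself runs as (assumption)
TRANS_PORT=${TRANS_PORT:-9040}            # Tor TransPort (assumption)
DNS_PORT=${DNS_PORT:-5353}                # Tor DNSPort (assumption)
DROPDEAD=${DROPDEAD:-12345}               # dead port from the thread
# Prints the rules by default; run as  IPTABLES=/sbin/iptables sh tornet.sh  to apply.
IPTABLES=${IPTABLES:-"echo iptables"}

apply_tornet_rules() {
    # 1. Tor's own connections must leave untouched, so RETURN them first.
    $IPTABLES -t nat -A OUTPUT -m owner --uid-owner "$TOR_UID" -j RETURN
    # 2. DNS and new TCP connections of the confined user go into Tor.
    $IPTABLES -t nat -A OUTPUT -p udp --dport 53 \
        -m owner --uid-owner "$TORNET_USER" -j REDIRECT --to-ports "$DNS_PORT"
    $IPTABLES -t nat -A OUTPUT -p tcp --syn \
        -m owner --uid-owner "$TORNET_USER" -j REDIRECT --to-ports "$TRANS_PORT"
    # 3. Whatever is left (other UDP, non-SYN TCP, other protocols) is sent
    #    to a local dead port instead of leaking to the network ...
    $IPTABLES -t nat -A OUTPUT -p tcp \
        -m owner --uid-owner "$TORNET_USER" -j REDIRECT --to-ports "$DROPDEAD"
    $IPTABLES -t nat -A OUTPUT -p udp \
        -m owner --uid-owner "$TORNET_USER" -j REDIRECT --to-ports "$DROPDEAD"
    $IPTABLES -t nat -A OUTPUT \
        -m owner --uid-owner "$TORNET_USER" -j REDIRECT
    # ... and is explicitly dropped when it arrives at that port.
    $IPTABLES -A INPUT -p tcp --dport "$DROPDEAD" -j DROP
    $IPTABLES -A INPUT -p udp --dport "$DROPDEAD" -j DROP
}

apply_tornet_rules
```

With the default `IPTABLES` the script only prints the eight commands, which is a cheap way to eyeball rule order before touching a live table.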