From: tengaman@wolke7.net
To: netfilter@vger.kernel.org
Subject: NAT not for filtering - problem
Date: Tue, 17 Feb 2009 16:28:40 +0100
Message-ID: <20090217152840.GA3683@localhost>

Hello,

recently my Debian system prompted this message:
>The "nat" table is not intended for filtering, hence the use of DROP is
>deprecated and will permanently be disabled in the next iptables
>release. Please adjust your scripts.

What I'm doing in the nat-table is redirecting the traffic to the
tor-program (www.torproject.org) listening on local port 9040 to form a transparent proxy.
Now, the DROP target makes sure that non-redirected and thus "non-anonymized" packages are
impossible.

To distinguish anonymized traffic from normal traffic I do have a
special user: 'tor-user' (-m owner --uid-owner tor-user).
The tor program itself is run by the user 'debian-tor'.

The Problem:
--uid-owner debian-tor does not match the redirected traffic.
Meaning, although the traffic is processed by a process owned by a
different user, --uid-owner still matches the original user of the data.
My system seems to lack the --cmd-owner match, was this cut out?

I hope you have any idea.

Sebastian R.
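
Added example, not part of the original message and not code from the iptables project: a check for the condition the quoted warning describes, `-j DROP` rules placed in the nat table, run over an iptables-save style dump. The sample ruleset is constructed; the user name and port 9040 come from the message, the rule layout and the function names are assumptions.

```shell
#!/bin/sh
# Report "-j DROP" rules that sit inside the nat table of an
# iptables-save style dump read from stdin.
# Output format: "<line number in dump>: <rule>"
find_nat_drops() {
    awk '
        /^\*/     { table = substr($1, 2); next }   # "*nat", "*filter", ...
        /^COMMIT/ { table = ""; next }              # end of the current table
        table == "nat" && /^-A / {
            for (i = 1; i < NF; i++)
                if (($i == "-j" || $i == "--jump") && $(i + 1) == "DROP") {
                    printf "%d: %s\n", NR, $0
                    break
                }
        }
    '
}

# Constructed sample dump (not the poster's real rules): the nat table
# carries both the REDIRECT and a DROP; the filter table carries a DROP
# as well, which is where filtering belongs and must not be reported.
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m owner --uid-owner tor-user -j REDIRECT --to-ports 9040
-A OUTPUT -m owner --uid-owner tor-user -j DROP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9040 -m owner --uid-owner tor-user -j ACCEPT
-A OUTPUT -m owner --uid-owner tor-user -j DROP
COMMIT
EOF
}

sample_ruleset | find_nat_drops
```

On a live system the same function can read the output of `iptables-save` instead of the sample.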
