* Bug in owner module
From: ZenSecurity @ 2013-12-15 13:57 UTC
To: netfilter

Hi, I have some issue with module (owner) in iptables v1.4.14 (debian wheezy 7.2.0)

Current rule fails:

iptables -t nat -A OUTPUT -o eth0 -p tcp -s x.x.x.x -m owner --gid-owner usergroup -j DNAT --to-destination x.x.x.x:80;

I tried to use numeric gid, it failed too..

But this rule works fine:

iptables -t nat -A OUTPUT -o eth0 -p tcp -s x.x.x.x -m owner --uid-owner user -j DNAT --to-destination x.x.x.x:80;

Is it possible to fix this bug?

Thanks!
* Re: Bug in owner module
From: Phil Oester @ 2013-12-15 16:38 UTC
To: ZenSecurity; +Cc: netfilter

On Sun, Dec 15, 2013 at 04:57:08PM +0300, ZenSecurity wrote:
> Hi, I have some issue with module (owner) in iptables v1.4.14 (debian
> wheezy 7.2.0)

what kernel version?

> Current rule fails:
>
> iptables -t nat -A OUTPUT -o eth0 -p tcp -s x.x.x.x -m owner --gid-owner
> usergroup -j DNAT --to-destination x.x.x.x:80;
>
> I tried to use numeric gid, it failed too..

Fails how?? Can't add the rule? Doesn't match? More details please.

Phil
[parent not found: <52ADE190.8010405@zensecurity.su>]
* Re: Bug in owner module
From: Phil Oester @ 2013-12-18 21:15 UTC
To: ZenSecurity; +Cc: netfilter

On Sun, Dec 15, 2013 at 08:06:24PM +0300, ZenSecurity wrote:
> Kernel version: Linux lab 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64
> GNU/Linux
>
> # iptables -t nat -L
> DNAT tcp -- domain.com anywhere owner GID match
> usergroup to: X.X.X.X:80
>
> Rule:
> iptables -t nat -A OUTPUT -o eth0 -p tcp -s X.X.X.X -m owner --gid-owner
> usergroup -j DNAT --to-destination X.X.X.X:80;
>
> Doesn't match (usergroup exists).

Works fine here, on kernel.org kernel.

[root@f20_main ~]# uname -r
3.13.0-rc1+
[root@f20_main ~]# iptables -t nat -A OUTPUT -m owner --gid-owner 1000
[root@f20_main ~]# su - phil
[phil@f20_main ~]$ id
uid=1000(phil) gid=1000(phil) groups=1000(phil)
[phil@f20_main ~]$ ping -c1 10.10.10.1
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=1.02 ms

--- 10.10.10.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.022/1.022/1.022/0.000 ms
[phil@f20_main ~]$ logout
[root@f20_main ~]# iptables -t nat -nvL OUTPUT
Chain OUTPUT (policy ACCEPT 1 packets, 84 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    84            all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner GID match 1000

I suggest filing a bug with Debian bugzilla if you suspect a problem in a Debian kernel.

Phil
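The two checks a defender would run before blaming the kernel, as an added example that is not part of the thread and not netfilter project code. Phil's test user has gid 1000 as its primary group, which is exactly the case the owner match handles: xt_owner compares `--gid-owner` with the filesystem gid of the credentials of the process that created the socket, i.e. the user's primary group, and membership in a supplementary group does not count (that needs the much later `--suppl-groups` option). The script below decides whether a user relates to a group as primary or supplementary, and parses an `iptables -t nat -nvL OUTPUT` listing in the format shown above to see whether the rule counted any packets. The passwd/group fragments, the listing, the user and group names and the address 192.0.2.10 are all constructed for the example.

```python
"""Diagnose a non-matching `-m owner --gid-owner` rule (added example).

1. xt_owner matches the socket creator's primary (fs) gid only, so a user
   who is merely a supplementary member of the group never matches.
2. The packet counters of the nat OUTPUT chain show whether the rule
   fired at all.
All sample data here is constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed /etc/passwd and /etc/group fragments; names and ids are made up.
# alice is only a supplementary member of usergroup, bob has it as primary gid.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:2000:Bob:/home/bob:/bin/bash
"""
GROUP = """\
root:x:0:
alice:x:1000:
usergroup:x:2000:alice,bob
"""

# Constructed listing in the format of `iptables -t nat -nvL OUTPUT`.
NVL_OUTPUT = """\
Chain OUTPUT (policy ACCEPT 7 packets, 588 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            owner GID match 2000 to:192.0.2.10:80
    5   420 DNAT       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            owner UID match 1000 to:192.0.2.10:80
"""


def parse_passwd(text: str) -> Dict[str, Tuple[int, int]]:
    """Map user name -> (uid, primary gid) from passwd(5) lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        users[name] = (int(uid), int(gid))
    return users


def parse_group(text: str) -> Dict[str, Tuple[int, List[str]]]:
    """Map group name -> (gid, [supplementary members]) from group(5) lines."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def gid_owner_verdict(user: str, group: str, passwd, groups) -> str:
    """'primary' if `group` is the user's primary gid (the only case
    --gid-owner matches without --suppl-groups), 'supplementary' if the
    user is listed as a member only, otherwise 'none'."""
    _uid, primary_gid = passwd[user]
    gid, members = groups[group]
    if primary_gid == gid:
        return "primary"
    if user in members:
        return "supplementary"
    return "none"


# pkts, bytes, then anything up to the owner match description.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s.*owner (UID|GID) match (\d+)")


def owner_rule_counters(listing: str) -> Dict[Tuple[str, int], int]:
    """Map (kind, id) -> packets matched for every owner rule in the listing."""
    counters = {}
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            pkts, _bytes, kind, ident = m.groups()
            counters[(kind, int(ident))] = int(pkts)
    return counters


def diagnose(user: str, group: str, passwd, groups, listing: str) -> str:
    """Combine both checks into one line of advice."""
    verdict = gid_owner_verdict(user, group, passwd, groups)
    gid = groups[group][0]
    pkts = owner_rule_counters(listing).get(("GID", gid), 0)
    if verdict == "primary":
        return f"{user}: primary gid {gid}; rule counted {pkts} packet(s)"
    return (f"{user}: gid {gid} is {verdict}, so --gid-owner {group} "
            f"cannot match its sockets (rule counted {pkts} packet(s))")


if __name__ == "__main__":
    pw, gr = parse_passwd(PASSWD), parse_group(GROUP)
    for u in ("alice", "bob", "root"):
        print(diagnose(u, "usergroup", pw, gr, NVL_OUTPUT))
```

On a live host the same functions can be fed the real files and the real `iptables -t nat -nvL OUTPUT` output; if the verdict is "supplementary" the rule is behaving as designed, and only a "primary" user whose traffic leaves a zero counter points at the kernel or the rule itself.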