* blocking a site for others not for -m owner
@ 2004-07-08  4:56 Askar Ali Khan
From: Askar Ali Khan @ 2004-07-08  4:56 UTC
  To: netfilter

Salam

I'm trying, on my home box (standalone) which is directly connected
to the net via ppp0 (dialup). I got three user accounts on this box
only for practice purposes.
Now I'm trying to block a site www.foo.com for users excluding user
"askar" with something like....

#iptables -A OUTPUT -p tcp --dport 80 -d www.foo.com -j DROP

This works for all users, however when I try to exclude user
"askar" from this blocking with...

#iptables -A OUTPUT -p tcp --dport 80 -d www.kmmod.com -m owner
--uid-owner askar -j ACCEPT

the site is still blocked for user "askar". I also tried
changing the order of the rules, not working :). How to exclude "askar"?
My default chain policies ...

Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)

Regards
Askar



* Re: blocking a site for others not for -m owner
From: Alexander Samad @ 2004-07-08  5:16 UTC
  To: netfilter

On Thu, Jul 08, 2004 at 09:56:37AM +0500, Askar Ali Khan wrote:
> Salam
> 
> I'm trying, on my home box (standalone) which is directly connected
> to the net via ppp0 (dialup). I got three user accounts on this box
> only for practice purposes.
> Now I'm trying to block a site www.foo.com for users excluding user
> "askar" with something like....
> 
> #iptables -A OUTPUT -p tcp --dport 80 -d www.foo.com -j DROP
> 
> This works for all users, however when I try to exclude user
> "askar" from this blocking with...
> 
> #iptables -A OUTPUT -p tcp --dport 80 -d www.kmmod.com -m owner
> --uid-owner askar -j ACCEPT

-A means to append to the end of the table; if you do it in the order
above it will not work.

try -I for the second one

> 
> the site is still blocked for user "askar". I also tried
> changing the order of the rules, not working :). How to exclude "askar"?
> My default chain policies ...
> 
> Chain INPUT (policy ACCEPT)
> Chain FORWARD (policy ACCEPT)
> Chain OUTPUT (policy ACCEPT)
> 
> Regards
> Askar
> 
> 


* Re: blocking a site for others not for -m owner
From: Nick Taylor @ 2004-07-08  5:24 UTC
  To: Askar Ali Khan; +Cc: netfilter

> Now I'm trying to block a site www.foo.com for users excluding user
> "askar" with something like....
>
> #iptables -A OUTPUT -p tcp --dport 80 -d www.foo.com -j DROP
>
> This works for all users, however when I try to exclude user
> "askar" from this blocking with...
>
> #iptables -A OUTPUT -p tcp --dport 80 -d www.kmmod.com -m owner
> --uid-owner askar -j ACCEPT
>
> the site is still blocked for user "askar". I also tried
> changing the order of the rules, not working :). How to exclude "askar"?
>

Well, two things.  First, and I assume you know this, in your first
example, you list www.foo.com (216.234.246.149, and 216.234.246.150), and
in the second example you use www.kmmod.com (66.226.86.161).  Obviously,
if you want the second rule to contradict the first one, you have to use
the same destination address, but with the setup you give, it still won't
work.  When you use -A, you Append to the chain, meaning you place the new
rule at the bottom.  The first rule that terminates a chain is the only
one that matters, and a -j DROP is a terminating rule, so the kernel drops
the packet, and forgets about it before it thinks about reading the second
rule.  You have two choices, either enter a specific -j ACCEPT rule (like
the -m owner match) before the less specific -j DROP rule, or enter the -j
DROP rule with a -I to insert it at the top of the chain.

Hope this helps


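As an added illustration (not part of the thread), the script below models the kernel's first-match walk through the OUTPUT chain, so the two orderings discussed above can be compared, and prints the iptables commands that put the owner exception ahead of the DROP. The site address 203.0.113.10 and askar's uid 1000 are constructed values, not from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Shows why appending the "-m owner" ACCEPT
# after the DROP still blocks askar, and which order works.
# Constructed assumptions: the site resolves to 203.0.113.10, askar is uid 1000.
SITE=203.0.113.10
ASKAR_UID=1000

# verdict DEST UID RULE... : each RULE is "dest uid target", uid "any" meaning
# no owner match. Rules are walked in order; the first matching terminating
# target wins, otherwise the chain policy (ACCEPT, as in the thread) applies.
verdict() {
    pkt_dest=$1; pkt_uid=$2; shift 2
    for rule in "$@"; do
        set -- $rule                      # $1=dest $2=uid $3=target
        [ "$1" = "$pkt_dest" ] || continue
        [ "$2" = any ] || [ "$2" = "$pkt_uid" ] || continue
        echo "$3"; return 0               # DROP/ACCEPT ends traversal here
    done
    echo ACCEPT                           # chain policy
}

# Order the original post produced: both rules appended, so DROP is rule 1.
posted_order() {
    verdict "$1" "$2" "$SITE any DROP" "$SITE $ASKAR_UID ACCEPT"
}

# Working order: the specific owner ACCEPT is evaluated before the general DROP.
fixed_order() {
    verdict "$1" "$2" "$SITE $ASKAR_UID ACCEPT" "$SITE any DROP"
}

# The commands that yield fixed_order, with the check a practitioner would run.
# Printed only; they need root to apply.
show_fix() {
    cat <<EOF
iptables -A OUTPUT -p tcp --dport 80 -d $SITE -j DROP
iptables -I OUTPUT 1 -p tcp --dport 80 -d $SITE -m owner --uid-owner $ASKAR_UID -j ACCEPT
iptables -L OUTPUT -n -v --line-numbers   # ACCEPT must be line 1, DROP line 2
EOF
}

echo "posted order, askar    -> $(posted_order "$SITE" "$ASKAR_UID")"  # DROP
echo "fixed order,  askar    -> $(fixed_order "$SITE" "$ASKAR_UID")"   # ACCEPT
echo "fixed order,  uid 1001 -> $(fixed_order "$SITE" 1001)"          # DROP
show_fix
```

Both rules must name the same destination: iptables resolves a hostname once, when the rule is added, and installs one rule per returned address, so an exception for www.kmmod.com does nothing for a DROP on www.foo.com, and a site that changes addresses later slips past both.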