From: Ray Leach <raymondl@knowledgefactory.co.za>
To: Netfilter Mailing List <netfilter@lists.netfilter.org>
Subject: Re: Allow Proxy connection
Date: 18 Jun 2003 15:36:30 +0200 [thread overview]
Message-ID: <1055943389.2530.98.camel@raylinux.internal> (raw)
In-Reply-To: <000701c3359c$925ca020$0200a8c0@basti79>
[-- Attachment #1: Type: text/plain, Size: 1403 bytes --]
I use similar rules except:
<snip>
> iptables -A OUTPUT -o eth0 -p tcp --dport 80:90 -m state --state
> NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --sport 80:90 -m state --state
> ESTABLISHED -j ACCEPT
>
Then of course there's also port 8080 for tomcat and 443 for SSL with
similar rules.
Since you are using state matching, only established connections are
allowed back in.
> But this works only if the webserver in the internet is running on port
> 80. So i tried to use the -m owner --uid-owner option to match all
> packets from the proxy user. The i had to accept all ESTABLISHED packets
> in the INPUT chain, because the owner match works only in OUTPUT chain.
>
> What i did now is the following:
>
> iptables -A OUTPUT -o eth0 -p tcp -m owner --uid-owner proxy -m state
> --state NEW -j CONNARK --set-mark 1
> iptables -A OUTPUT -o eth0 -m connmark --mark 1 -j ACCEPT
> iptables -A INPUT -i eth0 -m connmark --mark 1 -j ACCEPT
>
> This seems to work, but what i wann know now:
> - Is this solution secure?
> - Anybody got a better solution?
>
> Regards
> Sebastian.
--
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
--
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
prev parent reply other threads:[~2003-06-18 13:36 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-06-18 13:21 Allow Proxy connection Sebastian
2003-06-18 13:36 ` Ray Leach [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1055943389.2530.98.camel@raylinux.internal \
--to=raymondl@knowledgefactory.co.za \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox