Re: filtering by user
Leonardo Boselli wrote:
> On Mon, 1 May 2006, Pascal Hambourg wrote:
>>> I wish that a number of users (that can be made member or not member of a
>>> certain group) would always use i.j.n.m address to connect to outside
>> I don't think this is a good idea because IP addresses are intended to
>> be network-related, not user-related. Instead you may use the 'owner'
>> match to match locally generated packets against a user id or group id.
> I agree with your opinion, however sticking a group of users to a specific
> address would allow administrators to filter on the _other_ end of the
> link, accepting or refusing the connection based on the source address (I
So you want to do packet filtering on a different machine. I haven't
investigated but wouldn't be surprised if using source address to that
purpose had some flaws or side effects. I hope you know what you're doing.
Anyway you can use the 'owner' match to perform source NAT on the source
iptables -t nat -A POSTROUTING -m owner --uid-owner 1234 \
-j SNAT --to-source 220.127.116.11
The best place to select the source address would be the routing
decision, so I thought about marking the packets with the MARK target in
the OUTPUT chain according to the 'owner' match and direct them to
alternate routing tables with 'ip rule', but it would be too late: the
source address is selected in the first routing decision which takes
place before the OUTPUT chain.
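The per-user SNAT rule from the reply above, wrapped in a small POSIX sh script that applies it for several uid/address pairs. This is an added example, not code from the thread or from netfilter; the uid-to-address map, the 192.0.2.x addresses and the `DRY_RUN` switch are constructed for illustration. It validates its inputs, uses `iptables -C` so re-running does not stack duplicate rules, and only touches locally generated traffic, which is all the 'owner' match can see.

```shell
#!/bin/sh
# Added example: per-UID source NAT with the netfilter 'owner' match.
# Not from the mailing-list thread. uid/address pairs are constructed.
# DRY_RUN=1 (the default) prints the iptables commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"

# Constructed sample map: one "uid:source-address" pair per line.
UID_SNAT_MAP="1234:192.0.2.11
1235:192.0.2.12"

# run: execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_uid: non-empty and digits only.
valid_uid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# valid_ipv4: exactly four dotted decimal octets, each in 0..255.
valid_ipv4() {
    old_ifs="$IFS"
    IFS=.
    set -- $1
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# apply_snat UID ADDR: add the POSTROUTING SNAT rule for one user, once.
# Returns 1 without doing anything if either argument is malformed.
apply_snat() {
    uid="$1"
    addr="$2"
    valid_uid "$uid" || { echo "apply_snat: bad uid '$uid'" >&2; return 1; }
    valid_ipv4 "$addr" || { echo "apply_snat: bad address '$addr'" >&2; return 1; }
    # -C checks for an identical rule so the script is safe to re-run.
    if [ "$DRY_RUN" != "1" ] && iptables -t nat -C POSTROUTING \
            -m owner --uid-owner "$uid" -j SNAT --to-source "$addr" 2>/dev/null; then
        return 0
    fi
    run iptables -t nat -A POSTROUTING -m owner --uid-owner "$uid" \
        -j SNAT --to-source "$addr"
}

# apply_map: walk UID_SNAT_MAP and apply each pair, reporting rejected lines.
apply_map() {
    printf '%s\n' "$UID_SNAT_MAP" | while IFS=: read -r uid addr; do
        apply_snat "$uid" "$addr" || echo "apply_map: skipped '$uid:$addr'" >&2
    done
}

apply_map
```

Run it with `DRY_RUN=0` as root to actually install the rules; the dry run shows what would be applied. Because 'owner' only matches packets generated on this host, traffic the same users send through this box from elsewhere (forwarded packets) is not rewritten, which is something to keep in mind before a remote filter is made to trust the source address, as the reply cautions. As an aside on the policy-routing idea in the reply: Linux kernels from 4.10 onward accept `ip rule add uidrange ... lookup ...`, which lets the routing table, and hence the source address, be chosen by uid at the first routing decision rather than after the OUTPUT chain.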