
Re: filtering by user

Leonardo Boselli wrote:
On Mon, 1 May 2006, Pascal Hambourg wrote:

I wish that a number of users (that can be made member or not member of a
certain group) would always use the i.j.n.m address to connect to outside

I don't think this is a good idea because IP addresses are intended to be network-related, not user-related. Instead you may use the 'owner' match to match locally generated packets against a user id or group id.

I agree with your opinion, however sticking a group of users to a specific
address would allow administrators to filter on the _other_ end of the
link, accepting or refusing the connection based on the source address (I

So you want to do packet filtering on a different machine. I haven't investigated but wouldn't be surprised if using the source address for that purpose had some flaws or side effects. I hope you know what you're doing.

Anyway you can use the 'owner' match to perform source NAT on the source host:

iptables -t nat -A POSTROUTING -m owner --uid-owner 1234 \
  -j SNAT --to-source

The best place to select the source address would be the routing decision, so I thought about marking the packets with the MARK target in the OUTPUT chain according to the 'owner' match and directing them to alternate routing tables with 'ip rule', but it would be too late: the source address is selected in the first routing decision, which takes place before the OUTPUT chain.
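The following script is an added example, not part of the list thread, showing the complete nat rule set that pins locally generated traffic of one uid or gid to a fixed source address with the 'owner' match, as the reply above suggests. The uid 1234, gid 5000, the addresses 192.0.2.10/192.0.2.11 and the interface eth0 are constructed placeholders. By default the script only prints the iptables commands; with APPLY=1 (run as root) it loads them.

```shell
#!/bin/sh
# Added example (not from the thread): source NAT per uid/gid using the
# 'owner' match. All values (uid, gid, addresses, interface) are constructed.
# Prints the commands by default; APPLY=1 executes them with iptables.

# user_snat_rule UID ADDR IFACE
# The 'owner' match is only valid for locally generated packets, i.e. in the
# OUTPUT and POSTROUTING chains; POSTROUTING is also where SNAT is done, so
# both can be combined in one rule. Restricting to the outgoing interface
# keeps loopback and internal traffic untouched.
user_snat_rule() {
    uid=$1; addr=$2; iface=$3
    printf 'iptables -t nat -A POSTROUTING -o %s -m owner --uid-owner %s -j SNAT --to-source %s\n' \
        "$iface" "$uid" "$addr"
}

# group_snat_rule GID ADDR IFACE: same, keyed on the group of the socket owner
group_snat_rule() {
    gid=$1; addr=$2; iface=$3
    printf 'iptables -t nat -A POSTROUTING -o %s -m owner --gid-owner %s -j SNAT --to-source %s\n' \
        "$iface" "$gid" "$addr"
}

# emit_rules: the whole rule set for the constructed sample values.
# The nat table only sees the first packet of each connection; conntrack
# reverses the translation on replies, so no return-direction rule is needed.
emit_rules() {
    user_snat_rule 1234 192.0.2.10 eth0
    group_snat_rule 5000 192.0.2.11 eth0
}

if [ "${APPLY:-0}" = "1" ]; then
    emit_rules | while read -r cmd; do eval "$cmd"; done
else
    emit_rules
fi
```

The translated-to address must be configured on the host (for example as a second address on eth0), otherwise the host will not answer ARP for it and replies never come back. A uid-keyed rule listed before a gid-keyed one wins for users matching both, since the first matching rule in the nat chain is used.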
