
Re: [SOLVED] Re: Transparent proxy - forwarding does not work



Alex Samad wrote:
On Tue, Jan 15, 2008 at 03:08:55PM -0200, Eduardo M KALINOWSKI wrote:
Alex Samad wrote:
On Tue, Jan 15, 2008 at 08:11:34AM -0200, Eduardo M KALINOWSKI wrote:
Alex Samad wrote:
[snip]
Well, this solution is far more complicated than what I wanted, so I took a look at iptables' manpage and discovered that matching can be done based on the UID that is running the process, so the idea is to let requests made by user 'proxy' through, and redirect all others to the proxy. This amounts to the two lines

iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
I think there is a caveat: it only works on non-SMP boxes!

Happens to be the case. ;-)

According to the iptables manpage, matching by uid and gid is fine (well, at least there is no mention that it is not fine), but there are problems for pid, sid and cmd-name on SMP. (And they require special kernel support, etc., etc.)

--
if (instr(buf,sys_errlist[errno]))  /* you don't see this */
		-- Larry Wall in eval.c from the perl source code

Eduardo M KALINOWSKI
ekalin@gmail.com
http://move.to/hpkb
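
An added check, not part of the original message: the two rules quoted above depend on order, because the ACCEPT for the proxy's own uid has to come before the catch-all REDIRECT, otherwise the proxy's outbound requests are redirected back to itself. The function below reads iptables-save output and reports that order; the function name, the uid 13 and the sample rule sets are constructed for illustration.

```shell
# check_proxy_exempt UID PORT  (hypothetical helper, reads iptables-save text on stdin)
# Prints "ok" if an owner-match ACCEPT for UID precedes the catch-all REDIRECT
# for PORT in nat/OUTPUT, "loop" if it is missing or comes later, and
# "no-redirect" if no catch-all REDIRECT for PORT exists.
# Negated owner matches (! --uid-owner) are not interpreted.
check_proxy_exempt() {
    awk -v uid="$1" -v port="$2" '
        /^\*/ { table = substr($0, 2) }          # "*nat", "*filter", ...
        table == "nat" && $1 == "-A" && $2 == "OUTPUT" {
            dport = ""; owner = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "--dport")     dport  = $(i + 1)
                if ($i == "--uid-owner") owner  = $(i + 1)
                if ($i == "-j")          target = $(i + 1)
            }
            if (dport != port) next
            n++                                   # position among rules for PORT
            if (target == "ACCEPT" && owner == uid && !exempt)   exempt = n
            if (target == "REDIRECT" && owner == "" && !redirect) redirect = n
        }
        END {
            if (!redirect) { print "no-redirect"; exit 2 }
            if (!exempt || exempt > redirect) { print "loop"; exit 1 }
            print "ok"
        }
    '
}

# Constructed samples in iptables-save format (uid shown numerically).
GOOD_RULES='*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 13 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT'

BAD_RULES='*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 13 -j ACCEPT
COMMIT'

printf '%s\n' "$GOOD_RULES" | check_proxy_exempt 13 80
printf '%s\n' "$BAD_RULES"  | check_proxy_exempt 13 80 || true
```

On a live box the input would come from `iptables-save -t nat`, with the uid taken from `id -u proxy`.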

