On Sat, 16 May 2009 22:13:14 -0600 Jim McClanahan <jimmy...@copper.net> wrote:
> Rather than just DNATing all un-REDIRECTed traffic of tornet_user to
> local host, I wonder whether it would be safer to direct udp & tcp
> traffic to a particular port where you explicitly DROP (or REJECT) it.

Yes, I think it will be a better solution.

> Something along the lines of:
>
> DROPDEAD=12345
> $IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner tornet_user \
>     -j REDIRECT --to-port $DROPDEAD
> $IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner tornet_user \
>     -j REDIRECT --to-port $DROPDEAD
> $IPTABLES -t nat -A OUTPUT -m owner --uid-owner tornet_user \
>     -j REDIRECT
>
> $IPTABLES -A INPUT -p tcp --dport $DROPDEAD -j DROP
> $IPTABLES -A INPUT -p udp --dport $DROPDEAD -j DROP
>
> (BTW, DNATing to localhost for a locally generated packet is the same as
> REDIRECT.)
>
> Also, it looks to me like the following rule is not needed, as any
> packets that would match have already been RETURNed.
> $IPTABLES -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT

I use privoxy as first choice for traffic and without this rule something works wrong.
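The sink-port approach discussed above, as an added example written for this thread (not Jim's or the original poster's script): the nat OUTPUT rules for tornet_user with the Tor REDIRECTs placed ahead of the catch-all sink REDIRECT, the INPUT drops for the sink port, and a dry-run check that the ordering is right. The user names, the TransPort/DNSPort numbers and the `IPTABLES=echo` dry-run default are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not the original poster's script.
# Assumed values; adjust to the local torrc and user names.
IPTABLES="${IPTABLES:-echo iptables}"   # set IPTABLES=iptables to apply for real
TOR_UID="${TOR_UID:-debian-tor}"        # assumed user Tor runs as
TORNET_USER="${TORNET_USER:-tornet_user}"
TRANS_PORT="${TRANS_PORT:-9040}"        # assumed torrc TransPort
DNS_PORT="${DNS_PORT:-5353}"            # assumed torrc DNSPort
DROPDEAD="${DROPDEAD:-12345}"           # sink port; nothing listens here

# Emit (or apply) the rules. Order in nat OUTPUT matters: the REDIRECTs
# into Tor must come before the catch-all REDIRECT to the sink port.
tor_sink_rules() {
    # Tor's own traffic leaves the chain untouched.
    $IPTABLES -t nat -A OUTPUT -m owner --uid-owner "$TOR_UID" -j RETURN
    # tornet_user TCP goes to the TransPort, its DNS to the DNSPort.
    $IPTABLES -t nat -A OUTPUT -p tcp -m owner --uid-owner "$TORNET_USER" \
        -j REDIRECT --to-ports "$TRANS_PORT"
    $IPTABLES -t nat -A OUTPUT -p udp --dport 53 -m owner --uid-owner "$TORNET_USER" \
        -j REDIRECT --to-ports "$DNS_PORT"
    # Any other UDP from tornet_user lands on the sink port ...
    $IPTABLES -t nat -A OUTPUT -p udp -m owner --uid-owner "$TORNET_USER" \
        -j REDIRECT --to-ports "$DROPDEAD"
    # ... and remaining protocols (ICMP etc.) stay on the local host.
    $IPTABLES -t nat -A OUTPUT -m owner --uid-owner "$TORNET_USER" -j REDIRECT
    # The sink port is dropped, so a leak shows up as a failed connection
    # instead of a packet on the wire.
    $IPTABLES -A INPUT -p tcp --dport "$DROPDEAD" -j DROP
    $IPTABLES -A INPUT -p udp --dport "$DROPDEAD" -j DROP
}

# Sanity check on the emitted rule list: the TransPort REDIRECT must come
# before the first sink REDIRECT, or tornet_user TCP would be sunk too.
check_order() {
    rules=$(tor_sink_rules)
    trans=$(printf '%s\n' "$rules" | grep -n -- "--to-ports $TRANS_PORT" | cut -d: -f1)
    sink=$(printf '%s\n' "$rules" | grep -n -- "--to-ports $DROPDEAD" | head -n1 | cut -d: -f1)
    [ -n "$trans" ] && [ -n "$sink" ] && [ "$trans" -lt "$sink" ]
}

# Dry run by default: prints the iptables commands without applying them.
tor_sink_rules
```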