Brian Henning wrote:
> iptables doesn't have per-user ability, does it? I thought it only
> examined packet headers, which I didn't think had any info about local
> user in them.
iptables has access to any information the kernel has about the packet,
and can indeed route packets based on user id. For example, to set up a
transparent proxy, I've got the following rule:

    $ sudo /sbin/iptables -t nat -L
    ...
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source     destination
    REDIRECT   tcp  --  anywhere   anywhere     ! OWNER UID match proxy tcp dpt:www redir ports 3128

Which redirects port 80 to port 3128 for all packets except packets
generated by the proxy user.

> I can't access a shell from that account (which is sensible)

You should be able to with e.g.

    sudo su smmsp -s /bin/bash

-- Dan

> I can, however, telnet to strutmasters.net:25 from a
> standard unprivileged account.

Cool, does this work? Another thing you can do is fire up your favorite
packet sniffer and see what's going out on the wire.

-- Dan

-- 
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
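Added example, not code from Dan's message or the TriLUG thread: the rule behind the listing above as a script, plus an audit of an iptables-save dump that flags a port-80 REDIRECT in the nat OUTPUT chain that lacks the owner exclusion (without it the proxy's own upstream fetches are redirected back into the proxy). The user name proxy and port 3128 come from the listing; the sample dump and uid 13 are constructed.

```shell
#!/bin/sh
# Assumptions (constructed for this example): the proxy runs as user
# "proxy" and listens on 3128, as in the iptables -L listing above.
PROXY_USER=proxy
PROXY_PORT=3128

# The rule the listing shows. The owner match only has meaning in the
# OUTPUT (and POSTROUTING) chain: a uid exists only for packets generated
# on this host, never for forwarded ones.
redirect_rule() {
    echo "-t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $PROXY_USER -j REDIRECT --to-ports $PROXY_PORT"
}

# Apply it; needs root. Not called by default.
apply_redirect_rule() {
    # shellcheck disable=SC2046
    sudo /sbin/iptables $(redirect_rule)
}

# Audit an iptables-save dump read from stdin: every nat OUTPUT REDIRECT
# to the proxy port must carry "! --uid-owner". Exit 0 if all do, 1 if any
# rule would loop the proxy's own traffic back into it.
check_dump() {
    awk -v port="$PROXY_PORT" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A OUTPUT / && /-j REDIRECT/ &&
            $0 ~ ("--to-ports " port "( |$)") {
            if ($0 !~ /! --uid-owner/) bad++
        }
        END { exit (bad > 0) }'
}

# Constructed sample dump in iptables-save format (iptables-save writes the
# uid numerically; 13 is an invented value for the proxy user).
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner ! --uid-owner 13 -j REDIRECT --to-ports 3128
COMMIT'

printf '%s\n' "$SAMPLE_DUMP" | check_dump \
    && echo "ok: redirect rule excludes the proxy user" \
    || echo "WARNING: redirect rule lacks the owner exclusion"
```

On a live system, run `sudo iptables-save | check_dump` after sourcing the script to audit the real rule set.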
