Index of /~baro/sw/var/netfilter

Name                       Last modified       Size   Description
Parent Directory           08-Nov-2006 16:00   -
2.4.33.3.--log-uid.patch   10-Oct-2006 16:33   2k     Enable "iptables -j LOG --log-uid" on 2.4 kernel (not supported by default; 2.4 is in maintenance-only mode).

Apply the patch to the kernel source tree:

    cd /path/to/linux-2.4.33.3
    patch -p2 < /path/to/2.4.33.3.--log-uid.patch

Usage example:

    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -m udp -p udp --dport 53 -s $MYIP -d $MYDNS -j ACCEPT
    -A OUTPUT -m owner --uid-owner root -j ACCEPT
    -A OUTPUT -m tcp -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A OUTPUT -m tcp -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j ACCEPT
    -A OUTPUT -m limit --limit 5/minute --limit-burst 60 -j LOG --log-level warn --log-prefix "iptables: outdrop: " --log-uid
    -A OUTPUT -j DROP

Note:
    --log-uid cannot work on the INPUT chain: sockets for incoming packets are not owned by users.
    --log-uid on OUTPUT reports 0 for ICMP (setuid) and for some packets handled directly by the kernel (e.g. TCP RST, ICMP echo-reply, ...).