Index of /~baro/sw/var/netfilter
Name Last modified Size Description
Parent Directory 08-Nov-2006 16:00 -
2.4.33.3.--log-uid.patch 10-Oct-2006 16:33 2k
Enable "iptables -j LOG --log-uid" on 2.4 kernel (not supported by default, 2.4 is in maintenance-only mode).
cd /path/to/linux-2.4.33.3
patch -p2 < /path/to/2.4.33.3.--log-uid.patch
Usage example:
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m udp -p udp --dport 53 -s $MYIP -d $MYDNS -j ACCEPT
-A OUTPUT -m owner --uid-owner root -j ACCEPT
-A OUTPUT -m tcp -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m tcp -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j ACCEPT
-A OUTPUT -m limit --limit 5/minute --limit-burst 60 -j LOG --log-level warn --log-prefix "iptables: outdrop: " --log-uid
-A OUTPUT -j DROP
Note:
--log-uid cannot work on the INPUT chain: sockets for incoming packets are not owned by users.
--log-uid on OUTPUT reports 0 for icmp (setuid) and for some packets handled directly by the kernel (e.g. tcp RST, icmp echo-reply, ...).