Brad Fitzpatrick (brad) wrote,
Brad Fitzpatrick
brad

netfilter

I want to run a memcached process on a shared server (goathack), listening on 127.0.0.1:11211, but memcached doesn't have any sort of authentication (maybe later), so I have to restrict its access to just connections from the "ljtest" user.

I thought this would be easy with netfilter:

# iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport 11211 -m owner \! --uid-owner 1033 -j DROP

But....

iptables: Invalid argument

So, I find Debian stable's is old (1.2.6a). I build the latest version and get:

iptables v1.2.8: Unknown arg `--dport'

(but --dport should be loaded implicitly by -p tcp)

So I look at the relevant code and find:
/* If you listen carefully, you can
   actually hear this code suck. */

/* some explanations (after four different bugs
 * in 3 different releases): If we encounter a
 * parameter, that has not been parsed yet,
 ... [snipped] ....

Great. *yawn*

Update: This order works with 1.2.8:
# iptables -A OUTPUT -m owner \! --uid-owner ljtest -p tcp --dport 11211 -d 127.0.0.1 -j DROP

Update #2: But it can't reload this config later. Filed a bug.
Subscribe
  • Post a new comment

    Error

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.
  • 5 comments