[Jun. 9th, 2003 | 11:57 pm]
I want to run a memcached process on a shared server (goathack), listening on 127.0.0.1:11211, but memcached doesn't have any sort of authentication (maybe later), so I have to restrict its access to just connections from the "ljtest" user.
I thought this would be easy with netfilter:
# iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport 11211 -m owner \! --uid-owner 1033 -j DROP
iptables: Invalid argument
So I find Debian stable's iptables is old (1.2.6a). I build the latest version and get:
iptables v1.2.8: Unknown arg `--dport'
(but --dport should be loaded implicitly by -p tcp)
So I look at the relevant code and find:
/* If you listen carefully, you can
actually hear this code suck. */
/* some explanations (after four different bugs
* in 3 different releases): If we encounter a
* parameter, that has not been parsed yet,
... [snipped] ....
Update: This order works with 1.2.8:
# iptables -A OUTPUT -m owner \! --uid-owner ljtest -p tcp --dport 11211 -d 127.0.0.1 -j DROP
Update #2: But it can't reload this config later. Filed a bug.
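As an added check (not from the post, and not iptables' own code), here is a small Python audit of `iptables-save` output: it parses each `-A` rule, accepts both the `! --uid-owner` and the older `--uid-owner !` spellings of negation, and simulates a first-match walk of the OUTPUT chain for the allowed user and for other uids, so you can confirm a saved ruleset still restricts 127.0.0.1:11211 before relying on it. The sample save text, the user names and the plain-host handling of `-d` are assumptions.

```python
import shlex

# Constructed `iptables-save` rendering of the rule from the post (not the page's own file).
SAVED = """\
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner ! --uid-owner ljtest -p tcp --dport 11211 -d 127.0.0.1 -j DROP
COMMIT
"""

def parse_rule(line):
    """Parse '-A CHAIN ...' into {opt: val}; negated opts get a '!' prefix (both bang spellings)."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule, negate, i = {"chain": toks[1]}, False, 2
    while i < len(toks):
        tok, i = toks[i], i + 1
        if tok == "!":
            negate = True
        elif tok.startswith("-"):
            if i < len(toks) and toks[i] == "!":  # older iptables-save wrote '--opt ! value'
                negate, i = True, i + 1
            has_val = i < len(toks) and toks[i] != "!" and not toks[i].startswith("-")
            rule[("!" if negate else "") + tok.lstrip("-")] = toks[i] if has_val else True
            i, negate = i + has_val, False  # bool has_val counts as 0/1
    return rule

def matches(rule, user, port, dst):
    """Would a TCP packet from `user` to dst:port hit this rule? (plain-host -d only)"""
    return (rule.get("p", "tcp") == "tcp" and rule.get("dport", str(port)) == str(port)
            and rule.get("d", dst) in (dst, dst + "/32")
            and rule.get("uid-owner", user) == user and rule.get("!uid-owner") != user)

def verdict(saved, user, port, chain="OUTPUT", dst="127.0.0.1"):
    """First-match walk: target of the first rule that matches, else the chain policy."""
    policy = "ACCEPT"
    for line in saved.splitlines():
        if line.startswith(":%s " % chain):
            policy = line.split()[1]
        rule = parse_rule(line)
        if rule and rule["chain"] == chain and "j" in rule and matches(rule, user, port, dst):
            return rule["j"]
    return policy

def only_user_can_reach(saved, user, port, others=("www-data", "nobody")):
    """True when `user` is accepted and every uid in `others` is dropped or rejected."""
    return verdict(saved, user, port) == "ACCEPT" and all(
        verdict(saved, o, port) in ("DROP", "REJECT") for o in others)
```

The walk only models the options the post's rule uses (`-p`, `--dport`, `-d`, owner match, `-j`); anything else would need extending before trusting it on a fuller ruleset.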
I've spent entire -days- wrangling netfilter before.
I'd like an hour alone with Rusty Russell and a staplegun.
2003-06-10 12:42 am (UTC)
Well, if there were something better we'd be using it, right?
**waits for ipfw people to tell us how much Linux sucks**
well, yeah. i just wish that when they did the entire filtering rewrite for 2.4 that resulted in netfilter (kernelside) and iptables (userspace), they had taken a hint from someone who had managed to get it right.
maybe one day i'll get around to writing that script i've been meaning to make that will convert cisco acls to iptables lines so i'll never have to think about it again.
well, when I started looking for a fix for this problem, this was not where I expected to find it.
next time, I'll just assume you know everything, and send you an email first. =)
2003-06-19 11:38 pm (UTC)
... it's ... a small Net ... affff-ter all.....