Brad Fitzpatrick (brad) wrote,

netfilter

I want to run a memcached process on a shared server (goathack), listening on 127.0.0.1:11211, but memcached doesn't have any sort of authentication (maybe later), so I have to restrict its access to just connections from the "ljtest" user.

I thought this would be easy with netfilter:

# iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport 11211 -m owner \! --uid-owner 1033 -j DROP

But....

iptables: Invalid argument

So, I find Debian stable's is old (1.2.6a). I build the latest version and get:

iptables v1.2.8: Unknown arg `--dport'

(but --dport should be loaded implicitly by -p tcp)

So I look at the relevant code and find:
/* If you listen carefully, you can
   actually hear this code suck. */

/* some explanations (after four different bugs
 * in 3 different releases): If we encounter a
 * parameter, that has not been parsed yet,
 ... [snipped] ....

Great. *yawn*

Update: This order works with 1.2.8:
# iptables -A OUTPUT -m owner \! --uid-owner ljtest -p tcp --dport 11211 -d 127.0.0.1 -j DROP

Update #2: But it can't reload this config later. Filed a bug.
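An added example, not part of the original post: a small check that a ruleset really confines the loopback memcached port to one user, accepting either option order shown above and rejecting a rule that lost its "!" (which would block the one user meant to get through). The function names are hypothetical, the iptables-save style lines are constructed, and treating uid 1033 and "ljtest" as the same account is an assumption taken from the two commands in the post.

```python
import shlex

def parse_rule(line):
    """Map each option in an `-A CHAIN ...` line to (value, negated)."""
    tokens = shlex.split(line)          # also turns the shell-escaped \! into !
    rule, negate, i = {}, False, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":                  # a bare ! negates the option that follows
            negate, i = True, i + 1
        elif tok.startswith("-") and i + 1 < len(tokens):
            rule[tok] = (tokens[i + 1], negate)
            negate, i = False, i + 2
        else:
            i += 1
    return rule

def restricts_port_to(line, port, owner_ids):
    """True if the rule drops local TCP to 127.0.0.1:port for everyone
    except one of owner_ids. Option order does not matter."""
    r = parse_rule(line)
    dst, dst_neg = r.get("-d", ("", False))
    owner, owner_neg = r.get("--uid-owner", ("", False))
    return (
        r.get("-A", ("",))[0] == "OUTPUT"      # chain used in the post
        and r.get("-p") == ("tcp", False)
        and not dst_neg and dst.split("/")[0] == "127.0.0.1"
        and r.get("--dport") == (str(port), False)
        and owner_neg and owner in owner_ids   # must be "! --uid-owner"
        and r.get("-j", ("",))[0] in ("DROP", "REJECT")
    )

def audit(rules_text, port, owner_ids):
    """Return the lines of a ruleset that enforce the restriction."""
    return [l for l in rules_text.splitlines()
            if l.strip() and restricts_port_to(l, port, owner_ids)]

OWNER = {"1033", "ljtest"}   # assumption: both name the same account
# The two orderings from the post, written as rule arguments.
POST_ORDER_1 = r"-A OUTPUT -p tcp -d 127.0.0.1 --dport 11211 -m owner \! --uid-owner 1033 -j DROP"
POST_ORDER_2 = r"-A OUTPUT -m owner \! --uid-owner ljtest -p tcp --dport 11211 -d 127.0.0.1 -j DROP"
# Constructed samples: a saved-ruleset style line, and one missing the "!".
SAVED_OK = "-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 11211 -m owner ! --uid-owner 1033 -j DROP"
SAVED_BAD = "-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 11211 -m owner --uid-owner 1033 -j DROP"

if __name__ == "__main__":
    for hit in audit("\n".join([POST_ORDER_1, POST_ORDER_2, SAVED_OK, SAVED_BAD]), 11211, OWNER):
        print("enforces restriction:", hit)
```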