netfilter
I want to run a memcached process on a shared server (goathack), listening on 127.0.0.1:11211, but memcached doesn't have any sort of authentication (maybe later), so I have to restrict its access to just connections from the "ljtest" user.
I thought this would be easy with netfilter:
# iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport 11211 -m owner \! --uid-owner 1033 -j DROP
But....
iptables: Invalid argument
So, I find that Debian stable's iptables is old (1.2.6a). I build the latest version and get:
iptables v1.2.8: Unknown arg `--dport'
(but --dport should be loaded implicitly by -p tcp)
So I look at the relevant code and find:
/* If you listen carefully, you can actually hear this code suck. */
/* some explanations (after four different bugs
 * in 3 different releases): If we encounter a
 * parameter, that has not been parsed yet, ... [snipped] ....
Great. *yawn*
Update: This order works with 1.2.8:
# iptables -A OUTPUT -m owner \! --uid-owner ljtest -p tcp --dport 11211 -d 127.0.0.1 -j DROP
Update #2: But it can't reload this config later. Filed a bug.
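Two things worth keeping in mind with this rule: the owner match only works on locally generated packets, which is why it lives in the OUTPUT chain and why it is enough here (every memcached client on the shared server is local), and, given the reload problem from Update #2, it pays to verify that a saved ruleset still carries the DROP before trusting it after a restart. The script below is an added example, not code from the original post. It assumes a Linux host with iptables in PATH and root for the apply step; the check step runs offline on any iptables-save style dump (the test feeds it a constructed one). The uid 1033 is assumed to be ljtest's, as in the post's first attempt; iptables-save writes the numeric uid, so the check accepts either the name or the number.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes iptables in PATH and
# root for apply_lockdown; dump_has_lockdown works on any iptables-save dump.

MEMCACHED_PORT=11211
MEMCACHED_ADDR=127.0.0.1
MEMCACHED_OWNER=ljtest      # assumed: the only user allowed to reach memcached
MEMCACHED_OWNER_UID=1033    # assumed numeric uid of that user

# Rule in the argument order the post found working on 1.2.8:
# owner match first, then the tcp match, then the destination and target.
lockdown_rule_args() {
    printf '%s' "OUTPUT -m owner ! --uid-owner $MEMCACHED_OWNER -p tcp --dport $MEMCACHED_PORT -d $MEMCACHED_ADDR -j DROP"
}

# Idempotent apply: -C succeeds if an identical rule already exists, so the
# rule is appended only when it is missing (safe to run from a boot script).
apply_lockdown() {
    # shellcheck disable=SC2046
    iptables -C $(lockdown_rule_args) 2>/dev/null || iptables -A $(lockdown_rule_args)
}

# Verify that an iptables-save dump (read on stdin) still contains an OUTPUT
# rule dropping non-owner traffic to the memcached port. The match is
# order-independent because iptables-save rewrites rules in its own
# canonical argument order. Exit status 0 means the lockdown is present.
dump_has_lockdown() {
    awk -v port="$MEMCACHED_PORT" -v owner="$MEMCACHED_OWNER" -v uid="$MEMCACHED_OWNER_UID" '
        /^-A OUTPUT/ && /-m owner/ && /! --uid-owner/ && /-j DROP/ {
            if ($0 ~ ("--dport " port) && $0 ~ ("--uid-owner (" owner "|" uid ")")) {
                found = 1
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# Typical use after a reboot or after iptables-restore:
#   iptables-save | dump_has_lockdown || apply_lockdown
```

If the check fails after a restore, that is the Update #2 symptom: the rule was dropped or rejected while reloading, and applying it again is the only safe response, since memcached itself will accept any local connection.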