[lug] firewall trickery

Daniel Webb lists at danielwebb.us
Tue Jan 31 09:22:15 MST 2006

Well, I realize the advanced routing list might be a better place for this,
but I'm not a subscriber, so:

Suppose I am port forwarding a bunch of ports to the SSH port using
iptables mangle PREROUTING.  This is done so that each port can be
assigned to a different user, and each user can then have a different
qdisc class for the purposes of bandwidth allocation.

Now I have a problem: how can I prevent users from using other users'
ports since all the ports just forward to ssh?

There are two ways I have thought of, and I don't really know if either
is feasible:

1) Can userspace applications see the fwmark set by iptables?  If so, I
could patch openssh to check that a fwmark is correct during connection

2) Set a fwmark based on PID owner match in the OUTPUT table,
then do something with that.  Here's where I'm over my head again.
The trickiness is due to the way packets traverse the kernel.  PID owner
match only works on outgoing packets (obviously), but the port of the
outgoing packet isn't un-NATed until *after* the mangle POSTROUTING
table.  I know I've read that only some packets go through the nat
POSTROUTING table, maybe just the first packet in a connection?  The
more elegant solution would be to drop packets where owner PID and
outgoing port don't match, but I'm not sure if there's anywhere I can do
that.  Do any un-NATed packets go through the outgoing nat POSTROUTING

I have read all the iptables docs I could find, and I can't find
the answers to:
  * Exactly which packets traverse nat POSTROUTING?
  * Exactly where in the packet traversal diagram is port forwarding

More information about the LUG mailing list