# [SOLVED] iptables --uid-owner (exempt users)

## Joseph_sys

I'm setting up dansguardian using iptables and I want to exempt two users. I know the general command is:

```
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner EXEMPT_USER -j ACCEPT
```

If I want to exempt two users, do I enter two lines, e.g.:

```
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner joseph -j ACCEPT
```

or can I enter them in one line, separating the users by a comma or a space? e.g.:

```
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root joseph -j ACCEPT
```

Does user "squid" need to be exempted?

*Last edited by Joseph_sys on Sat Jan 16, 2010 8:32 pm; edited 1 time in total*

----------

## causality

It would need to be two separate "iptables" commands, one for each user.  From the iptables man page:

 *Quote:*   

>    owner
> 
>        This  module  attempts to match various characteristics of the packet creator, for locally generated packets. This match is only valid
> 
>        in the OUTPUT and POSTROUTING chains. Forwarded packets do not have any socket associated with them. Packets from  kernel  threads  do
> ...


Commands that can take multiple arguments usually show a syntax more like (making up an example) "--uid-owner username[,username2 ...]".  Had you tried to use the iptables command with "owner" specifying multiple users, it wouldn't harm anything.  It would just complain about invalid syntax and fail with an error message.  When iptables complains about an error (as opposed to a warning) like that, it won't modify the firewall rules at all.

I have not seen your other firewall rules but it sounds like you are denying all outbound traffic by default.  Specifically, it sounds like you have set the policy to DENY for the OUTBOUND chain.  If that's the case, you'll need to add a rule for each user that is allowed to transmit outbound traffic.  The username under which your Squid proxy runs would need its own rule too, or else Squid won't be able to communicate with Web sites.

FYI, if you are denying all outbound traffic by default, you will also need to add rules to allow things like DNS traffic.  These rules can also be user-specific with the "owner" module if you wish.  Without those, your exempted users will not be able to resolve the hostnames of the Web sites you try to reach even though they are allowed to use port 80.  The exact DNS rule(s) you will need depends on how your DNS is set up.  You may also need to know whether Squid is doing all the DNS resolution or whether it is expecting IP addresses from its clients.

----------

## Joseph_sys

 *causality wrote:*   

> [snip]
> 
> I have not seen your other firewall rules but it sounds like you are denying all outbound traffic by default.  Specifically, it sounds like you have set the policy to DENY for the OUTBOUND chain.  If that's the case, you'll need to add a rule for each user that is allowed to transmit outbound traffic.  The username under which your Squid proxy runs would need its own rule too, or else Squid won't be able to communicate with Web sites.
> 
> FYI, if you are denying all outbound traffic by default, you will also need to add rules to allow things like DNS traffic.  These rules can also be user-specific with the "owner" module if you wish.  Without those, your exempted users will not be able to resolve the hostnames of the Web sites you try to reach even though they are allowed to use port 80.  The exact DNS rule(s) you will need depends on how your DNS is set up.


I'm just following an old but good article on how to set up squid + dansguardian + iptables from:

http://www.linux.com/archive/articles/113733

So you are correct; I'll allow squid, root and joseph to be exempt from filtering, and anybody else goes through filtering.

```
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner joseph -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080
```

This machine is not used for surfing the net, but only to allow/accept submitting and/or receiving information from one or two web-sites; so I'll use dansguardian to accomplish this.
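As an added example (not code from this thread, from the linux.com article, or from the dansguardian/squid projects), the following POSIX sh script generates the rule set the thread converges on: one `--uid-owner` rule per exempt user (iptables takes a single user per rule, so a list of users means a loop, as causality says), the `REDIRECT` catch-all for each port placed after those ACCEPT rules, and the per-user DNS rules causality mentions for a default-DROP filter `OUTPUT` chain. It generalizes the thread's rules by giving every exempt user both port 80 and 3128; the proxy port 8080 is taken from the thread, the `dns_rules` function and the user-existence check are my additions. It emits the commands as text instead of running them, so the result can be reviewed and then applied as root (for example `sh gen_rules.sh squid root joseph | sh`). A user that does not exist on the box is skipped with a message rather than written into a rule that iptables would reject, which leaves that account's traffic going through the filter (fail closed).

```shell
#!/bin/sh
# Added example: generate the iptables nat/filter OUTPUT rules for a set of
# exempt users. Nothing here modifies the firewall; it only prints commands.

# Port dansguardian listens on (8080 in the thread).
PROXY_PORT=8080

# True when the account exists, so --uid-owner can resolve it at insert time.
user_exists() {
    id "$1" >/dev/null 2>&1
}

# One ACCEPT rule per exempt user for the given destination port.
# $1 = port, remaining arguments = user names.
exempt_rules() {
    port=$1
    shift
    for u in "$@"; do
        printf 'iptables -t nat -A OUTPUT -p tcp --dport %s -m owner --uid-owner %s -j ACCEPT\n' "$port" "$u"
    done
}

# Catch-all REDIRECT for a port. It must follow the ACCEPT rules: the nat
# OUTPUT chain is walked top to bottom and the first matching rule wins.
redirect_rule() {
    printf 'iptables -t nat -A OUTPUT -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$1" "$PROXY_PORT"
}

# Per-user name-resolution rules in the filter table (UDP and TCP 53), only
# needed when the filter OUTPUT policy is DROP; hypothetical addition.
dns_rules() {
    for u in "$@"; do
        for proto in udp tcp; do
            printf 'iptables -A OUTPUT -p %s --dport 53 -m owner --uid-owner %s -j ACCEPT\n' "$proto" "$u"
        done
    done
}

# Full nat rule set for ports 80 and 3128. Unknown users are reported on
# stderr and dropped from the list instead of producing an invalid rule.
build_ruleset() {
    users=""
    for u in "$@"; do
        if user_exists "$u"; then
            users="$users $u"
        else
            echo "skipping unknown user: $u" >&2
        fi
    done
    for port in 80 3128; do
        # word splitting of $users is intended here
        exempt_rules "$port" $users
        redirect_rule "$port"
    done
}

# Usage: sh gen_rules.sh squid root joseph
if [ "$#" -gt 0 ]; then
    build_ruleset "$@"
fi
```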

----------

