Hallo all!
BT4 final, trying to set up a firewall to deny DNS leaks when using Tor.
I want to run Tor as user "daemon" and allow only this user to communicate:
iptables --insert OUTPUT --match owner --uid-owner daemon --jump ACCEPT
responded:
iptables: No chain/target/match by that name
I looked around and noticed that in /lib/modules/2.6.30.9/kernel/net/ipv4/netfilter, where the modules for iptables are, there is no ipt_owner.ko module (and some others are missing too, compared to BackTrack 3).
What do I have to do to make "iptables --match owner" work?
Dali
I found out that in the BT4 kernel configuration, compilation of the "match owner" extension for iptables is disabled. (Why?)
After compiling it and running depmod, it is working.
Dali
Because, at a guess, BT isn't meant to be a desktop distro? I don't know.
For those of you trying not to recompile stuff:
You will need to correct the two commands slightly to ensure that they work, but the gist is there. You could also have just done something similar to:
Code:
iptables -A OUTPUT -p tcp -d tornodeip --dport torport -j ACCEPT
iptables -A OUTPUT -j DROP
Technically all of the information lookups should be pushed through Tor - that's what privoxy and the like are for - the only information leaving your machine should be to the tor server and port.
Code:
iptables -A OUTPUT -p tcp --dport 53 -j DROP
iptables -A OUTPUT -p udp --dport 53 -j DROP
Still not underestimating the power...
There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
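The two approaches in this thread (the owner match from the opening post, and the port-53 drop from the reply) fit together into one OUTPUT chain. The script below is an added example, not code posted by anyone in the thread: it assumes Tor runs as user "daemon" (as in the opening post), that the owner match is loadable (ipt_owner.ko as named above, or xt_owner.ko on kernels where it was renamed), and it adds a loopback ACCEPT so local applications can still reach Tor's SOCKS port. The IPT variable lets you dry-run it with IPT="echo iptables" and inspect the rules before touching a live firewall. Rule order matters because iptables stops at the first match: the owner rule must come before the DNS drops, or Tor itself loses the ability to resolve anything.

```shell
#!/bin/sh
# Added example (not from the thread). Builds an OUTPUT chain that lets only
# the Tor user talk to the network and drops plaintext DNS for everyone else.
# Assumptions: Tor runs as $TOR_USER ("daemon" here, as in the thread) and the
# kernel has the iptables owner match (ipt_owner / xt_owner) available.

TOR_USER="${TOR_USER:-daemon}"   # user Tor runs as (assumption from the thread)
IPT="${IPT:-iptables}"           # set IPT="echo iptables" for a dry run

# Returns 0 if the owner match can be used, 1 otherwise. This is the check the
# opening post was missing: the rule fails with "No chain/target/match by that
# name" when the module is absent.
owner_match_available() {
    $IPT -m owner --help >/dev/null 2>&1
}

# Emits (or applies, depending on $IPT) the rules in the order they must be
# evaluated. First match wins, so the Tor user's ACCEPT precedes the drops.
tor_rules() {
    # 1. Tor itself may reach the network (directory servers, guards, bridges).
    $IPT -A OUTPUT -m owner --uid-owner "$TOR_USER" -j ACCEPT
    # 2. Loopback stays open so local clients can reach Tor's SOCKS/DNS ports.
    $IPT -A OUTPUT -o lo -j ACCEPT
    # 3. Plaintext DNS from any other user is the leak; drop both transports.
    $IPT -A OUTPUT -p udp --dport 53 -j DROP
    $IPT -A OUTPUT -p tcp --dport 53 -j DROP
    # 4. Nothing else leaves the box except through Tor.
    $IPT -A OUTPUT -j DROP
}

# Counts the DROP rules produced by a dry run, so the ruleset can be sanity
# checked without root: the expected value for the chain above is 3.
count_drop_rules() {
    IPT="echo iptables" tor_rules | grep -c -- '-j DROP'
}

case "${1:-}" in
    apply)
        if owner_match_available; then
            tor_rules
        else
            echo "iptables owner match not available; load/compile ipt_owner (xt_owner) first" >&2
            exit 1
        fi
        ;;
    *)
        # Default: show what would be applied.
        IPT="echo iptables" tor_rules
        ;;
esac
```

Run it with no argument to print the rules, and with "apply" (as root) once the owner match is loaded; the check in owner_match_available reproduces the failure from the opening post in a way a script can branch on instead of silently leaving the chain half-built.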