iptables match based on source security context?

Christoph A. casmls at gmail.com
Fri Apr 15 18:50:47 UTC 2011


On 04/15/2011 06:38 PM, Mark Montague wrote:
>  On April 15, 2011 12:16 , "Christoph A." <casmls at gmail.com>  wrote:
>> I'd like to redirect traffic (for transparent proxying) coming from a
>> program running in a sandbox_net_t (or sandbox_web_t) sandbox, but as
>> far as I've seen there is no possibility to match/mark packets based on
>> their local security context origin.
> 
> iptables rules that match packets based on their security contexts is a
> bad idea for several reasons.  For a discussion of these reasons, a list
> of alternative resources, examples, and a netfilter module that will do
> what you're asking for if you decide to ignore the reasons why this is
> bad and do it anyway, see https://github.com/markmont/xt_selinux

Thanks for the URL. I'll use xt_selinux only if there is no other way.


> If at all possible, use the advice Dan already sent:
>> I am not sure about proxying, but you can force all packets from the
>> sandbox to go to a proxy server and block them if they tried to go
>> direct.

How would I force the redirect without xt_selinux?

The rule would look like this:
iptables -t nat -A OUTPUT [-needed match criteria-] -j REDIRECT --to-ports 12345
the only missing part is the match criteria.

(by "redirect traffic" I meant '-j REDIRECT')
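One way to fill in the missing match criteria without xt_selinux, following Dan's "force to the proxy, block direct" advice, is to match on the owner of the socket instead of its SELinux context. This is an added example, not from the thread or from xt_selinux; it assumes the sandboxed program runs under a dedicated UID (placeholder 1500) and that a transparent proxy, running as a different user, listens on a local port (placeholder 12345). The function emits the iptables commands as a dry run so it can be reviewed before being applied.

```shell
#!/bin/sh
# Dry-run generator for the sandbox egress policy. Assumptions (placeholders):
#   $1 = UID the sandboxed program runs as   (constructed value: 1500)
#   $2 = local port of the transparent proxy  (constructed value: 12345)
# The proxy itself must run under a different UID, otherwise its own outbound
# connections would match the owner rules and be rejected as well.
sandbox_proxy_rules() {
    uid="$1"
    port="$2"

    # 1. nat/OUTPUT: rewrite the sandbox's TCP connections to the local proxy.
    #    This is the REDIRECT rule from the thread with "-m owner" as its match.
    echo "iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner $uid -j REDIRECT --to-ports $port"

    # 2. filter/OUTPUT: the only thing the sandbox may reach is the proxy,
    #    which after REDIRECT is 127.0.0.1:$port leaving on loopback.
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -o lo -p tcp --dport $port -j ACCEPT"

    # 3. Everything else from that UID (UDP, DNS, ICMP, non-redirected TCP) is
    #    an attempt to go direct: log it for detection, then reject it.
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -j LOG --log-prefix \"sandbox-direct: \""
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -j REJECT"
}

# Review the generated rules; apply with:  sandbox_proxy_rules 1500 12345 | sh
sandbox_proxy_rules 1500 12345
```

Order matters within filter/OUTPUT: the ACCEPT for the proxy port must precede the REJECT, and the rules are appended (-A), so insert them ahead of any broader ACCEPT already present in that chain.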


