This option is part of an extended packet matching module. You need to
load such modules explicitly (in many cases). Try including "--match
owner" just before the --uid-owner argument. That should load the
appropriate module.

George Toft wrote:
> Your assumption is correct - squid + DansGuardian
>
> I need a little help.
>
> I tried:
> iptables -A OUTPUT -p TCP --dport 80 --uid-owner cff -j REJECT
> and got this error:
> iptables v1.3.3: Unknown arg `--uid-owner'
> Try `iptables -h' or `iptables --help' for more information.
>
> I also tried
> iptables -A OUTPUT -p TCP --dport 80 --uid-owner 1001 -j REJECT
> with the same error.
>
> I looked in the man page, and it looks right to me:
>     --uid-owner userid
>         Matches if the packet was created by a process with the
>         given effective user id.
>
> What did I mess up?
>
> George Toft, CISSP, MSIS
> 623-203-1760
>
> Joshua Zeidner wrote:
>> On 1/21/07, George Toft wrote:
>>
>>> I need to set up a Linux workstation (Computers for Families project)
>>> that filters content. The workstation is an edubuntu install. Users
>>> have a generic login, separate from the admin, and the root account is
>>> locked. I added Squid and DansGuardian, which works perfectly once the
>>> Firefox connection settings are set to 127.0.0.1:8080. Problem is that
>>> any user can override this setting in their local profile.
>>>
>>> Is there an elegant way to prevent a user from changing this setting and
>>> surfing the sites of ill repute?
>>>
>>> Kluge/Hackjob method 1:
>>> I guess I could implement a cronjob that checks to see if firefox has
>>> any established port 80 connections, then kills it. Pretty Draconian,
>>> but it will get the point across. Make pref.js read-only for the user
>>> which restores the proxy settings. Pretty inconvenient for the user :(
>>>
>>> Thoughts?
>>
>> George,
>>
>> I am assuming you are running Squid and DansGuardian as a
>> different user than firefox (if not you should change it). You
>> should set iptables to block all packets with destination other than
>> localhost:8080 from your browser user (use --uid-owner
>> switch). This will also stop them from using other applications to
>> contact internet services of ill repute.
>>
>> -jmz
>>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>

--
-Eric 'shubes'
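
The rule set suggested in the quoted advice, combined with the "--match owner" fix from the reply, as an added example that is not part of the original thread. The function name proxy_lockdown_rules, the default port and the loopback-only proxy address are assumptions; the function only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not apply) iptables rules
# that confine one local user to the filtering proxy on 127.0.0.1.
# Assumptions: Squid/DansGuardian run under a different account than the
# restricted user; IPv4 only (IPv6 needs the same rules in ip6tables).
# Usage: proxy_lockdown_rules cff 8080      # review, then pipe to sh as root

proxy_lockdown_rules() {
    user=$1
    port=${2:-8080}

    # Take a numeric UID as given; otherwise resolve the login name.
    case $user in
        ''|*[!0-9]*)
            uid=$(id -u "$user" 2>/dev/null) || {
                echo "unknown user: $user" >&2
                return 1
            } ;;
        *)  uid=$user ;;
    esac

    # Port must be 1-65535 (at most five digits, digits only).
    case $port in
        ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2
        return 1
    fi

    # "-m owner" loads the owner match; without it iptables rejects
    # --uid-owner as an unknown argument. The match works on locally
    # generated packets, so both rules go in the OUTPUT chain.
    owner="-m owner --uid-owner $uid"

    # Rule 1: the user's TCP connections to the local proxy are allowed.
    echo "iptables -A OUTPUT -o lo -p tcp -d 127.0.0.1 --dport $port $owner -j ACCEPT"
    # Rule 2: everything else the user sends is rejected. Order matters:
    # appended after rule 1, so the proxy exception is evaluated first.
    echo "iptables -A OUTPUT $owner -j REJECT"
}
```

Because rule 2 matches every packet the user sends, any other network service that account needs must get its own ACCEPT rule ahead of it.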