[TriLUG] Sendmail doesn't send mail on first attempt?...

Daniel Sterling dan at lost-habit.com
Tue Dec 12 16:50:03 EST 2006


Brian Henning wrote:
> iptables doesn't have per-user ability, does it?  I thought it only
> examined packet headers, which I didn't think had any info about the local
> user in them.

iptables has access to any information the kernel has about the packet,
and can indeed route packets based on user id. For example, to set up a
transparent proxy, I've got the following rule:
$ sudo /sbin/iptables -t nat -L
...
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere            ! OWNER UID
match proxy tcp dpt:www redir ports 3128

This redirects port 80 to port 3128 for all packets except packets
generated by the proxy user.

> I can't access a shell from that account (which is sensible)

You should be able to with e.g.

sudo su smmsp -s /bin/bash

-- Dan

> I can, however, telnet to strutmasters.net:25 from a
> standard unprivileged account.

Cool, does this work? Another thing you can do is fire up your favorite
packet sniffer and see what's going out on the wire.

-- Dan
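The rules Dan describes, written out as an added example (this is not code from the original post). The proxy user, port 3128 and the smmsp user come from the thread; the SMTP_OUT chain name and the dry-run wrapper (IPT defaults to echoing the commands, set IPT=iptables and run as root to apply them) are assumptions made for this example. The owner match only works in the OUTPUT and POSTROUTING chains, because only locally generated packets have an owning socket with a UID attached; forwarded packets do not.

```shell
#!/bin/sh
# Added example, not from the original post. IPT defaults to a dry run that
# echoes the iptables commands; set IPT=iptables and run as root to apply.
IPT="${IPT:-echo iptables}"

# Transparent proxy: redirect locally generated TCP/80 to a local port,
# excluding packets owned by the proxy user. Without the exclusion the
# proxy's own upstream fetches on port 80 would be redirected back into
# the proxy, looping forever. Arguments: proxy user (default "proxy"),
# proxy port (default 3128); both names are assumptions.
proxy_redirect_rules() {
    proxy_user="${1:-proxy}"
    proxy_port="${2:-3128}"
    $IPT -t nat -A OUTPUT -p tcp --dport 80 \
        -m owner ! --uid-owner "$proxy_user" \
        -j REDIRECT --to-ports "$proxy_port"
}

# Per-user visibility for the mail question in the thread: send outbound
# SMTP through a dedicated chain, log the packets owned by the sendmail
# submission user (default "smmsp") with a distinct prefix, then accept.
# Watching the kernel log (or the chain's packet counters with
# "iptables -L SMTP_OUT -v") shows whether sendmail is attempting delivery
# at all, separately from a manual telnet test run as another user.
# The chain name SMTP_OUT is an assumption.
smtp_owner_rules() {
    mail_user="${1:-smmsp}"
    $IPT -t filter -N SMTP_OUT 2>/dev/null
    $IPT -t filter -A OUTPUT -p tcp --dport 25 -j SMTP_OUT
    $IPT -t filter -A SMTP_OUT -m owner --uid-owner "$mail_user" \
        -j LOG --log-prefix "smtp-$mail_user: "
    $IPT -t filter -A SMTP_OUT -j ACCEPT
}

# Dry run when executed directly; prints the commands that would be applied.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    proxy_redirect_rules proxy 3128
    smtp_owner_rules smmsp
fi
```

Running the script as-is prints the rules; to apply them, `sudo env IPT=iptables sh script.sh`. The `! --uid-owner` negation goes before the option on current iptables; the listing in the post (`! OWNER UID match proxy`) is how the same rule displays with `-L`.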
