- 06-29-2009 #1 (Just Joined!)
- Join Date: Jun 2009
- Location: South Central Pennsylvania
- Posts: 3
Redirect DNS by UID
Noob user here. I have a single box on which I just installed Fedora 11. It is used by both adults and children. I would like to use OpenDNS for the kids, but its one-size-fits-all nature can be a pain. Looking through information on iptables, it is my understanding that you can redirect IPs and ports by UID and GroupID. So if I can redirect DNS requests for the kids' logins, it would leave unfiltered resolution for the adults. I have seen single examples of each iptables command parameter, but not any that are "chained" the way I was looking for. And of course my own attempts gave no joy. Can anyone point me in the right direction? Many thanks in advance.
- 06-30-2009 #2
What do you mean with "chained"?
Iptables should be able to do what you want.
HERE is a tutorial for IPTABLES.
- 07-01-2009 #3 (Just Joined!)
- Join Date: Jun 2009
- Location: South Central Pennsylvania
- Posts: 3
Came up with the following, tried variations on a theme, but got the same response:
# iptables -t nat -I PREROUTING -i 0/0 -m owner --gid-owner 1001 -p udp --dport 53 -j DNAT --to-destination 208.67.222.222
iptables: Invalid argument
- 07-01-2009 #4
'-i 0/0' is incorrect. It should be '-i eth0' if the interface you are filtering on is eth0; '-i' is looking for the interface.
I do have another question: what do you expect to resolve by splitting up which DNS server is used?
- 07-01-2009 #5 (Just Joined!)
- Join Date: Jun 2009
- Location: South Central Pennsylvania
- Posts: 3
I thought (incorrectly) that I was filtering the interface ip address, and read that 0/0 was for all ip addresses. As I mentioned in my first post, I am looking to force the children onto OpenDNS where I can filter content, but not have to manually change DNS settings when I use the computer. Thanks for the information. I will give it a whirl.
- 07-02-2009 #6
"-i" = Interface
"-s" = Source port
"-d" = Destination port
This is all listed in the TUTORIAL link I posted for you.
If you are looking to filter content then why not just install a proxy?
- 07-02-2009 #7 (Linux Guru)
- Join Date: Nov 2007
- Posts: 1,695
From the iptables man page:

    owner
        This module attempts to match various characteristics of the packet creator, for locally generated packets. This match is only valid in the OUTPUT and POSTROUTING chains. Forwarded packets do not have any socket associated with them. Packets from kernel threads do have a socket, but usually no owner.

For content filtering, a proxy such as Squid is much more powerful/flexible. You can also find prebuilt virtual machine "appliances" with OS/Squid already configured.
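Putting the man page excerpt into practice, here is an added example that was not posted in the thread: a small POSIX shell script that generates the rules the original poster was after. The owner match goes in the nat table's OUTPUT chain, where the local socket exists, instead of PREROUTING, and the `-i` option is dropped because OUTPUT has no input interface. It assumes the kids' accounts share one numeric primary group (1001, as in the first attempt above) and uses the 208.67.222.222 resolver from that attempt; the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: emit the iptables rules that force DNS
# lookups from one Unix group (e.g. the kids' login group) to OpenDNS, leaving
# every other user's resolution untouched. It prints the rules instead of
# applying them, so they can be reviewed first and then piped to sh as root.

OPENDNS=208.67.222.222   # OpenDNS resolver quoted in the thread

# check_gid GID: accept only a numeric group id (returns 0 if valid, 1 if not).
check_gid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# dns_redirect_rules GID: print the rules for that group, one per line.
dns_redirect_rules() {
    gid=$1
    check_gid "$gid" || { echo "usage: dns_redirect_rules <numeric gid>" >&2; return 1; }
    for proto in udp tcp; do
        # The owner match needs the local socket, which only exists in the
        # OUTPUT and POSTROUTING chains; in PREROUTING the kernel refuses the
        # rule. DNAT is only accepted in the nat table's OUTPUT and PREROUTING
        # chains, so the rule goes in -t nat OUTPUT (no -i there: OUTPUT has
        # no input interface). Connection tracking un-NATs the reply, so the
        # resolver library still sees an answer from the server it asked.
        printf 'iptables -t nat -A OUTPUT -m owner --gid-owner %s -p %s --dport 53 -j DNAT --to-destination %s\n' \
            "$gid" "$proto" "$OPENDNS"
    done
    # Defence in depth in the filter table: filter OUTPUT sees the post-DNAT
    # destination address (-d is an address, not a port), so any port-53
    # packet from the group still bound somewhere other than OpenDNS escaped
    # the DNAT and is rejected.
    for proto in udp tcp; do
        printf 'iptables -A OUTPUT -m owner --gid-owner %s -p %s --dport 53 ! -d %s -j REJECT\n' \
            "$gid" "$proto" "$OPENDNS"
    done
}

# rule_count GID: number of rules the generator emits, for a quick sanity check.
rule_count() {
    dns_redirect_rules "$1" | wc -l | tr -d ' '
}

# Usage: sh dns-redirect.sh 1001            # review the rules
#        sh dns-redirect.sh 1001 | sudo sh  # apply them
if [ -n "${1:-}" ]; then
    dns_redirect_rules "$1"
fi
```

Run it with the group id to review the four rules, then pipe the output to `sudo sh` to apply them. Two caveats: `--gid-owner` matches the group id the process runs under, so it is the kids' primary group that has to be 1001, not a supplementary membership; and the rules only cover port 53 traffic generated on this box, which is exactly the "locally generated packets" case the man page describes, so they do nothing for traffic forwarded from other machines.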