
#1 2014-01-10 15:17:34

oilgame
Member
Registered: 2010-01-19
Posts: 41

Selecting network interface for specific user/group/process

I would like to select a specific network interface for an application, but since that is technically impossible I'm running the wanted application with a custom group and trying to select a network interface for that group, but all the connections go through the default route instead of my selected custom route.

#Create custom group
groupadd router
#Add forwarding for the group 
iptables -t mangle -A OUTPUT -m owner --gid-owner router -j MARK --set-xmark 0xa
iptables -t nat -A POSTROUTING -o wlp3s0 -m mark --mark 0xa -j MASQUERADE
#Run some application as that group
su - -g router  -c "curl http://www.telize.com/ip"
#Delete all changes
iptables -t mangle -D OUTPUT -m owner --gid-owner router -j MARK --set-xmark 0xa
iptables -t nat -D POSTROUTING -o wlp3s0 -m mark --mark 0xa -j MASQUERADE
groupdel router

Thanks in advance!

Last edited by oilgame (2014-01-25 17:01:18)


#2 2014-01-10 15:29:16

teekay
Member
Registered: 2011-10-26
Posts: 271

Re: Selecting network interface for specific user/group/process

You'll need to set up policy based routing with two routing tables.

Some basic advice on how to set up the routing tables can be found here: https://bbs.archlinux.org/viewtopic.php?id=173767
You just need to adapt your rules to define which table should be looked up.


#3 2014-01-25 16:59:54

oilgame
Member
Registered: 2010-01-19
Posts: 41

Re: Selecting network interface for specific user/group/process

I came up with this, but the second to last command gives "RTNETLINK answers: File exists" or "RTNETLINK answers: No such process", and the vpn user's processes don't get any kind of internet.

#Put mark 42 on the vpn user's packets, but leave LAN traffic unmarked
#(-I inserts at the top, so the RETURN rule ends up above the MARK rule)
iptables -t mangle -I OUTPUT -m owner --uid-owner vpn -j MARK --set-mark 42
iptables -t mangle -I OUTPUT -d 192.168.1.0/24 -m owner --uid-owner vpn -j RETURN

#Enable postrouting (the socket chose its source address from the main table before the mark existed, so rewrite it to tun0's address on the way out)
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE

#Get VPN's route, which is always /24 network's first IP
#(ip(8) instead of the deprecated ifconfig; cut strips a /prefix if present)
IP=$(ip -4 -o addr show dev tun0 | awk '{print $4}' | cut -d/ -f1 | awk -F. '{print $1"."$2"."$3".1"}')

#Route mark 42 via VPN using table 42
#("replace" instead of "add" avoids "File exists" on a re-run; "dev tun0" ties the gateway to the tun link)
ip rule add fwmark 42 table 42
ip route replace default via "$IP" dev tun0 table 42

#Disable RP filter (the kernel uses max(all, interface), so setting tun0 alone is not enough if "all" is 1)
sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.tun0.rp_filter=0

eth0:
ip: 192.168.1.2
netmask: 255.255.255.0
router: 192.168.1.1

tun0 (openVPN):
ip: 46.246.49.33 (DHCP)
netmask: 255.255.255.0
router: 46.246.49.1 (Variable, multiple server)


#4 2014-02-06 21:08:53

miceagol
Member
Registered: 2014-02-06
Posts: 1

Re: Selecting network interface for specific user/group/process

I'm also trying to get only one user to use the vpn interface, but have not been successful. When I start openvpn, the traffic of all users goes through tun0, not just the vpnuser.

I followed this guide to create some scripts that are supposed to route all traffic from the vpnuser only via tun0, but it doesn't work.

Last edited by miceagol (2014-02-06 21:09:28)


Powered by FluxBB