I would like to select a specific network interface for an application, but since that is technically impossible I'm running the wanted application with a custom group and I try to select the network interface for that group, but all the connections go through the default route instead of my selected custom route.
# Create a custom group
groupadd router
# Mark packets sent by processes running as that group
iptables -t mangle -A OUTPUT -m owner --gid-owner router -j MARK --set-xmark 0xa
# NAT marked packets that leave via wlp3s0 (this does not by itself change which interface they leave by)
iptables -t nat -A POSTROUTING -o wlp3s0 -m mark --mark 0xa -j MASQUERADE
# Run some application as that group
su - -g router -c "curl http://www.telize.com/ip"
# Undo all changes
iptables -t mangle -D OUTPUT -m owner --gid-owner router -j MARK --set-xmark 0xa
iptables -t nat -D POSTROUTING -o wlp3s0 -m mark --mark 0xa -j MASQUERADE
groupdel router
Thanks in advance!
Last edited by oilgame (2014-01-25 17:01:18)
You'll need to set up policy based routing with two routing tables.
Some basic advice on how to set up the routing tables can be found here: https://bbs.archlinux.org/viewtopic.php?id=173767
You just need to adapt your rules to define which table should be looked up.
I came up with this, but the second-to-last command gives "RTNETLINK answers: File exists" or "RTNETLINK answers: No such process", and the vpn user's processes don't get any kind of Internet access.
# Mark the vpn user's packets with 42, except those for the LAN
# (the RETURN rule is inserted last, so it sits first in the chain and is matched first)
iptables -t mangle -I OUTPUT -m owner --uid-owner vpn -j MARK --set-mark 42
iptables -t mangle -I OUTPUT -d 192.168.1.0/24 -m owner --uid-owner vpn -j RETURN
# NAT everything that leaves via tun0
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
# Get the VPN's gateway, which is always the first IP of the /24 network
IP=$(ifconfig tun0 | sed -n '2 p' | awk '{print $2}' | awk -F '.' '{print $1"."$2"."$3".1"}')
# Route mark 42 via the VPN using table 42
ip rule add fwmark 42 table 42
ip route add default via "$IP" table 42
# Disable the reverse path filter on tun0
echo 0 > /proc/sys/net/ipv4/conf/tun0/rp_filter
eth0:
ip: 192.168.1.2
netmask: 255.255.255.0
router: 192.168.1.1
tun0 (OpenVPN):
ip: 46.246.49.33 (DHCP)
netmask: 255.255.255.0
router: 46.246.49.1 (Variable, multiple server)
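A complete version of the set-up the earlier reply describes (a second routing table, selected by fwmark) combined with the per-user marking from the script just posted, as an added example that is not code from this thread. It assumes a hypothetical user vpn, VPN interface tun0, LAN 192.168.1.0/24 and mark/table 42 (all overridable through environment variables) and uses a placeholder URL for the "what is my IP" check. It needs root; with DRY_RUN=1 it only prints the commands it would run. Three things differ from the posted script: the LAN exemption is appended before the MARK rule so the order is explicit, the VPN table's default route is a device route (a tun interface is point-to-point, so no gateway address has to be parsed out of ifconfig, which is what produces "No such process" when the guessed .1 address is not reachable), and rp_filter is set to loose (2) on the interface rather than 0, because the kernel applies the maximum of conf/all and the per-interface value.

```shell
#!/bin/sh
# Added example, not code from the thread. Per-user policy routing:
# everything user $VPN_USER sends (except LAN traffic) is marked and routed
# through $VPN_IF via a dedicated routing table; other users keep the
# default route. The values below are hypothetical defaults.
# Needs root. With DRY_RUN=1 the commands are only printed.

VPN_USER=${VPN_USER:-vpn}
VPN_IF=${VPN_IF:-tun0}
LAN=${LAN:-192.168.1.0/24}
MARK=${MARK:-42}
TABLE=${TABLE:-42}
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

vpn_route_up() {
    # Rules are appended (-A), so order matters: LAN traffic must RETURN
    # before the MARK rule, otherwise it would be sent through the VPN too.
    run iptables -t mangle -A OUTPUT -d "$LAN" -m owner --uid-owner "$VPN_USER" -j RETURN
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$VPN_USER" -j MARK --set-mark "$MARK"
    # The source address was chosen by the first routing decision (before the
    # mark existed), so it is the LAN address; rewrite it on the way out.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -m mark --mark "$MARK" -j MASQUERADE
    # Marked packets consult table $TABLE, whose only route is the VPN.
    # A tun device is point-to-point, so a device route needs no gateway.
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route replace default dev "$VPN_IF" table "$TABLE"
    # Replies arrive on $VPN_IF from addresses the main table routes via the
    # LAN; strict reverse-path filtering would drop them. The effective value
    # is max(conf/all, conf/<if>), so 2 (loose) on the interface is enough.
    run sysctl -q -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
}

vpn_route_down() {
    run ip route flush table "$TABLE"
    run ip rule del fwmark "$MARK" table "$TABLE"
    run iptables -t nat -D POSTROUTING -o "$VPN_IF" -m mark --mark "$MARK" -j MASQUERADE
    run iptables -t mangle -D OUTPUT -m owner --uid-owner "$VPN_USER" -j MARK --set-mark "$MARK"
    run iptables -t mangle -D OUTPUT -d "$LAN" -m owner --uid-owner "$VPN_USER" -j RETURN
}

# Compare the public address seen by the VPN user with the one seen by root:
# they should differ once the rules are in place. (Placeholder URL.)
vpn_route_check() {
    run su - "$VPN_USER" -c "curl -s http://example.invalid/ip"
    run curl -s http://example.invalid/ip
}

if [ $# -gt 0 ]; then
    case "$1" in
        up)    vpn_route_up ;;
        down)  vpn_route_down ;;
        check) vpn_route_check ;;
        *)     echo "usage: $0 up|down|check" >&2; exit 2 ;;
    esac
fi
```

Run it as `./vpnroute.sh up` after tun0 is up (for example from an OpenVPN --up script) and `./vpnroute.sh down` when the tunnel closes; `DRY_RUN=1 ./vpnroute.sh up` shows the exact commands first. Note that OpenVPN's own redirect-gateway option rewrites the main table and would send every user through the tunnel, which is the symptom the last post describes, so leave that option off and let the fwmark table carry only the VPN user's traffic.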
I'm also trying to get only one user to use the vpn interface, but have not been successful. When I start openvpn, the traffic of all users goes through tun0, not just the vpnuser.
I followed this guide to create some scripts that are supposed to route all traffic from the vpnuser only via tun0, but it doesn't work.
Last edited by miceagol (2014-02-06 21:09:28)