
#1 2016-02-17 19:09:35

msalerno
Member
Registered: 2014-08-15
Posts: 32

Iptables or Proxy or Impossible ?

I have an Arch Linux router with multiple gateways that utilizes policy-based routing to direct traffic. One of the gateways is a VPN that terminates in a different country. I want to watch media streams that are geo-restricted. In order to watch the streams, my connections need to originate in the country that streams the media, hence the VPN. If I direct all traffic through the VPN the streams work perfectly, but then I run into issues where services like YouTube or Netflix restrict access based on the connection origin. If I set up a policy to route the connections destined for an IP that resolves to the domain name of the stream source, it does not work, due to the fact that the browser opens additional connections to connect to the streams, which come from different servers.

Would iptables Conntrack solve this issue?   I'm not sure how related packets are marked.

Thanks


#2 2016-02-17 20:21:06

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Iptables or Proxy or Impossible ?

No, conntrack would not help, because these are separate connections.

A "SOCKS" proxy is your standard answer.

An alternative would be to run your browser as a particular group, and then iptables can identify that group.


#3 2016-02-18 14:31:01

msalerno
Member
Registered: 2014-08-15
Posts: 32

Re: Iptables or Proxy or Impossible ?

Wouldn't a SOCKS proxy redirect all HTTP/HTTPS traffic rather than just the streams that should use the VPN? Also, this is a headless router, so I don't believe setting a group would solve this problem.

I think that the only solution would be to use packet marking. I'm not sure if this is possible in iptables, but I think this may be the only way, especially since it's a set-top box and would only be displaying one thing at a time.

Sorry, this is the only way I can think of to represent my concept.

If (outgoing packet from source IP matches the destination of stream source domain ip) {
  Mark all packets from source to use VPN
}
If (outgoing packet from source IP matches the destination of youtube source domain ip) {
  Mark all packets from source to use standard gw
}
If (outgoing packet from source IP matches the destination of netflix source domain ip) {
  Mark all packets from source to use standard gw
}
...

The above method is far from optimal since I would need to check for each new streaming source although since it's a streaming device it would be possible.

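The packet-marking idea in the post above is exactly what iptables fwmark plus an `ip rule` lookup does; the part that the pseudocode leaves open is how to match the extra CDN hosts the browser connects to. The script below is an added example, not code from the thread or from any of its posters, and uses hypothetical names throughout (LAN bridge `br-lan`, tunnel `tun0` with gateway `10.8.0.1`, routing table 100, mark `0x1`, ipset `vpn_dst`, constructed domains `stream.example.net` and `cdn.example.net`). It fills the ipset from dnsmasq's `ipset=` option, so every address the streaming domains resolve to is matched at lookup time instead of being listed by hand; the first packet of each flow gets the mark, and `CONNMARK` carries it across the rest of the connection. Two facts worth keeping in mind when reading the earlier replies: conntrack's RELATED state only ties together flows a protocol helper understands (FTP data channels and the like), not new TCP connections a page opens to other servers, and the `-m owner` match only applies to locally generated packets in the OUTPUT chain, so neither helps with traffic a router forwards for a set-top box.

```shell
#!/bin/sh
# Added example (not from the thread): route only the destinations of named
# streaming domains through the VPN; everything else keeps the normal gateway.
# All interface, address, table, mark and set names below are assumptions.

LAN_IF=${LAN_IF:-br-lan}      # hypothetical LAN-facing interface
VPN_IF=${VPN_IF:-tun0}        # hypothetical VPN tunnel interface
VPN_GW=${VPN_GW:-10.8.0.1}    # hypothetical gateway inside the tunnel
VPN_TABLE=${VPN_TABLE:-100}   # policy routing table used for marked flows
VPN_MARK=${VPN_MARK:-0x1}     # fwmark that selects that table
VPN_SET=${VPN_SET:-vpn_dst}   # ipset holding resolved streaming addresses
# DRY_RUN=1 (default) prints the commands instead of executing them, so the
# script can be reviewed on a host without iptables/ipset or root.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# dnsmasq lines: every address resolved for these domains is added to the
# ipset, which is what catches the additional CDN hosts the browser opens.
# Usage: dnsmasq_ipset_conf <setname> <domain>...
dnsmasq_ipset_conf() {
    set_name=$1; shift
    for d in "$@"; do
        printf 'ipset=/%s/%s\n' "$d" "$set_name"
    done
}

setup_vpn_policy() {
    # Separate table for marked traffic; the main table keeps the normal default.
    run ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$VPN_TABLE"
    run ip rule add fwmark "$VPN_MARK" lookup "$VPN_TABLE"
    # Strict reverse-path filtering drops replies that arrive on an interface
    # other than the one the main table would use, which is this case: loosen it.
    run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
    run sysctl -w net.ipv4.conf.all.rp_filter=2

    run ipset create "$VPN_SET" hash:ip -exist
    # Order matters: restore a mark already saved on the connection, mark still
    # unmarked flows whose destination is in the set, then save the mark so
    # every later packet of the flow takes the same route.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m mark --mark 0 \
        -m set --match-set "$VPN_SET" dst -j MARK --set-mark "$VPN_MARK"
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --save-mark
    # Source NAT on the tunnel so forwarded LAN traffic uses the VPN address.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

# Stand-alone use: 'sh policy.sh' prints the commands; 'sh policy.sh apply'
# runs them (needs root on the router).
if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
fi
setup_vpn_policy
# dnsmasq fragment to drop into /etc/dnsmasq.d/ (constructed example domains).
dnsmasq_ipset_conf "$VPN_SET" stream.example.net cdn.example.net
```

This only works if the set-top box uses the router's dnsmasq as its resolver, since the set is populated at lookup time; a client that resolves names elsewhere (a hard-coded public resolver, or DNS over HTTPS in the browser) never hits the `ipset=` hook and its flows fall through to the normal gateway. If the VPN client installs its own default route on connect, keep it out of the main table (OpenVPN's `route-nopull`, for instance) or the marking becomes moot because everything already goes through the tunnel.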


Powered by FluxBB