Gentoo Forums
'Separating 2 gw functionally' problem [SOLVED]
Gentoo Forums Forum Index > Networking & Security
salmonix (Guru; joined 16 Jul 2006; 410 posts)
Posted: Mon Nov 30, 2009 12:10 pm    Post subject: 'Separating 2 gw functionally' problem [SOLVED]

Hi there,
I need some help to solve the following scenario:

Given a PC box with 4 NICs (it is also a router and a firewall). They are:
eth0 - connected directly to the NET via a modem. It gets a dynamic IP from the ISP and is defined as the default gw
eth1 - living on subnet 192.168.5.0, also connected to the NET via a router (simply put), with 192.168.5.1 (the router) defined as the gw for the subnet

The rest of the NICs are other LAN NICs, not important here.

Now, I would like to restrict some applications to listen on eth1 only and do their traffic via that card - something like having 2 default gws: everything related to eth1 should be directed to 192.168.5.1, even if it is about reaching the outer world - e.g. contacting a server out there or opening pages.
All the rest of the apps should use eth0 to reach the net, as normal.
This is the present routing situation:

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.5.0     192.168.5.1     255.255.255.0   UG    0      0        0 eth1
192.168.5.0     *               255.255.255.0   U     0      0        0 eth1
10.99.40.0      *               255.255.255.0   U     0      0        0 eth5
192.168.10.0    *               255.255.255.0   U     0      0        0 pan0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth5
loopback        *               255.0.0.0       U     0      0        0 lo
default         10.99.40.254    0.0.0.0         UG    0      0        0 eth5

_________________
Quis custodiet ipsos, custodes?


Last edited by salmonix on Mon Dec 07, 2009 4:09 pm; edited 1 time in total
luispa (Guru; joined 17 Mar 2006; 359 posts; location: España)
Posted: Tue Dec 01, 2009 7:01 pm

You may try it using the "user id" and iptables mangle.

First, create a secondary routing table:
Code:
# register a second routing table, id 200, under the name MyTable
echo "200 MyTable" >> /etc/iproute2/rt_tables
# the new table needs the directly connected subnet so that 192.168.5.1 is reachable from it
ip route add 192.168.5.0/24 dev eth1 table MyTable
# and its own default route through the eth1 router
ip route add 0.0.0.0/0 via 192.168.5.1 table MyTable


Now, let's say you have a user whose user id is 1500; then you force that each packet generated by such a user will be marked with 1500, and that every packet marked as such has to look first in this second routing table.

Code:
# mark every locally generated packet owned by uid 1500 with fwmark 1500
iptables -A OUTPUT -t mangle -m owner --uid-owner 1500 -j MARK --set-mark 1500
# packets carrying fwmark 1500 consult MyTable before the main table
ip rule add fwmark 1500 table MyTable


BTW, what you want is the option --pid-owner <processid>. I tried it in the past without success. Try it yourself anyway, and report if you have success.

Luis
salmonix (Guru; joined 16 Jul 2006; 410 posts)
Posted: Wed Dec 02, 2009 8:16 am

I'm on it...
_________________
Quis custodiet ipsos, custodes?
salmonix (Guru; joined 16 Jul 2006; 410 posts)
Posted: Mon Dec 07, 2009 4:08 pm

The solutions are described here:
http://linux-ip.net/html/adv-multi-internet.html
http://www.linuxquestions.org/questions/linux-networking-3/iptablesmarking-ip-rule-add-fwmark-1-table-200-ip-route-add-via-gw-table-200-500369/
And most probably this:
http://lartc.org/howto/lartc.netfilter.html

I think luispa's problem is using the wrong chain: it should be PREROUTING instead of OUTPUT.
_________________
Quis custodiet ipsos, custodes?
luispa (Guru; joined 17 Mar 2006; 359 posts; location: España)
Posted: Tue Dec 08, 2009 9:53 am

Hi, the problem I had was with "-m owner --pid-owner <n>" not working. Long ago I tried it without success, no matter which CHAIN.

I've re-tried today but have seen that this option has been removed from iptables.

Luis
salmonix (Guru; joined 16 Jul 2006; 410 posts)
Posted: Tue Dec 08, 2009 12:54 pm

luispa wrote:
Hi, the problem I had was with "-m owner --pid-owner <n>" not working. Long ago I tried it without success, no matter which CHAIN.

I've re-tried today but have seen that this option has been removed from iptables.

Luis


Its man page states that -m owner --uid-owner etc. are valid in the OUTPUT chain only, and I see the 'owner' extension option in menuconfig - probably you have to explicitly mark it (2.6.2x kernel I use) and recompile the kernel. It is there, at least for me.

The ideas above work partially; at least outgoing traffic is now routed to the desired destination. Unfortunately it is in the OUTPUT chain and thus its source IP is set to the main table default gw - so the packets go out one direction and would come back on another, which is silly, since the apps are watching the output NIC only. (Checked with iptraf)
_________________
Quis custodiet ipsos, custodes?
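The source-address symptom salmonix reports above is the usual snag with luispa's mark-based recipe: by the time the mangle OUTPUT hook sets the mark, the kernel has already picked the source address from the main table, and the MARK-triggered re-route keeps it. The script below is an added example for this thread, not the posters' own commands; it puts the table, rule and owner mark from the earlier post together with a source NAT for the marked packets on eth1, and assumes (constructed values) uid 1500 as the restricted user, eth1 at 192.168.5.10/24 and 192.168.5.1 as its gateway.

```sh
#!/bin/sh
# Added example, not from the thread. Per-user policy routing out eth1 plus the
# fix for the wrong source address: SNAT the marked packets to eth1's own IP.
# Constructed assumptions, change for your box: uid 1500 is the restricted user,
# eth1 is 192.168.5.10/24 and its gateway is 192.168.5.1.
ROUTED_UID=1500
TABLE_NAME=MyTable
TABLE_ID=200
DEV=eth1
GW=192.168.5.1
SRC_IP=192.168.5.10

# Emit the command sequence so it can be reviewed before it touches the box.
# Arguments: uid table-name table-id device gateway device-address
#  - the rule gets priority 1000 so it is consulted before "main" (32766)
#  - "src" on the routes only helps lookups done before the mark exists; the
#    re-routed packet keeps its address, hence the SNAT line in nat/POSTROUTING
#  - rp_filter=2 (loose) on the device: in strict mode (1) replies from Internet
#    hosts arriving on eth1 fail the reverse-path check, because the main table
#    would send those hosts out the default interface (old kernels knowing only
#    0/1 need 0 here)
build_cmds() {
    uid=$1 table=$2 tid=$3 dev=$4 gw=$5 src=$6
    cat <<EOF
grep -q "^$tid $table\$" /etc/iproute2/rt_tables || echo "$tid $table" >> /etc/iproute2/rt_tables
ip route replace 192.168.5.0/24 dev $dev src $src table $table
ip route replace default via $gw dev $dev src $src table $table
ip rule add fwmark $uid lookup $table priority 1000
iptables -t mangle -A OUTPUT -m owner --uid-owner $uid -j MARK --set-mark $uid
iptables -t nat -A POSTROUTING -o $dev -m mark --mark $uid -j SNAT --to-source $src
sysctl -w net.ipv4.conf.$dev.rp_filter=2
EOF
}

# Print the plan by default; "--apply" runs it (as root) and stops at the first error.
if [ "${1:-}" = "--apply" ]; then
    build_cmds "$ROUTED_UID" "$TABLE_NAME" "$TABLE_ID" "$DEV" "$GW" "$SRC_IP" | sh -e
else
    build_cmds "$ROUTED_UID" "$TABLE_NAME" "$TABLE_ID" "$DEV" "$GW" "$SRC_IP"
fi
```

After applying, `ip route get 8.8.8.8 mark 1500` should show the eth1 gateway and `ip route get 8.8.8.8` the normal default, and iptraf on eth1 should now show the 192.168.5.10 source on the restricted user's connections.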