LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 03-01-2010, 06:08 PM   #1
redss
Member
 
Registered: Jun 2003
Posts: 168

Rep: Reputation: 16
Need iptables rule to force outgoing interface


I have 2 network connections (eth0 & rausb0) on my linux server. Both are internet facing.

Eth0 has ip address 192.168.0.10 and is a hardwired to a router connected a cable modem.

Rausb0 has ip address 192.168.1.10 and is wirelessly connected to a different router/access point which has internet through a different cable modem.

The routing table has the default gateway as 192.168.0.1, on interface eth0.

I want to run a socks proxy which will accept connections on eth0, and forward them out of rausb0 for the outgoing connections.

I am using the 3proxy socks proxy (http://3proxy.ru) with the following syntax:

socks -ieth0 -erausb0 -p1080

The syntax for -i and -e (via socks --help) is:
-iIP ip address or internal interface (clients are expected to connect)
-eIP ip address or external interface (outgoing connection will have this)

However, socks proxied connections through port 8083 are being forwarded out of eth0.

I expect there to be an iptables rule (perhaps -j SNAT) that would enforce that these outgoing connections use rausb0.

Please note that I only want the SOCKS PROXY to make outgoing connections on rausb0, but the SSH connections need to use the eth0 as the gateway.

Any ideas?
 
Old 03-01-2010, 06:20 PM   #2
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Quote:
Originally Posted by redss View Post
...
socks -ieth0 -erausb0 -p1080

The syntax for -i and -e (via socks --help) is:
-iIP ip address or internal interface (clients are expected to connect)
-eIP ip address or external interface (outgoing connection will have this)

However, socks proxied connections through port 8083 are being forwarded out of eth0.


Any ideas?

Please tell me, does your proxy send traffic to port 1080, as you asked it to with "-p1080"?
 
Old 03-01-2010, 06:27 PM   #3
troop
Member
 
Registered: Feb 2010
Distribution: gentoo, arch, fedora, freebsd
Posts: 379

Rep: Reputation: 97
ip rule add fwmark 65 table hof
ip route add default via 192.168.1.10 dev tun0 table hof
iptables -t mangle -A PREROUTING -s 192.168.0.10 -p tcp -m tcp --dport 8083 -j MARK --set-mark 65
iptables -t mangle -A OUTPUT -s 192.168.0.10 -p tcp -m tcp --dport 8083 -j MARK --set-mark 65
 
Old 03-01-2010, 06:33 PM   #4
troop
Member
 
Registered: Feb 2010
Distribution: gentoo, arch, fedora, freebsd
Posts: 379

Rep: Reputation: 97
or just "iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 8083 -j ROUTE --oif rausb0"
if patch-o-matic-ng is present
 
Old 03-01-2010, 06:45 PM   #5
redss
Member
 
Registered: Jun 2003
Posts: 168

Original Poster
Rep: Reputation: 16
Thanks for your replies. Sorry for the typo, proxied connections are actually on port 8083, not 1080.

I don't have patch-o-matic-ng installed.

On the first command (ip rule add fwmark 65 table hof), I get
Quote:
Error: argument "hof" is wrong: invalid table ID
Is there a way to do this without installing extensions of some type?
 
Old 03-01-2010, 06:53 PM   #6
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Can you tell me, please, what you want to achieve with the socks proxy?
 
Old 03-01-2010, 06:58 PM   #7
redss
Member
 
Registered: Jun 2003
Posts: 168

Original Poster
Rep: Reputation: 16
Well, essentially what I want is for the socks proxy to send forwarded connections through a different interface than what the OS finds as the first default gateway in the routing table.
 
Old 03-01-2010, 07:15 PM   #8
redss
Member
 
Registered: Jun 2003
Posts: 168

Original Poster
Rep: Reputation: 16
troop: I was able to get the first command to succeed by executing
Quote:
echo 1 hof >> /etc/iproute2/rt_tables
But I'm stumped on the tun0 part of the 2nd command. I tried substituting rausb0 for tun0, but the end result was that it didn't work.

Thanks for the replies, anything further I can try along these lines?
 
Old 03-01-2010, 07:35 PM   #9
devwatchdog
Member
 
Registered: Jan 2010
Posts: 202

Rep: Reputation: 47
redss -- from what I can see, your problem is somewhat similar to this one:

http://www.linuxquestions.org/questi...-links-787973/

The main difference, of course, being you are using a different proxy, but other than that, it looks pretty similar to me.

Check out the thread, and see if that might not provide at least some direction.
 
Old 03-01-2010, 08:43 PM   #10
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
I just want to suggest looking at a normal socks proxy which can send traffic to a different GW.
Because the problem is: your "proxy" has to use a different GW from the default. And that should be stated in its configuration file.
 
Old 03-02-2010, 03:25 PM   #11
redss
Member
 
Registered: Jun 2003
Posts: 168

Original Poster
Rep: Reputation: 16
Thanks everybody for the replies, I will need to read up on iproute2 marking and rerouting, which I know nothing about and won't have time to research today.

nimnull22: I thought I WAS using a socks proxy (3proxy) that can send traffic to a different gateway. If you know of one that does that, let me know.
 
Old 03-02-2010, 05:12 PM   #12
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
You know, I have read through its web site documentation, and did not find anything about routing.
But you have to keep in mind that to establish an outgoing connection to the internet, any program needs to specify a GW.
As long as you have, I suppose, only one GW in your routing table, even if socks sends them to "rausb0", they won't go any farther, because the interface mask is 255.255.255.0, and "rausb0" only knows about its own network, which is 192.168.1.xxx.

From that point you definitely need iproute2, to at least create a two-GW system. You can start from here:
http://lartc.org/howto/

Second question: how to mark connections which should be routed to another GW. You can't use the incoming connection, because it terminates on your socks proxy, and socks will start a new connection from itself to relay requests. You can mark outgoing socks connections only by destination port, because the destination IP and source port can vary. And here there is also a problem, because a socks proxy can connect to any port and any IP; socks can relay not only http.

So I hope our community will give you a suggestion on how to state that everything which comes out of the socks proxy should be routed to another GW. Right now I don't know.

Thanks
 
Old 03-03-2010, 01:34 AM   #13
troop
Member
 
Registered: Feb 2010
Distribution: gentoo, arch, fedora, freebsd
Posts: 379

Rep: Reputation: 97
# mark packets
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 8083 -j MARK --set-mark 65
# marked packets to hof
ip rule add fwmark 65 table hof
# create second GW.
ip route add default dev rausb0 table hof

control with tcpdump and iptables -L -v -n (packets count)
ip route show table hof
ip rule show

Last edited by troop; 03-03-2010 at 02:18 AM.
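The recipe above keys on the proxy's listen port, which, as nimnull22 points out, is not present on the connections the proxy itself opens. Since 3proxy is started with "-erausb0", every outgoing connection it makes carries the source address 192.168.1.10, so the source address is a cleaner selector for the second table and needs no iptables mark at all. The script below is an added example (not troop's commands or anything from 3proxy); it assumes table name "hof" with id 100, the wireless router's address 192.168.1.1 as the rausb0 gateway (the thread never states it), and is idempotent so it can be re-run after a reboot without duplicating the rt_tables entry the way "echo 1 hof >> /etc/iproute2/rt_tables" does.

```shell
#!/bin/sh
# Source-based policy routing for a proxy bound to a second uplink.
# Constructed example for this thread. Assumptions: table "hof" (id 100),
# proxy bind address 192.168.1.10 on rausb0, gateway 192.168.1.1.
# Set IP=echo to dry-run; RT_TABLES can point at a scratch copy for testing.

RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
IP="${IP:-ip}"

# Register "<id> <name>" in rt_tables exactly once. Returns 1 if the id is
# already taken by another name, so a typo cannot silently alias a table.
rt_table_ensure() {
    id="$1"; name="$2"
    if grep -qE "^[[:space:]]*[0-9]+[[:space:]]+$name([[:space:]]|\$)" "$RT_TABLES"; then
        return 0
    fi
    if grep -qE "^[[:space:]]*$id[[:space:]]" "$RT_TABLES"; then
        echo "rt_tables: id $id already used by another table" >&2
        return 1
    fi
    printf '%s\t%s\n' "$id" "$name" >> "$RT_TABLES"
}

# Send everything sourced from the proxy's bind address via the second uplink.
# SSH and other traffic sourced from 192.168.0.10 is untouched and keeps the
# main table's default route through eth0.
policy_route_from() {
    src="$1"; dev="$2"; gw="$3"; table="$4"
    # "replace" and del-then-add keep the script idempotent across re-runs.
    $IP route replace default via "$gw" dev "$dev" table "$table"
    $IP rule del from "$src" lookup "$table" 2>/dev/null || true
    # Priority 1000 sorts before the main table (32766), so it wins.
    $IP rule add from "$src" lookup "$table" priority 1000
}

# The same checks troop recommends: rule order and the contents of the table.
policy_route_show() {
    $IP rule show
    $IP route show table "$1"
}

if [ "${1:-}" = "apply" ]; then
    rt_table_ensure 100 hof
    policy_route_from 192.168.1.10 rausb0 192.168.1.1 hof
    policy_route_show hof
fi
```

Run it as root with "apply"; confirm with tcpdump on rausb0 that the proxy's onward connections leave there while an SSH session still shows up on eth0.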
 