LinuxQuestions.org
Linux - Networking: per user routing (with iptables and iproute2)
https://www.linuxquestions.org/questions/linux-networking-3/per-user-routing-with-iptables-and-iproute2-851622/

humbaba123 12-21-2010 11:58 AM

per user routing (with iptables and iproute2)
 
Hi,

I would like to set up a routing scheme that allows me to route traffic generated by a special user through a different network/network card. I have two network cards (eth0 and eth1), both of which have access to the internet (through a router). The default route goes through eth1, and the traffic of the special user should be routed through eth0.

I have tried the following iptables/iproute2 rules:

iptables -A OUTPUT -t mangle -m owner --uid-owner 1000 -j MARK --set-mark 1
ip rule add fwmark 1 table user1000
ip route add default dev eth0 table user1000
ip route flush cache


This, however, does not work for me. I can ping the router of the network connected to eth0, but I cannot access the internet (through e.g. ping www.google.de or a web browser).

I am a newbie to iptables and iproute2 and am kind of stuck at the moment. I would really appreciate any tips or hints.

Is there maybe another possibility to achieve per user (or per application) routing?

Thanks
Humbaba

nimnull22 12-22-2010 08:35 AM

How many users can simultaneously go online from this Linux box?

humbaba123 12-23-2010 08:33 AM

At the moment it's only two users. But I only want to route the traffic of one special user.

DrLove73 01-10-2011 03:46 PM

You probably need masquerade rules.

If that is not the problem, then use Shorewall in Multi-ISP mode.

dyinman 08-08-2011 05:45 PM

Bump. I've tried about the same thing (marking packets, then using iproute2) but I get the same results. Additionally, pinging an external server works fine... but as soon as I try a traceroute or anything else, it fails. Obviously DNS lookups fail too.

DrLove73 08-09-2011 03:16 PM

What I in essence use with Shorewall is this:

Code:

# Create the custom chain in the nat table (":br0_snat - [0:0]" is the
# iptables-save spelling of the same thing) and hand outbound br0 traffic to it.
iptables -t nat -N br0_snat
iptables -t nat -A POSTROUTING -o br0 -j br0_snat
# Rewrite the source address per local user; conntrack reverses the
# translation on the replies.
iptables -t nat -A br0_snat -m owner --uid-owner jdownloader1 -j SNAT --to-source 192.168.219.115
iptables -t nat -A br0_snat -m owner --uid-owner jdownloader2 -j SNAT --to-source 192.168.219.125
iptables -t nat -A br0_snat -m owner --uid-owner jdownloader3 -j SNAT --to-source 192.168.219.135
iptables -t nat -A br0_snat -m owner --uid-owner jdownloader4 -j SNAT --to-source 192.168.219.145
iptables -t nat -A br0_snat -m owner --uid-owner jdownloader5 -j SNAT --to-source 192.168.219.155

And it is basically all that you should need to redirect traffic to secondary addresses.

Then use routing to redirect traffic that has those IPs as sources. I would recommend using some other box in between for actual routing for an easier setup.

I always used specialized routers, or Shorewall Multi-ISP, not messing with Linux routing manually, so I will not be helping you with the actual routing issue, but most routing issues are created when a packet goes out one way and the reply comes back the other way, so you need to make sure that packets are accepted on the correct interface AND IP. This part is why I suggest Shorewall Multi-ISP, since it deals with replies automatically.
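A complete version of the recipe this thread circles around, as an added example that is not code posted by anyone in the thread: it combines the fwmark approach from the first post, the per-user source-address rewrite from DrLove73's reply, a default route that names the gateway, and the reverse-path setting that lets replies be accepted on the secondary interface. UID 1000, eth0 with address 192.168.0.10 and gateway 192.168.0.1, routing table 100 and firewall mark 1 are placeholder assumptions. The script prints the commands unless DRY_RUN=0 is set, and table_has_gateway is a helper added here to check the text of `ip route show table N` for a default route without a next hop, which on an Ethernet link makes the kernel ARP for every destination, so the directly connected router answers but hosts beyond it do not.

```shell
#!/bin/bash
# Added example, not code from the thread. Per-user policy routing on Linux:
# mark the user's packets, rewrite their source address to the secondary
# interface's address, and send marked traffic through a separate table.
set -eu

: "${DRY_RUN:=1}"   # 1 = print the commands, 0 = execute them (requires root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# peruser_route UID DEV GATEWAY SRC_ADDR TABLE MARK
peruser_route() {
    local uid=$1 dev=$2 gw=$3 src=$4 table=$5 mark=$6

    # 1. Mark locally generated packets owned by the user. mangle OUTPUT runs
    #    after the first routing decision, and a changed mark triggers a reroute.
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$uid" \
        -j MARK --set-mark "$mark"

    # 2. Rewrite the source of marked packets leaving DEV so replies return to
    #    DEV instead of the default interface; conntrack undoes the translation
    #    on the way back in. This is the step missing from the first post.
    run iptables -t nat -A POSTROUTING -o "$dev" -m mark --mark "$mark" \
        -j SNAT --to-source "$src"

    # 3. Marked packets consult TABLE; everything else keeps using main.
    run ip rule add fwmark "$mark" lookup "$table"

    # 4. The default route must name the gateway. "default dev eth0" alone
    #    treats every destination as on-link and ARPs for it, which is why only
    #    the directly connected router can be reached.
    run ip route add default via "$gw" dev "$dev" table "$table"

    # 5. Strict reverse-path filtering would drop replies on DEV because the
    #    main table routes the remote source out the default interface; loose
    #    mode (2) accepts a packet as long as some route to its source exists.
    run sysctl -w "net.ipv4.conf.$dev.rp_filter=2"

    run ip route flush cache
}

# table_has_gateway "$(ip route show table N)" succeeds only if the table's
# default route carries a next hop ("default via ...").
table_has_gateway() {
    printf '%s\n' "$1" | grep -q '^default via '
}

# Placeholder values: UID 1000, eth0 at 192.168.0.10 behind 192.168.0.1,
# routing table 100, firewall mark 1.
peruser_route 1000 eth0 192.168.0.1 192.168.0.10 100 1
```

Two details worth checking on a real box: a table referenced by name (user1000 in the first post) needs a line in /etc/iproute2/rt_tables, whereas a numeric table does not; and the owner match only covers lookups the user's own processes perform, so name resolution handed to a local caching daemon running as a different user still leaves through the default route.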
