per user routing (with iptables and iproute2)

humbaba123 · 12-21-2010, 11:58 AM

Hi,

I would like to set up a routing scheme, that allows to route traffic generated by a special user through a different network/network card. I have two network cards (eth0 and eth1), both of which have access to the internet (through a router). The default route goes through eth1 and the traffic of the special user should be routed through eth0.

I have tried the following iptables/iproute2 rules:

iptables -A OUTPUT -t mangle -m owner --uid-owner 1000 -j MARK --set-mark 1
ip rule add fwmark 1 table user1000
ip route add default dev eth0 table user1000
ip route flush cache

This however does not work for me. I can ping the router of the network connected to eth0, but i cannot access the internet (through e.g. ping www.google.de or a webbrowser).

I am a newbie to iptables and iproute2 and am kind of stuck at the moment. I would really appreciate any tips or hits.

Is there maybe another possibility to achieve per user (or per application) routing?

Thanks
Humbaba

nimnull22 · 12-22-2010, 08:35 AM

How many users can simultaneously go online from this Linux box?

humbaba123 · 12-23-2010, 08:33 AM

At the moment its only two users. But, i only want to route the traffic of one special user.

DrLove73 · 01-10-2011, 03:46 PM

You probably need masquerade rules.

If that is not the problem, then use Shorewall in Multy-ISP mode.

dyinman · 08-08-2011, 05:45 PM

Bump. I've tried about the same thing (marking packets, then using iproute2) but I get the same results. Additionally, pinging an external server works fine... but as soon as I try a traceroute or anything else, it fails. Obviously DNS lookups fail too.

DrLove73 · 08-09-2011, 03:16 PM

What I in esence use with Shorewall is this:

Code:

:br0_snat - [0:0]
iptables -A POSTROUTING -o br0 -j br0_snat 
iptables -A br0_snat -m owner --uid-owner jdownloader1 -j SNAT --to-source 192.168.219.115 
iptables -A br0_snat -m owner --uid-owner jdownloader2 -j SNAT --to-source 192.168.219.125 
iptables -A br0_snat -m owner --uid-owner jdownloader3 -j SNAT --to-source 192.168.219.135 
iptables -A br0_snat -m owner --uid-owner jdownloader4 -j SNAT --to-source 192.168.219.145 
iptables -A br0_snat -m owner --uid-owner jdownloader5 -j SNAT --to-source 192.168.219.155

And it is basically all that you should need to redirect traffic to secondary addresses.

Then use routing to redirect traffic that has those IP's as sources. I would recommend using some other box in between for actual routing for easier setup.

I always used specialized routers, or Shorewall Multi-ISP, not messing with Linux routing manualy so I will not be helping you with actual routing issue, but most of the routing issues is created when packet goes out one way and reply comes back the other way, so you need to make sure that packets are accepted on the correct interface AND IP. This part is why I suggest Shorewall Multi-ISP, since it deals with replies automaticaly.