LinuxQuestions.org
Old 03-02-2010, 11:29 PM   #1
xamindar
LQ Newbie
 
Registered: Jun 2004
Location: california
Posts: 3

Rep: Reputation: 0
Send traffic from one application out a specific interface?


I have a server set up with various services and it has two different internet links. One is through eth0 and the other is through eth1.
eth0 is the default route.

I am trying to set up deluge to use ONLY the eth1 interface for all its traffic but I can't seem to get it to work.
I tried following the howto here: http://linux-ip.net/html/adv-multi-internet.html
and just modifying it to my application but it isn't working.

Here is the firewall script I have set up on this machine. Trying to keep it simple right now and will expand it as I set everything up.
Again, I am trying to have everything go out eth0 EXCEPT deluge traffic, which I want to go out (and come back in) eth1. But I must be missing something.
Code:
#!/bin/bash

## Variables applying to the system
IPTABLES='/sbin/iptables'
### Modules needed, just add one per line.
MODULES="ip_tables 
	 iptable_nat
	 ip_nat_ftp
	 ip_conntrack_ftp"
for i in $MODULES;
do 
 echo "Inserting module $i"
 modprobe $i
done

# Flush rules and delete chains
$IPTABLES -F
$IPTABLES -X
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
# Set the default policies for the chains
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

### Set up the firewall rules
# Allow all connections established by me (because default is to drop)
$IPTABLES -t filter -A INPUT -i lo -j ACCEPT
# Allow anything from trusted lan1 to this box
$IPTABLES -t filter -A INPUT -i eth0 -j ACCEPT
# Allow anything from outside of lan2 in if connection is already established 
$IPTABLES -t filter -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

######################################################################
#########The following is for routing to specific interfaces##########
######################################################################
DTABLE=3
STABLE=main
MARK=3

#Create a second routing table with a new default gateway for the second interface (eth1)
ip route flush table $DTABLE
ip route show table $STABLE | grep -Ev '^default' \
  | while read ROUTE ; do
    ip route add table $DTABLE $ROUTE
done

IP1=192.168.1.253 #IP on eth1
P1=192.168.1.254 #Gateway on eth1

ip route add default via $P1 table $DTABLE
ip rule add from $IP1 table $DTABLE
ip rule add fwmark $MARK table $DTABLE


#Mark deluged torrent packets so they will be used by the new routing table
$IPTABLES -t mangle -A OUTPUT -m owner --uid-owner deluge -j MARK --set-mark $MARK

$IPTABLES -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.253


#######################################################################
###############END INTERFACE ROUTING###################################
#######################################################################
I have it create a second routing table and then the iptables rules are supposed to mark it to go out using that routing table. But I must have something wrong here. It seems they go out but can't get back in.
Code:
~ # ip route show table 3
172.16.0.0/24 dev eth0  proto kernel  scope link  src 172.16.0.3  metric 2
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.253  metric 2005
127.0.0.0/8 via 127.0.0.1 dev lo
default via 192.168.1.254 dev eth1
~ # ip route show table main
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.253  metric 2005
172.16.0.0/24 dev eth0  proto kernel  scope link  src 172.16.0.3  metric 2
127.0.0.0/8 via 127.0.0.1 dev lo
default via 172.16.0.1 dev eth0  metric 2
default via 192.168.1.254 dev eth1  metric 2005
Code:
~ # ip rule show
0:      from all lookup local
32764:  from all fwmark 0x3 lookup 3
32765:  from 192.168.1.70 lookup 3
32766:  from all lookup main
32767:  from all lookup default
With all this I'm not quite sure how it all fits together. Could someone help me out here? Thanks in advance.

EDIT: corrected eth1 ip address to current one.

Last edited by xamindar; 03-03-2010 at 07:23 AM.
 
Old 03-03-2010, 04:58 AM   #2
leslieviljoen
LQ Newbie
 
Registered: Sep 2008
Posts: 10

Rep: Reputation: 1
One thing to remember is that Deluge is going to be accepting NEW incoming connections. You need to make sure those new incoming connections are allowed, and are coming in on the right interface.

When you say it is not working, can you be more specific? You should be able to use tcpdump to confirm which interface things are happening on. Try watching a normal conversation with a specific peer over the default gateway and no firewall, then set up your firewall and watch another conversation with a peer to understand what is happening.
 
Old 03-03-2010, 07:21 AM   #3
xamindar
LQ Newbie
 
Registered: Jun 2004
Location: california
Posts: 3

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by leslieviljoen View Post
One thing to remember is that Deluge is going to be accepting NEW incoming connections. You need to make sure those new incoming connections are allowed, and are coming in on the right interface.
I tried removing the default drop clauses in the firewall so there was nothing blocking anything from receiving new connections and it didn't change a thing. Something with the marking is preventing it from working correctly or I am missing something. I can't find any info online on how to really do this so maybe it is impossible.

Code:
$IPTABLES -t mangle -A OUTPUT -m owner --uid-owner deluge -j MARK --set-mark $MARK

$IPTABLES -t nat -A POSTROUTING -o $EVILIF -j SNAT --to-source $IP1
When those lines are removed deluge is able to work again (with the default route on eth0 which is not what I want). I can't believe how hard it is to get one program to use a specific interface. It sounded like an easy thing when I started but turned out the complete opposite.

If I run tcpdump on eth1 I get a lot of this:
Code:
04:16:41.381988 IP 79.103.172.93.22116 > 192.168.1.253.65123: UDP, length 56
04:16:41.415829 IP 81.102.111.72.16005 > 192.168.1.253.candp: Flags [S.], seq 1126976333, ack 4063673460, win 5792, options [mss 1418,sackOK,TS val 3085181774 ecr 2879983,nop,wscale 6], length 0
04:16:41.489227 IP 172.16.0.3.65123 > 58.12.63.253.25359: Flags [S.], seq 4094652537, ack 2584070184, win 5840, options [mss 1460,nop,nop,sackOK], length 0
04:16:41.510773 IP 192.168.1.253.46243 > 62.31.148.26.17773: Flags [S], seq 4243710982, win 5840, options [mss 1460,sackOK,TS val 2881017 ecr 0,nop,wscale 6], length 0
04:16:41.520500 IP 192.168.1.253.45387 > 95.160.214.219.17177: Flags [S], seq 4194907818, win 5840, options [mss 1460,sackOK,TS val 2881018 ecr 0,nop,wscale 6], length 0
04:16:41.553812 ARP, Request who-has 192.168.1.254 (Broadcast) tell 192.168.1.71, length 46
04:16:41.570963 IP 192.168.1.253.35494 > 88.195.83.220.47001: Flags [S], seq 4251066667, win 5840, options [mss 1460,sackOK,TS val 2881023 ecr 0,nop,wscale 6], length 0
But I'm not sure what that means. Looks like it's communicating. In the deluge UI it shows a low number of connections (around 90 out of a possible 400) which constantly fluctuates. It never receives or sends any actual data though. So it seems deluge is trying to establish connections but fails or they time out.
 
Old 03-03-2010, 11:18 AM   #4
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Quote:
Originally Posted by xamindar View Post
...
I am trying to set up deluge to use ONLY the eth1 interface for all its traffic but I can't seem to get it to work.
...

EDIT: corrected eth1 ip address to current one.

Can you tell me, please, which direction of traffic is expected? Outgoing only, or incoming as well?

And another question: does a user "deluge" exist?

Thanks

Last edited by nimnull22; 03-03-2010 at 11:31 AM.
 
Old 03-03-2010, 07:34 PM   #5
xamindar
LQ Newbie
 
Registered: Jun 2004
Location: california
Posts: 3

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by nimnull22 View Post
Can you tell me, please, which direction of traffic is expected? Outgoing only, or incoming as well?

And another question: does a user "deluge" exist?

Thanks
Yes, outgoing and incoming. And yes, the deluge user exists (hence the "-m owner --uid-owner deluge"). The deluged daemon is run under that user. But if there is a better way to mark packets I'm all ears. It doesn't seem to be working this way.
 
Old 09-11-2010, 03:10 PM   #6
ericje
LQ Newbie
 
Registered: Sep 2010
Posts: 1

Rep: Reputation: 0
Quote:
Originally Posted by xamindar View Post
Yes, outgoing and incoming. And yes, the deluge user exists (hence the "-m owner --uid-owner deluge"). The deluged daemon is run under that user. But if there is a better way to mark packets I'm all ears. It doesn't seem to be working this way.
(this reply is a little late, but I found this post with google, and other people might find the following useful too)

Disabling the rp_filter should make it work; I don't see any other issues with your setup. Note that you have to do both 'all' and 'eth1' if you're using 2.6.31+, since they changed the meaning a little bit.
Code:
echo 0 >/proc/sys/net/ipv4/conf/all/rp_filter
echo 0 >/proc/sys/net/ipv4/conf/eth1/rp_filter
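The reason both files matter is that the kernel takes the larger of the two values for the interface, so an audit has to read both before deciding whether eth1 replies will survive source validation. The script below is an added example, not code from the thread; PROC_ROOT is a hypothetical override that lets the check run against a constructed fake directory instead of the live /proc.

```shell
#!/bin/sh
# Added example, not from the thread. Since 2.6.31 the kernel applies
# max(conf/all/rp_filter, conf/<iface>/rp_filter) when validating the source of
# a packet arriving on <iface>, so zeroing only one of the two files changes nothing.
# PROC_ROOT is a hypothetical override so the check can run against a constructed
# directory instead of the live /proc.
PROC_ROOT="${PROC_ROOT:-/proc/sys/net/ipv4}"

# Effective rp_filter mode for an interface: 0 off, 1 strict, 2 loose.
rp_filter_effective() {
    all_val=$(cat "$PROC_ROOT/conf/all/rp_filter")
    if_val=$(cat "$PROC_ROOT/conf/$1/rp_filter")
    if [ "$all_val" -gt "$if_val" ]; then echo "$all_val"; else echo "$if_val"; fi
}

# Succeeds (0) when peers' packets arriving on a non-default-route interface
# pass source validation; fails (1) in strict mode, where the reverse lookup
# in the main table points at the other interface and the packet is dropped.
rp_filter_ok_for_policy_routing() {
    case "$(rp_filter_effective "$1")" in
        1) return 1 ;;  # strict: drops the eth1 replies described in this thread
        *) return 0 ;;  # 0, or 2 (loose: the source only has to be reachable somewhere)
    esac
}

# The two settings from the reply above, as sysctl commands (printed, not run).
rp_filter_fix_commands() {
    printf 'sysctl -w net.ipv4.conf.all.rp_filter=0\n'
    printf 'sysctl -w net.ipv4.conf.%s.rp_filter=0\n' "$1"
}

# Constructed demo: a fake /proc where only the per-interface file was zeroed,
# the half-fix that still leaves eth1 in strict mode.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/conf/all" "$tmp/conf/eth1"
    echo 1 > "$tmp/conf/all/rp_filter"
    echo 0 > "$tmp/conf/eth1/rp_filter"
    PROC_ROOT="$tmp"
    if rp_filter_ok_for_policy_routing eth1; then
        echo "eth1: rp_filter ok"
    else
        echo "eth1: effective rp_filter=$(rp_filter_effective eth1), replies would be dropped; fix:"
        rp_filter_fix_commands eth1
    fi
    rm -rf "$tmp"
}
demo
```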
 
Old 08-08-2011, 07:22 PM   #7
dyinman
LQ Newbie
 
Registered: Aug 2011
Posts: 2

Rep: Reputation: Disabled
Sorry this reply is late, but there's so little current reading out there on how to pull something like this off.

Did you ever get it working?

I have almost the exact same setup, although a little simpler, and I am unable to get it working either.
 
  

