IPTables

NotAComputerGuy · 07-27-2013, 03:52 PM

I've tried to read as much as I can about firewalls and I think iptables can do what I want to do.

I want to ensure that transmission doesn't send traffic out through eth0 and only tun0.

I copied the following from a website which was talking about doing what I want to do:

Code:

sudo iptables -A OUTPUT -m owner --uid-owner debian-transmission -d 192.168.0.100 -j ACCEPT

which works, but now I can't connect in to Transmission.

Also, how can I do similar, but use a program name instead of --uid-owner to ensure that Firefox and other programs don't go over the VPN?

Thanks

Ser Olmy · 07-27-2013, 10:16 PM

You can use firewall rules to prevent certain types of traffic from going out a certain interface, but that doesn't mean the packets will be automatically redirected to another interface.

Gateways/interfaces are selected based on information in the routing table, not by firewall rules. What you need is policy routing.

(The iptables "owner" match is deprecated, by the way.)

NotAComputerGuy · 07-28-2013, 02:10 AM

Is that where stuff like:

Code:

route add -net 10.0.0.0 netmask 255.0.0.0 dev tun0

comes into it?

Ser Olmy · 07-28-2013, 06:11 AM

It is, but as you can see, a route command has no reference to origin or type of traffic, just the destination.

route manipulates the main routing table. The ip route command, however, can create a number of alternate routing tables. You can then use iptables to "mark" packets of a certain type, and finally tie it all together by creating an IP rule (with the ip rule command) that says "packets marked with X should be processed by routing table Y".