Linux - Networking forum, LinuxQuestions.org. This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Is there a relatively easy way of selecting what goes through a VPN and what doesn't? Sometimes I would like my browser traffic to go through a VPN to avoid censorship, but other times I need the security of a 'direct' connection. Also, some applications like Deluge should never go through my VPN, and others should only go through a VPN.
Is there a way to specify specific programs with routing? I don't really have IP addresses to route the traffic to, which seems to be what route works with.
You can route based on other criteria than destination address, although indirectly in some cases. Look into these topics:
marking packets with iptables using the "mangle" table
creating alternate routing tables with the ip route command
creating ip rules with the ip rule command
If you provide a specific scenario, I may be able to come up with an example.
Unfortunately the man page for iptables contains lots of jargon for me, talking about chains, packets, tables, etc.
Scenario: My VPN often uses tun0 or 10.0.0.1 onwards; my normal LAN uses eth0 on 192.168.0.1 (my router). "get_iplayer" won't download over my work's VPN as they're not UK based for their IT centre, so I'd like that to be routed through my normal gateway. Thank you very much. Please do let me know what other information you need.
So your system uses the tun0 interface for all traffic while the VPN connection is active, but you'd like iPlayer to use 192.168.0.1 instead, right?
Since iPlayer is just an application/plugin accessing the BBC media servers, you should in fact be able to do this with simple routing. A quick Google search seems to indicate that the BBC uses the subnets 212.58.0.0/16 and 212.62.0.0/16, so you could try this:
Whilst that is fantastically simple and helpful, I think that was a bad example as it's limited to a single range of IPs. Let's say Transmission, my BitTorrent client?
As a side question, do most companies and websites have a whole range of IP addresses?
Edit: I've just read that these changes aren't permanent, and to save them following a reboot, I need to add stuff to /etc/network/interfaces. I added this, as adapted from here; does it look ok and correct? It doesn't look like it will break my network and leave me without internet?
Code:
# Force iPlayer traffic through the local-network
up route add -net 212.58.0.0/16 gw 192.168.0.1
up route add -net 212.62.0.0/16 gw 192.168.0.1
Last edited by NotAComputerGuy; 08-02-2013 at 12:09 AM.
Reason: Further information request and detail on saving changes
BitTorrent will probably use a predefined protocol (udp/tcp) and port; you can use that combination to mark it in the MANGLE table's PREROUTING chain with iptables and then set a routing rule to route traffic with said mark through gateway x.
From the iptables man page:
Code:
MARK
This target is used to set the Netfilter mark value associated with the packet. It can, for example, be used in conjunction with routing based on fwmark (needs iproute2). If you plan on doing so, note that the mark needs to be set in the PREROUTING chain of the mangle table to affect routing. The mark field is 32 bits wide.
Individually I understand all but a few of those words. Combined, I have no idea what it's talking about. I understand from research that data goes in 'packets', and if these packets are numbered then they are TCP; otherwise they arrive when they arrive, in no particular order, and then it's UDP. I don't know how to tell if a program is TCP or UDP. Depending on what you Google, torrents are said to use either TCP or UDP.
Not quite. IP packets contain a header with a source address, a destination address, a protocol type and a few other options. There are a number of IP (sub)protocols (take a look in /etc/protocols for an incomplete list), and the two most popular are TCP and UDP. Another protocol you're probably familiar with is ICMP, used to send Echo Request packets (ping) and those dreaded "destination host unreachable" messages, among other things.
If the IP header identifies the packet as a TCP packet, the IP header will be followed by a TCP header. TCP packets have a source and a destination port, a number between 1 and 65535. TCP-based server applications listen on a specific port, and client requests will also originate from a port, usually more or less randomly selected. UDP works much the same way, but without all the error-detection and retransmission mechanisms found in TCP.
iptables can manipulate packets based on header information. While routing usually deals exclusively with destination addresses, it is possible to set up multiple routing tables and use iptables and ip rule to select the right table based on information in the packet, like source or destination port numbers.
Here's an example that sets up a packet marking rule in the "mangle" table for all packets coming from TCP port 10000, creates an alternate routing table that sends all traffic to 192.168.0.1, and then creates an IP rule directing all marked packets to the alternate table:
Code:
# Mark all packets coming from TCP port 10000. These "marks" exist
# only as labels inside the Linux kernel, and a "mark" by itself
# does nothing. The OUTPUT chain deals with locally generated
# packets.
iptables -t mangle -A OUTPUT -p tcp --sport 10000 -j MARK --set-mark 55
# Create a routing table called "7" directing all packets to
# 192.168.0.1. The table will not be used until an IP rule is
# created.
ip route add table 7 0.0.0.0/0 via 192.168.0.1
# Create an IP rule directing all marked packets to table 7.
ip rule add fwmark 55 table 7
A BitTorrent application is both a server and a client, as BitTorrent is a peer-to-peer protocol. Another thing that complicates the picture is that there is no dedicated "BitTorrent" TCP or UDP port number; it can use ports in the entire port range. It may listen for incoming connections on a specific port, but there's no guarantee that the application will use this port as the source port for all outgoing requests. If it does, then the above example should work if you change the port number to whichever port Transmission is using. If it doesn't, another selection criterion must be used.
It's not possible to filter/select packets based on the name of the process that generated them, and a process name is not unique anyway. It used to be possible to select packets based on the process ID:
Code:
iptables -t mangle -A OUTPUT -m owner --pid-owner XXX -j MARK --set-mark 55
This match type is deprecated as it didn't work properly and couldn't be fixed. Besides, the PID of a process will be different each time the application is started, so it wouldn't really be terribly useful anyway.
A possible solution would be to start the application as a different (perhaps dedicated) user and use the "--uid-owner" match:
Code:
iptables -t mangle -A OUTPUT -m owner --uid-owner 2000 -j MARK --set-mark 55
This way, packets from any application started by that particular user will be routed to the alternate gateway.
Ok, so deluged is now running as the user 'deluge' with a UID of 108.
If I want to mark all packets, TCP or UDP packets owned by deluge, I think I do:
Code:
iptables -t mangle -A OUTPUT -m owner --uid-owner 108 -j MARK --set-mark 55
This marks it to go through the 'mangle' table. So to create a mangle table I need to do this:
Code:
ip rule add fwmark 55 table 7
And then I need to do something with all the traffic sent through that table. Which in my case, I want to go through my local router, and therefore I do this:
Code:
ip route add table 7 0.0.0.0/0 via 192.168.0.1
Does that look right? Is my logic correct?
Last edited by NotAComputerGuy; 08-03-2013 at 09:35 AM.
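To make the whole procedure from the explanation above (mark in the mangle OUTPUT chain, alternate table, ip rule) and the three commands the last post lists concrete, here is an added example script. It is not from the thread or from any of the posters. It assumes UID 108 for the deluge user, mark 55, table 7, eth0 as the LAN interface with 192.168.0.1 as its gateway, and 192.168.0.50 as this host's own eth0 address (an assumption; read the real one from `ip -4 addr show dev eth0`). It adds two things the three commands alone leave out: an SNAT rule, because the kernel chooses the socket's source address (the tun0 one, while the VPN holds the default route) before the OUTPUT mark is applied and only re-routes afterwards, so replies would otherwise be addressed to the tun0 address; and loose reverse-path filtering on eth0, because replies arrive there from addresses the main table says are reachable via tun0 and strict rp_filter would drop them. By default it only prints the commands (DRY_RUN=1); run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/bash
# Added example (not from the thread): send everything one dedicated user
# transmits via the LAN gateway while the VPN owns the default route.
# Assumed values, change them to match your system:
#   UID 108 (the "deluge" user), mark 55, table 7, LAN interface eth0,
#   LAN gateway 192.168.0.1, this host's own LAN address 192.168.0.50.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 runs them as root.
set -eu

BYPASS_UID=${BYPASS_UID:-108}
FWMARK=${FWMARK:-55}
TABLE=${TABLE:-7}
LAN_IF=${LAN_IF:-eth0}
LAN_GW=${LAN_GW:-192.168.0.1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
LAN_ADDR=${LAN_ADDR:-192.168.0.50}   # assumption; see: ip -4 addr show dev eth0
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

bypass_up() {
    # 1. Label locally generated packets owned by the user. Only the OUTPUT
    #    chain sees them; PREROUTING never handles local traffic.
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$BYPASS_UID" -j MARK --set-mark "$FWMARK"
    # 2. The source address was chosen (from the default route, i.e. tun0)
    #    before the mark existed, so rewrite it to the eth0 address or the
    #    replies never find their way back.
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -m mark --mark "$FWMARK" -j SNAT --to-source "$LAN_ADDR"
    # 3. Alternate table: keep the LAN on-link, send everything else to the router.
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$TABLE"
    run ip route add default via "$LAN_GW" dev "$LAN_IF" table "$TABLE"
    # 4. Consult that table only for marked packets.
    run ip rule add fwmark "$FWMARK" table "$TABLE"
    # 5. Replies come in on eth0 from addresses the main table reaches via
    #    tun0; strict reverse-path filtering would drop them, so use loose mode.
    run sysctl -w "net.ipv4.conf.$LAN_IF.rp_filter=2"
}

bypass_down() {
    run ip rule del fwmark "$FWMARK" table "$TABLE"
    run ip route flush table "$TABLE"
    run iptables -t nat -D POSTROUTING -o "$LAN_IF" -m mark --mark "$FWMARK" -j SNAT --to-source "$LAN_ADDR"
    run iptables -t mangle -D OUTPUT -m owner --uid-owner "$BYPASS_UID" -j MARK --set-mark "$FWMARK"
}

bypass_check() {
    # Ask the kernel which way a marked packet to a public address would go;
    # the answer should name the LAN gateway and eth0, not tun0.
    run ip route get 212.58.0.1 mark "$FWMARK"
    run ip rule show
    run ip route show table "$TABLE"
}

case "${1:-}" in
    up)    bypass_up ;;
    down)  bypass_down ;;
    check) bypass_check ;;
    *)     ;;   # no argument: do nothing, so the file can be sourced safely
esac
```

Usage: `DRY_RUN=0 ./vpn-bypass.sh up` as root after the VPN is up, `./vpn-bypass.sh check` to confirm `ip route get ... mark 55` answers `via 192.168.0.1 dev eth0`, and `DRY_RUN=0 ./vpn-bypass.sh down` to undo. The rules are IPv4 only and, like the commands in the thread, vanish at reboot; call the script from the VPN client's up/down hooks or from /etc/network/interfaces rather than relying on a one-off invocation.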