07-21-2013, 02:13 PM, #1
Member, Registered: Jun 2012, Distribution: Linux Mint - Debian Edition, Posts: 349
Dynamically Selecting What Goes Through OpenVPN?
Is there a relatively easy way of selecting what goes through a VPN and what doesn't? Sometimes I would like my browser traffic to go through a VPN to avoid censorship, but other times I need the security of a 'direct' connection. Also, some applications like Deluge should never go through my VPN and others should only go through a VPN.
Thanks
07-22-2013, 09:54 AM, #2
Senior Member, Registered: Apr 2003, Location: Costa Rica, Distribution: Kubuntu, Debian, Knoppix, Posts: 2,092
I think you should play a little bit with routing (iproute2 stuff + iptables)
08-01-2013, 01:24 PM, #3
Member (Original Poster), Registered: Jun 2012, Distribution: Linux Mint - Debian Edition, Posts: 349
Is there a way to specify specific programs with routing? I don't really have IP addresses to route the traffic to, which is what route seems to consist of.
08-01-2013, 01:37 PM, #4
Senior Member, Registered: Jan 2012, Distribution: Slackware, Posts: 3,348
That's where iptables comes into the picture.
You can route based on other criteria than destination address, although indirectly in some cases. Look into these topics:
- marking packets with iptables using the "mangle" table
- creating alternate routing tables with the ip route command
- creating ip rules with the ip rule command
If you provide a specific scenario, I may be able to come up with an example.
08-01-2013, 01:50 PM, #5
Senior Member, Registered: Apr 2003, Location: Costa Rica, Distribution: Kubuntu, Debian, Knoppix, Posts: 2,092
You can use ports to tell how to route traffic... plus a lot of other criteria. man iptables.
08-01-2013, 02:04 PM, #6
Member (Original Poster), Registered: Jun 2012, Distribution: Linux Mint - Debian Edition, Posts: 349
Quote:
Originally Posted by Ser Olmy
That's where iptables comes into the picture.
You can route based on other criteria than destination address, although indirectly in some cases. Look into these topics:
- marking packets with iptables using the "mangle" table
- creating alternate routing tables with the ip route command
- creating ip rules with the ip rule command
If you provide a specific scenario, I may be able to come up with an example.
Unfortunately the man page for iptables contains lots of jargon for me. Talking about chains, packets, tables, etc.
Scenario: My VPN often uses tun0 or 10.0.0.1 onwards, my normal LAN uses eth0 on 192.168.0.1 (my router). "get_iplayer" won't download over my work's VPN as they're not UK based for their IT centre, so I'd like that to be routed through my normal gateway. Thank you very much. Please do let me know what other information you need.
08-01-2013, 02:30 PM, #7
Senior Member, Registered: Jan 2012, Distribution: Slackware, Posts: 3,348
So your system uses the tun0 interface for all traffic while the VPN connection is active, but you'd like iPlayer to use 192.168.0.1 instead, right?
Since iPlayer is just an application/plugin accessing the BBC media servers, you should in fact be able to do this with simple routing. A quick Google search seems to indicate that the BBC uses the subnets 212.58.0.0/16 and 212.62.0.0/16, so you could try this:
Code:
route add -net 212.58.0.0/16 gw 192.168.0.1
route add -net 212.62.0.0/16 gw 192.168.0.1
08-01-2013, 03:00 PM, #8
Senior Member, Registered: Apr 2003, Location: Costa Rica, Distribution: Kubuntu, Debian, Knoppix, Posts: 2,092
or like this:
Code:
ip route add 212.58.0.0/16 via 192.168.0.1
ip route add 212.62.0.0/16 via 192.168.0.1
Fair enough?
08-01-2013, 11:48 PM, #9
Member (Original Poster), Registered: Jun 2012, Distribution: Linux Mint - Debian Edition, Posts: 349
Whilst that is fantastically simple and helpful, I think that was a bad example as it's limited to a single range of IPs. Let's say Transmission, my BitTorrent client?
As a side question, do most companies and websites have a whole range of IP addresses?
Edit: I've just read that these changes aren't permanent, and to save them following a reboot, I need to add stuff to /etc/network/interfaces. I added this as adapted from here, does it look ok and correct? It doesn't look like it will break my network and leave me without internet?
Code:
# Force iPlayer traffic through the local-network
up route add -net 212.58.0.0/16 gw 192.168.0.1
up route add -net 212.62.0.0/16 gw 192.168.0.1
Last edited by NotAComputerGuy; 08-02-2013 at 12:09 AM.
Reason: Further information request and detail on saving changes
08-02-2013, 08:46 AM, #10
Senior Member, Registered: Apr 2003, Location: Costa Rica, Distribution: Kubuntu, Debian, Knoppix, Posts: 2,092
BitTorrent will probably use a predefined protocol (udp/tcp) and port; you can use that combination to mark it in MANGLE of PREROUTING with iptables and then set a routing rule to route traffic with said mark through GW x.
From the iptables man page:
Code:
MARK
This target is used to set the Netfilter mark value associated with the packet. It can, for example, be used in conjunction with routing based on fwmark (needs iproute2). If you plan on doing so, note that the mark needs to be set in the PREROUTING chain of the mangle table to affect routing. The mark field is 32 bits wide.
08-02-2013, 10:51 AM, #11
Member (Original Poster), Registered: Jun 2012, Distribution: Linux Mint - Debian Edition, Posts: 349
Quote:
Originally Posted by eantoranz
From the iptables man page:
Code:
MARK
This target is used to set the Netfilter mark value associated with the packet. It can, for example, be used in conjunction with routing based on fwmark (needs iproute2). If you plan on doing so, note that the mark needs to be set in the PREROUTING chain of the mangle table to affect routing. The mark field is 32 bits wide.
Individually I understand all but a few of those words. Combine them and I have no idea what it's talking about. I understand from research that data goes in 'packets', and if these packets are numbered then they are TCP; otherwise they arrive when they arrive in no particular order and then it's UDP. I don't know how to tell if a program is TCP or UDP. Depending on what you Google, either TCP or UDP is said to be used for torrents.
08-02-2013, 11:24 AM, #12
Senior Member, Registered: Apr 2003, Location: Costa Rica, Distribution: Kubuntu, Debian, Knoppix, Posts: 2,092
You could set one (or many.... if there is more than one port) rule for UDP and another for TCP so you can cover both types of traffic.
08-02-2013, 11:48 AM, #13
Senior Member, Registered: Jan 2012, Distribution: Slackware, Posts: 3,348
Quote:
Originally Posted by NotAComputerGuy
Individually I understand all but a few of those words. Combine them and I have no idea what it's talking about. I understand from research that data goes in 'packets', and if these packets are numbered then they are TCP; otherwise they arrive when they arrive in no particular order and then it's UDP. I don't know how to tell if a program is TCP or UDP. Depending on what you Google, either TCP or UDP is said to be used for torrents.
Not quite. IP packets contain a header with a source address, a destination address, a protocol type and a few other options. There are a number of IP (sub)protocols (take a look in /etc/protocols for an incomplete list), and the two most popular are TCP and UDP. Another protocol you're probably familiar with is ICMP, used to send Echo Request packets (ping) and those dreaded "destination host unreachable" messages, among other things.
If the IP header identifies the packet as a TCP packet, the IP header will be followed by a TCP header. TCP packets have a source and a destination port, a number between 1 and 65535. TCP-based server applications listen on a specific port, and client requests will also originate from a port, usually more or less randomly selected. UDP works much the same way, but without all the error-detection and retransmission mechanisms found in TCP.
iptables can manipulate packets based on header information. While routing usually deals exclusively with destination addresses, it is possible to set up multiple routing tables and use iptables and ip rule to select the right table based on information in the packet, like source or destination port numbers.
Here's an example that sets up a packet marking rule in the "mangle" table for all packets coming from TCP port 10000, creates an alternate routing table that sends all traffic to 192.168.0.1, and then creates an IP rule directing all marked packets to the alternate table:
Code:
# Mark all packets coming from TCP port 10000. These "marks" exist
# only as labels inside the Linux kernel, and a "mark" by itself
# does nothing. The OUTPUT chain deals with locally generated
# packets.
iptables -t mangle -A OUTPUT -p tcp --sport 10000 -j MARK --set-mark 55
# Create a routing table called "7" directing all packets to
# 192.168.0.1. The table will not be used until an IP rule is
# created.
ip route add table 7 0.0.0.0/0 via 192.168.0.1
# Create an IP rule directing all marked packets to table 7.
ip rule add fwmark 55 table 7
A BitTorrent application is both a server and a client, as BitTorrent is a peer-to-peer protocol. Another thing that complicates the picture is that there is no dedicated "BitTorrent" TCP or UDP port number; it can use ports in the entire port range. It may listen for incoming connections on a specific port, but there's no guarantee that the application will use this port as the source port for all outgoing requests. If it does, then the above example should work if you change the port number to whichever port Transmission is using. If it doesn't, another selection criterion must be used.
It's not possible to filter/select packets based on the name of the process that generated them, and a process name is not unique anyway. It used to be possible to select packets based on the process ID
Code:
iptables -t mangle -A OUTPUT -m owner --pid-owner XXX -j MARK --set-mark 55
This match type is deprecated as it didn't work properly and couldn't be fixed. Besides, the PID of a process will be different each time the application is started, so it wouldn't really be terribly useful anyway.
A possible solution would be to start the application as a different (perhaps dedicated) user and use the "--uid-owner" match:
Code:
iptables -t mangle -A OUTPUT -m owner --uid-owner 2000 -j MARK --set-mark 55
This way, packets from any application started by that particular user will be routed to the alternate gateway.
Last edited by Ser Olmy; 08-02-2013 at 11:50 AM.
08-03-2013, 02:56 AM, #14
Member (Original Poster), Registered: Jun 2012, Distribution: Linux Mint - Debian Edition, Posts: 349
Wow, that is complicated. What would you suggest the best (hardest to mess up) avenue to go down be?
Edit: See below for some form of very newbie newbielike logic.
Last edited by NotAComputerGuy; 08-03-2013 at 09:38 AM.
08-03-2013, 07:02 AM, #15
Member (Original Poster), Registered: Jun 2012, Distribution: Linux Mint - Debian Edition, Posts: 349
Ok, so deluged is now running as the user 'deluge' with a UID of 108.
If I want to mark all packets, TCP or UDP packets owned by deluge, I think I do:
Code:
iptables -t mangle -A OUTPUT -m owner --uid-owner 108 -j MARK --set-mark 55
This marks it to go through the 'mangle' table. So to create a mangle table I need to do this:
Code:
ip rule add fwmark 55 table 7
And then I need to do something with all the traffic sent through that table. Which in my case, I want to go through my local router, and therefore I do this:
Code:
ip route add table 7 0.0.0.0/0 via 192.168.0.1
Does that look right? Is my logic correct?
Last edited by NotAComputerGuy; 08-03-2013 at 09:35 AM.