Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.

08-03-2013, 10:44 AM | #16
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348
Quote:
Originally Posted by NotAComputerGuy
Is that about right? Just out of interest, why 55 and why 7?
|
Yes, that's correct. And the numbers 55 and 7 were chosen at random, they don't mean anything in particular.
Quote:
Originally Posted by NotAComputerGuy
I've followed this guide which gets Deluged to run at the system boot up through /etc/init.d, which works. It has a line in the script which states:
Code:
UMASK=022 # Change this to 0 if running deluged as its own user
From what I understand, this is like "chmod". I don't understand what this has to do with running Deluged as its own user, as surely it doesn't know who it is going to be run as?
|
The UMASK variable determines which permission bits to remove relative to 666 (rw-) when creating files, or 777 (rwx) when creating directories.
Deluge (and any other application) will run as the user who starts the executable. If you put a command to run Deluge in an init script, it will run as root (which may not be a very good idea).
There are several ways to run a program as a different user. One is to use the su command:
Code:
su - username -c "command"
Unless you're logged in as root, su will prompt you for the password of the user.
Another way is to change the ownership of the executable (if necessary) and set the SUID bit.
Code:
chown username /usr/local/bin/some_executable
chmod u+s /usr/local/bin/some_executable
Anyone can now run the program as username simply by starting it. This does not work for scripts, however.
There may be other options as well. Some distributions have a program called runuser which works in a similar way to su. The sudo command makes it possible to have a more fine-grained security policy, as you can control who is allowed to run a given executable as a certain user. Finally, the program itself may have a command line switch or configuration option that causes it to change the user it's running as.
Note that all the commands refer to the username, while the iptables rule refers to the UID. You can use the id command to find the UID of a user.
1 members found this post helpful.

08-03-2013, 11:30 AM | #17
Member
Registered: Jun 2012
Distribution: Linux Mint - Debian Edition
Posts: 349
Original Poster
Quote:
Originally Posted by NotAComputerGuy
Ok, so deluged is now running as the user 'deluge' with a UID of 108.
Code:
iptables -t mangle -A OUTPUT -m owner --uid-owner 108 -j MARK --set-mark 55
Code:
ip rule add fwmark 55 table 7
Code:
ip route add table 7 0.0.0.0/0 via 192.168.0.1
|
Thank you for your kind help so far. So I've put those commands in. Is there a way to test it? Also, how should I make these changes permanent as I understand some things reset after a reboot.
Thanks
Last edited by NotAComputerGuy; 08-03-2013 at 12:26 PM.
Reason: Tidied up tags and removed needless words

08-03-2013, 12:36 PM | #18
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348
Quote:
Originally Posted by NotAComputerGuy
So I've put those commands in. Is there a way to test it?
|
You could run the traceroute command as the "deluge" user and verify that the packets are routed through the right gateway.
Code:
su deluge -c "traceroute -n 8.8.8.8"
Quote:
Originally Posted by NotAComputerGuy
Also, how should I make these changes permanent as I understand some things reset after a reboot.
|
Everything gets reset after a reboot, which is why settings are stored in various configuration files and applied by the init system at startup.
I don't know what would be the right file to put these settings in for your distribution, but most distributions have a file called rc.local which is supposed to be the last script to run during init (unless your distribution uses systemd, in which case all bets are off).

08-03-2013, 01:19 PM | #19
Member
Registered: Jun 2012
Distribution: Linux Mint - Debian Edition
Posts: 349
Original Poster
Quote:
Originally Posted by Ser Olmy
You could run the traceroute command as the "deluge" user and verify that the packets are routed through the right gateway.
Code:
su deluge -c "traceroute -n 8.8.8.8"
|
Rats. It doesn't work, and I think it's because I used:
Code:
adduser --disabled-password --system --no-create-home deluge
I've set a password for deluge now as root, but it says
Code:
sudo: traceroute -n 8.8.8.8: command not found
but it works fine as me.

08-03-2013, 01:34 PM | #20
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348
Could be path related. Try changing -c "traceroute -n 8.8.8.8" to -c "/usr/bin/traceroute -n 8.8.8.8" (or whatever absolute path which traceroute returns).
Or it could be that ordinary users aren't allowed to run traceroute. What are the permissions on the traceroute executable?

08-03-2013, 01:39 PM | #21
Member
Registered: Jun 2012
Distribution: Linux Mint - Debian Edition
Posts: 349
Original Poster
Quote:
Originally Posted by Ser Olmy
Could be path related. Try changing -c "traceroute -n 8.8.8.8" to -c "/usr/bin/traceroute -n 8.8.8.8" (or whatever absolute path which traceroute returns).
Or it could be that ordinary users aren't allowed to run traceroute. What are the permissions on the traceroute executable?
|
Code:
lrwxrwxrwx 1 root root 33 May 25 16:32 /usr/sbin/traceroute -> /etc/alternatives/traceroute.sbin
Code:
lrwxrwxrwx 1 root root 22 May 25 16:32 /etc/alternatives/traceroute.sbin -> /usr/bin/traceroute.db
Alas, not working.

08-03-2013, 01:42 PM | #22
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348
OK, what does ls -l /usr/bin/traceroute.db return? Yet another symlink? (Just how far does the rabbit hole go?)

08-03-2013, 01:52 PM | #23
Member
Registered: Jun 2012
Distribution: Linux Mint - Debian Edition
Posts: 349
Original Poster
Quote:
Originally Posted by Ser Olmy
OK, what does ls -l /usr/bin/traceroute.db return? Yet another symlink? (Just how far does the rabbit hole go?)
|
Apologies, I did check that; it is a 'real' file:
Quote:
-rwxr-xr-x 1 root root 52992 Jul 11 2012 /usr/bin/traceroute.db
|
It still returns either:
Code:
su deluge -c "/usr/bin/traceroute.db -n 8.8.8.8"
Password:
and then nothing but a new command line.
Code:
pi@raspbian ~ $ sudo deluge "traceroute -n 8.8.8.8"
sudo: deluge: command not found
Is there a way I can convert the user deluge into a non-system user so I can su into it?

08-03-2013, 02:39 PM | #24
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348
Perhaps it would be easier to make a copy of the traceroute.db executable, change the owner to "deluge" and set the suid bit?
Code:
~$ cp /usr/sbin/traceroute traceroute.copy
~$ sudo chown deluge traceroute.copy
~$ sudo chmod u+s traceroute.copy
~$ ./traceroute.copy -n 8.8.8.8

08-03-2013, 02:56 PM | #25
Member
Registered: Jun 2012
Distribution: Linux Mint - Debian Edition
Posts: 349
Original Poster
Quote:
Originally Posted by Ser Olmy
Perhaps it would be easier to make a copy of the traceroute.db executable, change the owner to "deluge" and set the suid bit?
Code:
~$ cp /usr/sbin/traceroute traceroute.copy
~$ sudo chown deluge traceroute.copy
~$ sudo chmod u+s traceroute.copy
~$ ./traceroute.copy -n 8.8.8.8
|
That returns
Code:
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *

08-03-2013, 03:01 PM | #26
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348
Strange. You don't even get a reply from the next-hop router.
What happens if you trace (using the "regular" traceroute executable) the route to one of the BBC servers that you've manually routed via the other gateway?

08-03-2013, 03:08 PM | #27
Member
Registered: Jun 2012
Distribution: Linux Mint - Debian Edition
Posts: 349
Original Poster
Quote:
Originally Posted by Ser Olmy
Strange. You don't even get a reply from the next-hop router.
What happens if you trace (using the "regular" traceroute executable) the route to one of the BBC servers that you've manually routed via the other gateway?
|
Code:
traceroute to 212.58.0.0 (212.58.0.0), 30 hops max, 60 byte packets
1 192.168.0.1 (192.168.0.1) 0.904 ms 0.731 ms 0.516 ms
2 * * *
3 02770788.bb.sky.com (2.120.9.128) 17.454 ms 17.211 ms 17.073 ms
4 te0-6-0-0.er10.thlon.ov.easynet.net (89.200.134.211) 10.549 ms 14.034 ms 13.803 ms
5 * * *
6 195.50.122.138 (195.50.122.138) 10.052 ms 15.001 ms 14.706 ms
7 * * *
8 ln-col-2-uls-2-2.turktelekom.com.tr (212.156.103.9) 62.535 ms 63.641 ms 212.156.103.125.static.turktelekom.com.tr (212.156.103.125) 69.027 ms
9 81.212.221.177.static.turktelekom.com.tr (81.212.221.177) 63.203 ms 68.211 ms 70.477 ms
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

08-03-2013, 03:19 PM | #28
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348
So at the very least there should have been a response from 192.168.0.1. You should check the alternate routing table (ip route list table 7) and the associated IP rule (ip rule list).
1 members found this post helpful.

08-04-2013, 09:33 PM | #29
Senior Member
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092
The rule makes more sense like this:
Code:
ip route add table 7 default via 192.168.0.1
And yes, it looks ok to me.
Just so that it's clear: you don't have to create a mangle table. netfilter (or iptables, as people usually call it) defines a mangle table on each of the existing chains (input, output, prerouting, forward, postrouting)... I mean, you can name routing table 7 'mangle' if you want to, but it's not directly related to netfilter's mangling table.
1 members found this post helpful.
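The three commands from post #17 form a chain (the owner match sets mark 55 on uid 108's packets, the ip rule sends that fwmark to table 7, and table 7 holds the default route via 192.168.0.1), and posts #28 and #29 say to verify the table and the rule. The script below is an added example, not code from the thread: it parses constructed sample output of `iptables -t mangle -S OUTPUT`, `ip rule list` and `ip route show table all` and checks that each link of the chain agrees with the next, reporting which link is broken (a missing MARK rule, a rule pointing at the wrong table, or a table whose default route goes elsewhere).

```shell
#!/bin/sh
# Consistency check for this thread's per-user policy routing chain:
# iptables owner MARK -> ip rule fwmark -> routing table -> default route.
# Added example, not from the thread. The three variables are CONSTRUCTED samples of
# `iptables -t mangle -S OUTPUT`, `ip rule list` and `ip route show table all`; on a
# live host replace each with the matching $(...) command substitution (iptables needs root).
IPT_OUT='-A OUTPUT -m owner --uid-owner 108 -j MARK --set-xmark 0x37/0xffffffff'
RULE_OUT='32765: from all fwmark 0x37 lookup 7
32766: from all lookup main'
ROUTE_ALL_OUT='default via 192.168.0.1 dev eth0 table 7
default via 10.8.0.1 dev tun0'

# word_after KEY LINE -> the word following "KEY " in LINE, minus any /mask suffix
word_after() { w=${2#*"$1" }; w=${w%% *}; echo "${w%%/*}"; }
# mark_for_uid UID -> decimal mark the mangle OUTPUT chain sets for UID (0x37 -> 55)
mark_for_uid() {
    printf '%s\n' "$IPT_OUT" | while read -r line; do
        case "$line" in
            *"--uid-owner $1 "*--set-*mark*) echo $(($(word_after mark "$line"))) ;;
        esac
    done
}
# table_for_mark MARK -> routing table that the ip rule for that fwmark looks up
table_for_mark() {
    printf '%s\n' "$RULE_OUT" | while read -r line; do
        case "$line" in
            *" fwmark "*" lookup "*) if [ "$(($(word_after fwmark "$line")))" -eq "$1" ]; then word_after lookup "$line"; fi ;;
        esac
    done
}
# default_gw_for_table TABLE -> next hop of that table's default route, if any
default_gw_for_table() {
    printf '%s\n' "$ROUTE_ALL_OUT" | while read -r line; do
        case "$line" in
            "default via "*" table $1"|"default via "*" table $1 "*) word_after via "$line" ;;
        esac
    done
}
# check_uid_route UID GATEWAY -> 0 if the chain ends at GATEWAY, else 1 and the broken link
check_uid_route() {
    mark=$(mark_for_uid "$1")
    [ -n "$mark" ] || { echo "no MARK rule for uid $1 in mangle OUTPUT"; return 1; }
    table=$(table_for_mark "$mark")
    [ -n "$table" ] || { echo "no ip rule for fwmark $mark"; return 1; }
    gw=$(default_gw_for_table "$table")
    [ "$gw" = "$2" ] || { echo "table $table default via '$gw', expected $2"; return 1; }
    echo "uid $1 -> mark $mark -> table $table -> default via $gw"
}
check_uid_route 108 192.168.0.1
```

Note that `iptables -S` prints the mark in hex (`0x37`) while the thread's commands use decimal 55, which is why the script normalises through arithmetic expansion before comparing.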

04-08-2014, 02:18 PM | #30
Member
Registered: Jun 2012
Distribution: Linux Mint - Debian Edition
Posts: 349
Original Poster
Quote:
Originally Posted by NotAComputerGuy
As a side question, do most companies and websites have a whole range of IP addresses?
Code:
# Force iPlayer traffic through the local-network
up route add -net 212.58.0.0/16 gw 192.168.0.1
up route add -net 212.62.0.0/16 gw 192.168.0.1
|
Dragging up an old thread, but how would I achieve this with just a single IP address?
ddclient has the line
Code:
web=myip.dnsomatic.com
At the moment, ddclient sees my VPN address, as my traffic is routed through my VPN. I need to use something like the above to route ddclient's enquiry with myip.dnsomatic.com through my router rather than through my VPN.
Thanks
Last edited by NotAComputerGuy; 04-08-2014 at 02:21 PM.
Reason: For clarification