LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 08-03-2013, 09:44 AM   #16
Ser Olmy (Senior Member; Registered: Jan 2012; Distribution: Slackware; Posts: 3,344)

Quote:
Originally Posted by NotAComputerGuy
Is that about right? Just out of interest, why 55 and why 7?
Yes, that's correct. And the numbers 55 and 7 were chosen at random, they don't mean anything in particular.

Quote:
Originally Posted by NotAComputerGuy
I've followed this guide which gets Deluged to run at the system boot up through /etc/init.d, which works. It has a line in the script which states:
Code:
UMASK=022                     # Change this to 0 if running deluged as its own user
From what I understand, this is like "chmod". I don't understand what this has to do with running Deluged as its own user, as surely it doesn't know who it is going to be run as?
The UMASK variable determines which permission bits to remove relative to 666 (rw-) when creating files, or 777 (rwx) when creating directories.

Deluge (and any other application) will run as the user who starts the executable. If you put a command to run Deluge in an init script, it will run as root (which may not be a very good idea).

There are several ways to run a program as a different user. One is to use the su command:
Code:
su - username -c "command"
Unless you're logged in as root, su will prompt you for the password of the user.

Another way is to change the ownership of the executable (if necessary) and set the SUID bit.
Code:
chown username /usr/local/bin/some_executable
chmod u+s /usr/local/bin/some_executable
Anyone can now run the program as username simply by starting it. This does not work for scripts, however.

There may be other options as well. Some distributions have a program called runuser which works in a similar way to su. The sudo command makes it possible to have a more fine-grained security policy, as you can control who is allowed to run a given executable as a certain user. Finally, the program itself may have a command line switch or configuration option that causes it to change the user it's running as.

Note that all the commands refer to the username, while the iptables rule refers to the UID. You can use the id command to find the UID of a user.
 
Old 08-03-2013, 10:30 AM   #17
NotAComputerGuy (Member; Original Poster; Registered: Jun 2012; Distribution: Linux Mint - Debian Edition; Posts: 349)

Quote:
Originally Posted by NotAComputerGuy
Ok, so deluged is now running as the user 'deluge' with a UID of 108.
Code:
iptables -t mangle -A OUTPUT -m owner --uid-owner 108 -j MARK --set-mark 55
Code:
ip rule add fwmark 55 table 7
Code:
ip route add table 7 0.0.0.0/0 via 192.168.0.1
Thank you for your kind help so far. So I've put those commands in. Is there a way to test it? Also, how should I make these changes permanent as I understand some things reset after a reboot.

Thanks

Last edited by NotAComputerGuy; 08-03-2013 at 11:26 AM. Reason: Tidied up tags and removed needless words
 
Old 08-03-2013, 11:36 AM   #18
Ser Olmy (Senior Member; Registered: Jan 2012; Distribution: Slackware; Posts: 3,344)

Quote:
Originally Posted by NotAComputerGuy
So I've put those commands in. Is there a way to test it?
You could run the traceroute command as the "deluge" user and verify that the packets are routed through the right gateway.
Code:
su deluge -c "traceroute -n 8.8.8.8"
Quote:
Originally Posted by NotAComputerGuy
Also, how should I make these changes permanent as I understand some things reset after a reboot.
Everything gets reset after a reboot, which is why settings are stored in various configuration files and applied by the init system at startup.

I don't know what would be the right file to put these settings in for your distribution, but most distributions have a file called rc.local which is supposed to be the last script to run during init (unless your distribution uses systemd, in which case all bets are off).
 
Old 08-03-2013, 12:19 PM   #19
NotAComputerGuy (Member; Original Poster; Registered: Jun 2012; Distribution: Linux Mint - Debian Edition; Posts: 349)

Quote:
Originally Posted by Ser Olmy
You could run the traceroute command as the "deluge" user and verify that the packets are routed through the right gateway.
Code:
su deluge -c "traceroute -n 8.8.8.8"
Rats. It doesn't work, and I think it's because I used:
Code:
adduser --disabled-password --system --no-create-home deluge
I've set a password for deluge now as root, but it says
Code:
sudo: traceroute -n 8.8.8.8: command not found
but it works fine as me.
 
Old 08-03-2013, 12:34 PM   #20
Ser Olmy (Senior Member; Registered: Jan 2012; Distribution: Slackware; Posts: 3,344)

Could be path related. Try changing -c "traceroute -n 8.8.8.8" to -c "/usr/bin/traceroute -n 8.8.8.8" (or whatever absolute path which traceroute returns).

Or it could be that ordinary users aren't allowed to run traceroute. What are the permissions on the traceroute executable?
 
Old 08-03-2013, 12:39 PM   #21
NotAComputerGuy (Member; Original Poster; Registered: Jun 2012; Distribution: Linux Mint - Debian Edition; Posts: 349)

Quote:
Originally Posted by Ser Olmy
Could be path related. Try changing -c "traceroute -n 8.8.8.8" to -c "/usr/bin/traceroute -n 8.8.8.8" (or whatever absolute path which traceroute returns).

Or it could be that ordinary users aren't allowed to run traceroute. What are the permissions on the traceroute executable?
Code:
lrwxrwxrwx 1 root root 33 May 25 16:32 /usr/sbin/traceroute -> /etc/alternatives/traceroute.sbin
Code:
lrwxrwxrwx 1 root root 22 May 25 16:32 /etc/alternatives/traceroute.sbin -> /usr/bin/traceroute.db
Alas, not working
 
Old 08-03-2013, 12:42 PM   #22
Ser Olmy (Senior Member; Registered: Jan 2012; Distribution: Slackware; Posts: 3,344)

OK, what does ls -l /usr/bin/traceroute.db return? Yet another symlink? (Just how far does the rabbithole go?)
 
Old 08-03-2013, 12:52 PM   #23
NotAComputerGuy (Member; Original Poster; Registered: Jun 2012; Distribution: Linux Mint - Debian Edition; Posts: 349)

Quote:
Originally Posted by Ser Olmy
OK, what does ls -l /usr/bin/traceroute.db return? Yet another symlink? (Just how far does the rabbithole go?)
Apologies, I did check that, it is a 'real' file
Code:
-rwxr-xr-x 1 root root 52992 Jul 11 2012 /usr/bin/traceroute.db
It still returns either:
Code:
su deluge -c "/usr/bin/traceroute.db -n 8.8.8.8"
Password:
and then nothing but a new command line.
Code:
pi@raspbian ~ $ sudo deluge "traceroute -n 8.8.8.8"
sudo: deluge: command not found
Is there a way I can convert the user deluge into a non-system user so I can su into it?
 
Old 08-03-2013, 01:39 PM   #24
Ser Olmy (Senior Member; Registered: Jan 2012; Distribution: Slackware; Posts: 3,344)

Perhaps it would be easier to make a copy of the traceroute.db executable, change the owner to "deluge" and set the suid bit?
Code:
~$ cp /usr/sbin/traceroute traceroute.copy
~$ sudo chown deluge traceroute.copy
~$ sudo chmod u+s traceroute.copy
~$ ./traceroute.copy -n 8.8.8.8
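An added example, not code from the thread, that pulls together the run-as-another-user options from post #16 and the su problem in posts #19 to #24. It rests on an assumption of mine that fits the `adduser --system` call in post #19: on Debian-derived systems that flag gives the account a non-interactive login shell (/usr/sbin/nologin or /bin/false), so `su deluge -c "..."` hands the command to a shell that exits without running anything, which is exactly the "nothing but a new command line" result. Forcing a real shell with `su -s /bin/sh` (or using `sudo -u deluge`) avoids that and also avoids leaving SUID copies of system binaries lying around for testing. The `uid_of`, `run_as` and `mode_with_umask` helpers and the script name `runas-demo.sh` are mine; the umask helper illustrates the 666/777 subtraction described in post #16.

```shell
#!/bin/sh
# Added example (not from the thread): run a command as a service account that
# has a non-interactive login shell, look up its numeric UID for the iptables
# owner match, and show what a umask does to newly created files and dirs.
# Assumption (mine): the account was created with `adduser --system`, so its
# login shell is nologin/false and `su user -c cmd` would silently do nothing.

set -u

# Numeric UID for a user name, as needed by `iptables -m owner --uid-owner`.
# A numeric argument is returned unchanged so callers may pass either form.
uid_of() {
    case "$1" in
        ''|*[!0-9]*) id -u "$1" ;;    # a name: ask the passwd database
        *)           printf '%s\n' "$1" ;;
    esac
}

# Run a shell command line as another user, forcing /bin/sh so the account's
# own login shell (possibly nologin) is never consulted. If we already are
# that user, just run it. Prefers sudo when not root, su when root.
run_as() {
    user=$1; shift
    if [ "$(id -u)" = "$(uid_of "$user")" ]; then
        /bin/sh -c "$*"
    elif [ "$(id -u)" != 0 ] && command -v sudo >/dev/null 2>&1; then
        sudo -u "$user" /bin/sh -c "$*"
    else
        su -s /bin/sh "$user" -c "$*"
    fi
}

# Octal mode a new file ("file") or directory ("dir") gets under a given umask:
# 666 minus the umask bits for files, 777 minus them for directories.
# Runs in a subshell so the caller's umask is left untouched.
mode_with_umask() (
    umask "$1"
    tmp=$(mktemp -d) || exit 1
    if [ "$2" = dir ]; then
        mkdir "$tmp/probe"
    else
        : > "$tmp/probe"
    fi
    stat -c '%a' "$tmp/probe"
    rm -rf "$tmp"
)

# Demonstration when executed directly as runas-demo.sh (names assumed).
if [ "${0##*/}" = "runas-demo.sh" ]; then
    echo "deluge uid: $(uid_of deluge)"
    run_as deluge 'traceroute -n 8.8.8.8'
    echo "umask 022 -> file $(mode_with_umask 022 file), dir $(mode_with_umask 022 dir)"
fi
```

Run it as root from the init script and `run_as deluge ...` needs no password; run it as an ordinary user and sudo's policy decides who may become deluge, which is the fine-grained control post #16 mentions.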
 
Old 08-03-2013, 01:56 PM   #25
NotAComputerGuy (Member; Original Poster; Registered: Jun 2012; Distribution: Linux Mint - Debian Edition; Posts: 349)

Quote:
Originally Posted by Ser Olmy
Perhaps it would be easier to make a copy of the traceroute.db executable, change the owner to "deluge" and set the suid bit?
Code:
~$ cp /usr/sbin/traceroute traceroute.copy
~$ sudo chown deluge traceroute.copy
~$ sudo chmod u+s traceroute.copy
~$ ./traceroute.copy -n 8.8.8.8
That returns
Code:
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
 
Old 08-03-2013, 02:01 PM   #26
Ser Olmy (Senior Member; Registered: Jan 2012; Distribution: Slackware; Posts: 3,344)

Strange. You don't even get a reply from the next-hop router.

What happens if you trace (using the "regular" traceroute executable) the route to one of the BBC servers that you've manually routed via the other gateway?
 
Old 08-03-2013, 02:08 PM   #27
NotAComputerGuy (Member; Original Poster; Registered: Jun 2012; Distribution: Linux Mint - Debian Edition; Posts: 349)

Quote:
Originally Posted by Ser Olmy
Strange. You don't even get a reply from the next-hop router.

What happens if you trace (using the "regular" traceroute executable) the route to one of the BBC servers that you've manually routed via the other gateway?
Code:
traceroute to 212.58.0.0 (212.58.0.0), 30 hops max, 60 byte packets
 1  192.168.0.1 (192.168.0.1)  0.904 ms  0.731 ms  0.516 ms
 2  * * *
 3  02770788.bb.sky.com (2.120.9.128)  17.454 ms  17.211 ms  17.073 ms
 4  te0-6-0-0.er10.thlon.ov.easynet.net (89.200.134.211)  10.549 ms  14.034 ms  13.803 ms
 5  * * *
 6  195.50.122.138 (195.50.122.138)  10.052 ms  15.001 ms  14.706 ms
 7  * * *
 8  ln-col-2-uls-2-2.turktelekom.com.tr (212.156.103.9)  62.535 ms  63.641 ms 212.156.103.125.static.turktelekom.com.tr (212.156.103.125)  69.027 ms
 9  81.212.221.177.static.turktelekom.com.tr (81.212.221.177)  63.203 ms  68.211 ms  70.477 ms
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
 
Old 08-03-2013, 02:19 PM   #28
Ser Olmy (Senior Member; Registered: Jan 2012; Distribution: Slackware; Posts: 3,344)

So at the very least there should have been a response from 192.168.0.1. You should check the alternate routing table (ip route list table 7) and the associated IP rule (ip rule list).
 
Old 08-04-2013, 08:33 PM   #29
eantoranz (Senior Member; Registered: Apr 2003; Location: Costa Rica; Distribution: Kubuntu, Debian, Knoppix; Posts: 2,092; Blog Entries: 1)

the rule makes more sense like this:

Code:
ip route add table 7 default via 192.168.0.1
And yes, it looks ok to me.

Just so that it's clear. You don't have to create a mangle table. netfilter (or iptables, as people usually call it) defines a mangle table on each of the existing chains (input, output, prerouting, forward, postrouting).... I mean, you can name routing table 7 'mangle' if you want to, but it's not directly related to netfilter's mangling table.
 
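An added example, not code from the thread, that turns the three commands from post #17 into a script that can be re-run safely at every boot or interface-up event (from rc.local, an /etc/network/if-up.d/ hook, or a systemd oneshot unit), using the `default via` form from post #29 and ending with the checks post #28 asks for. The interface name eth0, gateway 192.168.0.1, mark 55, table 7 and the user name are taken from the thread or assumed; the `run` helper and the script name `policy-route-user.sh` are mine. The MASQUERADE and rp_filter steps are my additions and not something the thread establishes: on a host whose main default route is a VPN tunnel, the kernel picks the source address in the first routing pass, before the mangle OUTPUT mark is applied and the packet is rerouted, so a marked packet can leave eth0 carrying the tunnel's address, and strict reverse-path filtering on eth0 then drops the replies because the main table says those sources live behind the tunnel. That is one plausible reading of the all-asterisks traceroute in post #25; whether it applies to the poster's box is not shown on the page.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent per-user policy routing.
# Assumptions (mine): LAN interface eth0, gateway 192.168.0.1, mark 55,
# routing table 7, service account "deluge". DRY_RUN=1 prints the commands
# instead of executing them, which is also how the example is exercised here.

set -u

LAN_IF=${LAN_IF:-eth0}
LAN_GW=${LAN_GW:-192.168.0.1}
MARK=${MARK:-55}
TABLE=${TABLE:-7}
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Install mark, rule and route for one user. Each step is guarded with a
# check (-C / grep) or uses "replace", so running it twice adds nothing twice.
apply_policy_routing() {
    user=$1
    uid=$(id -u "$user") || return 1   # iptables wants the number, not the name

    # 1. Mark packets from sockets owned by that uid. mangle/OUTPUT runs after
    #    the first route lookup; iptables then reroutes marked packets.
    if ! iptables -t mangle -C OUTPUT -m owner --uid-owner "$uid" \
            -j MARK --set-mark "$MARK" 2>/dev/null; then
        run iptables -t mangle -A OUTPUT -m owner --uid-owner "$uid" \
            -j MARK --set-mark "$MARK"
    fi
    # 2. Give marked packets leaving the LAN interface the LAN address as source
    #    (the source chosen in the first lookup may be the VPN tunnel's address).
    if ! iptables -t nat -C POSTROUTING -o "$LAN_IF" -m mark --mark "$MARK" \
            -j MASQUERADE 2>/dev/null; then
        run iptables -t nat -A POSTROUTING -o "$LAN_IF" -m mark --mark "$MARK" \
            -j MASQUERADE
    fi
    # 3. Marked packets consult table $TABLE (ip prints the mark in hex) ...
    if ! ip rule list 2>/dev/null | grep -q "fwmark 0x$(printf '%x' "$MARK") lookup $TABLE"; then
        run ip rule add fwmark "$MARK" table "$TABLE"
    fi
    # 4. ... whose only route is the LAN gateway. "replace" is idempotent.
    run ip route replace default via "$LAN_GW" dev "$LAN_IF" table "$TABLE"
    # 5. Loose reverse-path filtering on the LAN interface so replies from hosts
    #    whose main-table route points at the VPN are not dropped on arrival.
    run sysctl -qw "net.ipv4.conf.$LAN_IF.rp_filter=2"
    run ip route flush cache
}

# What to look at when traceroute shows only "* * *": the rule, the table,
# and whether the MARK rule's packet counter moves while the user sends traffic.
show_policy_routing() {
    ip rule list
    ip route list table "$TABLE"
    iptables -t mangle -L OUTPUT -v -n
}

# When executed directly as policy-route-user.sh (name assumed): apply and show.
if [ "${0##*/}" = "policy-route-user.sh" ]; then
    apply_policy_routing "${1:-deluge}"
    show_policy_routing
fi
```

The `-C` checks mean the script is safe to call from a hook that fires on every interface change, and the counters printed by `show_policy_routing` tell you whether the owner match is seeing the service's packets at all, which separates a marking problem from a routing one.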
Old 04-08-2014, 01:18 PM   #30
NotAComputerGuy (Member; Original Poster; Registered: Jun 2012; Distribution: Linux Mint - Debian Edition; Posts: 349)

Quote:
Originally Posted by NotAComputerGuy
As a side question, do most companies and websites have a whole range of IP addresses?

Code:
# Force iPlayer traffic through the local-network
up route add -net 212.58.0.0/16 gw 192.168.0.1
up route add -net 212.62.0.0/16 gw 192.168.0.1

Dragging up an old thread, but how would I achieve this with just a single IP address?

ddclient has the line
Code:
web=myip.dnsomatic.com
At the moment, ddclient sees my VPN address, as my traffic is routed through my VPN. I need to use something like the above to route ddclient's enquiry with myip.dnsomatic.com through my router rather than through my VPN.

Thanks

Last edited by NotAComputerGuy; 04-08-2014 at 01:21 PM. Reason: For clarification
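An added example, not code from the thread, for the single-address case in post #30: instead of an `up route add -net ... gw ...` line covering a whole prefix, resolve the host name when the interface comes up and install one /32 host route per address through the LAN gateway. The gateway 192.168.0.1, the script name `pin-hosts.sh` and the helper names are assumptions of mine. Caveat: a DNS name can resolve to different addresses over time, so the routes are only as current as the last run; if ddclient runs under its own user, the owner-mark method used for deluge earlier in the thread does not depend on the remote address at all.

```shell
#!/bin/sh
# Added example (not from the thread): pin traffic to given host names through
# the LAN gateway with /32 routes, the single-IP counterpart of the
# "up route add -net 212.58.0.0/16 gw 192.168.0.1" lines.
# Assumptions (mine): gateway 192.168.0.1; invoked from /etc/network/interfaces as
#   up /usr/local/sbin/pin-hosts.sh myip.dnsomatic.com
# DRY_RUN=1 prints the commands instead of executing them.

set -u
LAN_GW=${LAN_GW:-192.168.0.1}
DRY_RUN=${DRY_RUN:-0}

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# All IPv4 addresses a name currently resolves to, one per line, deduplicated.
resolve_ipv4() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Apply (or print) one /32 host route per address via the gateway. Anything
# that is not a dotted-quad (e.g. an IPv6 address) is skipped with a warning.
# "replace" is idempotent and also updates a route that pointed elsewhere.
routes_for_addrs() {
    gw=$1; shift
    for addr; do
        case "$addr" in
            ''|*[!0-9.]*) printf 'skipping non-IPv4 address: %s\n' "$addr" >&2; continue ;;
        esac
        run ip route replace "$addr/32" via "$gw"
    done
}

# Resolve each name and route its addresses through the LAN gateway.
pin_hosts_via_lan() {
    for name; do
        addrs=$(resolve_ipv4 "$name")
        [ -n "$addrs" ] || { printf 'no IPv4 address for %s\n' "$name" >&2; continue; }
        # word-splitting on $addrs is intended: one argument per address
        routes_for_addrs "$LAN_GW" $addrs
    done
}

# When executed directly as pin-hosts.sh (name assumed), names come from argv.
if [ "${0##*/}" = "pin-hosts.sh" ]; then
    [ $# -gt 0 ] || { echo "usage: $0 hostname..." >&2; exit 2; }
    pin_hosts_via_lan "$@"
fi
```

Because the check in ddclient is a plain HTTPS fetch of myip.dnsomatic.com, routing that host's addresses via the router is enough for it to see the router's public address; re-run the script whenever the VPN or the LAN interface comes up so the routes are re-created after the tables are reset.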
 
  

