LinuxQuestions.org > Linux - Networking > Per application routing (https://www.linuxquestions.org/questions/linux-networking-3/per-application-routing-538288/)

das_Schaf 03-17-2007 11:17 AM

Per application routing
 
In a nutshell:

I have two interfaces connected to two different networks.
Both networks are connected to the internet.
Now I want to force the traffic of a single program through one of the two interfaces and route any other traffic through the other one.
I'm pretty sure this is possible, however I failed to find any way of doing this.


To clarify:

if1 is connected to lan1, if2 is connected to lan2.
Both lan1 and lan2 are connected to gateways that are connected to the internet.
appA is supposed to access the internet through lan1. Thus its traffic is supposed to be sent out through if1 and routed through lan1's gateway.
app* (where * == \w && * != A) is supposed to access the internet through lan2. Traffic is sent out through if2.

I thought of something similar to proxychains, which allows you to send an application's traffic through a specific proxy. Is there anything similar out there? Or is there some other possible way?

Thanks in advance!

acid_kewpie 03-17-2007 01:07 PM

You need to tell us more about these apps.. there are dozens of ways to distinguish one app from another, primarily port numbers....

osor 03-17-2007 02:02 PM

Quote:

Originally Posted by acid_kewpie
You need to tell us more about these apps.. there are dozens of ways to distinguish one app from another, primarily port numbers....

The most basic method of doing this would be to match the pid of the process or, to simplify, run as a specific user and match the uid (this can be done with the owner module for netfilter). You can then proceed in two manners, the first, and more crude, is to use the aforementioned iptables “owner” matching module with the “ROUTE” target. The second method is more elegant (IMHO), and you would use the same “owner” module as before, except now, use netfilter’s “MARK” functionality to mark the packets with whatever custom mark you wish to use. The marked packets will couple nicely with iproute2 and friends.

Also, if you have not already read this yet, I suggest you do so to get a basic dual-uplink network setup.

das_Schaf 03-17-2007 07:16 PM

Thanks to both of you!
@acid_kewpie: Yes, I'm sure there are many ways. However ports are unfortunately not an option to me.

I took osor's advice and created a user to run appA. Thereupon I spent a few hours finding out that ROUTE is not a standard target, patching the kernel, compiling it, booting it, patching iptables and getting it to recompile under Gentoo.
So far everything went quite smoothly.
I agree with you that the second option would be more classy - however it would be kind of overkill for my purposes. That's why I stuck with the ROUTE target. I tried to find out about the syntax... And I thought I managed to understand everything (I'm quite new to iptables. Or let's say - quite new to anything that is not done with -j DROP).

So this is what my rule looks like:

iptables -A PREROUTING -t mangle -m owner --uid-owner 1001 -j ROUTE --gw 192.168.0.1


I decided to use the gateway to specify the route. Of course the interface should work as well.
However iptables returns:
iptables: Invalid argument

This is where the fun starts. I tried about everything and it won't change.
Therefore I've come to the point where I expect some really stupid mistake in there. Could one of the kind guys out there please guide me towards my mistake?

Thanks!

osor 03-17-2007 08:57 PM

Quote:

Originally Posted by das_Schaf
Therefore I've come to the point where I expect some really stupid mistake in there. Could one of the kind guys out there please guide me towards my mistake?

IIRC, the owner module is only usable in an OUTPUT chain.

das_Schaf 03-18-2007 01:27 PM

Quote:

Originally Posted by osor
IIRC, the owner module is only usable in an OUTPUT chain.

Yes, that was the problem. Thanks a lot! Works like a charm now.
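
Putting osor's MARK suggestion together with the OUTPUT-chain point that resolved the thread, here is an added example (not code from the thread or any of its posters) of the "elegant" variant: mark packets owned by appA's uid in the mangle OUTPUT chain and let iproute2 send them via lan1's gateway, without the out-of-tree ROUTE target. The interface name, if1's own address, the mark value and the table number are assumptions; the uid (1001) and gateway (192.168.0.1) are the thread's own.

```shell
#!/bin/sh
# Added example: policy-route every packet generated by one uid (appA's
# dedicated user) out through if1 / lan1's gateway; all other traffic keeps
# using the main routing table (if2). Values marked "assumption" are made up.
APP_UID=1001            # uid appA runs as (from the thread)
IF1=eth0                # assumption: the interface attached to lan1
IF1_ADDR=192.168.0.2    # assumption: if1's own address on lan1
GW1=192.168.0.1         # lan1's gateway (from the thread)
MARK=1                  # arbitrary fwmark value
TABLE=100               # arbitrary routing table number
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the commands; 0 = execute them (root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

per_uid_routing_rules() {
    # 1. Mark locally generated packets owned by APP_UID. The owner match is
    #    only valid in OUTPUT, which is why the PREROUTING rule above failed.
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$APP_UID" \
        -j MARK --set-mark "$MARK"
    # 2. Marked packets are looked up in a dedicated routing table ...
    run ip rule add fwmark "$MARK" table "$TABLE"
    # 3. ... whose only route is lan1's gateway via if1.
    run ip route add default via "$GW1" dev "$IF1" table "$TABLE"
    # 4. The kernel picked the source address before the mark was applied, so
    #    it may still be if2's; rewrite it to if1's address so lan1's gateway
    #    forwards the packet and replies come back over lan1.
    run iptables -t nat -A POSTROUTING -o "$IF1" -m mark --mark "$MARK" \
        -j SNAT --to-source "$IF1_ADDR"
    # 5. Strict reverse-path filtering can drop replies arriving on if1 for
    #    flows the main table would route via if2; use loose mode on if1
    #    (older kernels only know 0/1, where 0 disables the check).
    run sysctl -w net.ipv4.conf."$IF1".rp_filter=2
    run ip route flush cache
}

per_uid_routing_rules
```

Run with DRY_RUN=0 as root to apply; the rules are not persistent, so they need re-adding after a reboot or interface restart.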
