* Re: owner based routing
From: Ignatich @ 2005-10-11 22:46 UTC (permalink / raw)
To: netfilter
Hello,
> The mangle table OUTPUT chain is consulted before routing.
>
> root@room101:~# iptables -vt mangle -A OUTPUT -m owner --uid-owner rob0 -j MARK --set-mark 0x80
> MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 OWNER UID match 1000 MARK set 0x80
>
> Did you try this?
Yes, I overlooked this. Thank you very much, it solved my problem.
--
Ignatich mailto:ignatich@gmail.com
* Re: owner based routing
From: Ignatich @ 2005-10-11 14:25 UTC (permalink / raw)
To: netfilter
Hello,
dr> On Tuesday 2005-October-11 08:57, Ignatich wrote:
>> Since ipt_owner does not work in PREROUTING chain and fwmark is
>> pointless, I thought that ipt_ROUTE from p-o-m can help me.
dr> Why is fwmark pointless?
>> Any ideas how to solve my problem?
dr> I would try -j MARK --set-mark $UID for your -m owner matched packets
dr> and use a ip rule / ip route combination. I've not done this, but I
dr> don't see why it wouldn't work.
It's pointless because ipt_owner does not work in the PREROUTING table. So
even if I mark the packet, the routing decision is already made.
--
Ignatich mailto:ignatich@gmail.com
* Re: owner based routing
From: /dev/rob0 @ 2005-10-11 14:46 UTC (permalink / raw)
To: netfilter
On Tuesday 2005-October-11 09:25, Ignatich wrote:
> dr> Why is fwmark pointless?
>
> It's pointless because ipt_owner does not work in the PREROUTING table.
> So even if I mark the packet, the routing decision is already made.
The mangle table OUTPUT chain is consulted before routing.
root@room101:~# iptables -vt mangle -A OUTPUT -m owner --uid-owner rob0 -j MARK --set-mark 0x80
MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 OWNER UID match 1000 MARK set 0x80
Did you try this?
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
* owner based routing
From: Ignatich @ 2005-10-11 13:57 UTC (permalink / raw)
To: netfilter
Hello,
I have the following problem. My goal is to allow traffic originating
from specific user/group to be routed via different gateway.
Here's my setup:
eth0 - default internet interface, ip z.z.z.z
eth1 - LAN, ip y.y.y.y
In the LAN I have a hardware ADSL router with ip x.x.x.x.
Since ipt_owner does not work in PREROUTING chain and fwmark is
pointless, I thought that ipt_ROUTE from p-o-m can help me.
Here's what I did:
iptables -t mangle -A OUTPUT -o eth0 -m owner --gid-owner adsl -j ROUTE --gw x.x.x.x --oif eth1
But it did not work. I believe this happened because matched packets
still had z.z.z.z as their source address.
So I tried that:
iptables -t mangle -A OUTPUT -o eth0 -m owner --gid-owner adsl -j ROUTE --gw x.x.x.x --oif eth1 --continue
iptables -t nat -A POSTROUTING -o eth1 -m owner --gid-owner adsl -j SNAT --to-source y.y.y.y
But still no luck. :(
Any ideas how to solve my problem?
--
Ignatich mailto:ignatich@gmail.com
* Re: owner based routing
From: /dev/rob0 @ 2005-10-11 14:07 UTC (permalink / raw)
To: netfilter
On Tuesday 2005-October-11 08:57, Ignatich wrote:
> Since ipt_owner does not work in PREROUTING chain and fwmark is
> pointless, I thought that ipt_ROUTE from p-o-m can help me.
Why is fwmark pointless?
> Any ideas how to solve my problem?
I would try -j MARK --set-mark $UID for your -m owner matched packets
and use a ip rule / ip route combination. I've not done this, but I
don't see why it wouldn't work.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
* Re: owner based routing
From: Henrik Nordstrom @ 2005-10-12 20:57 UTC (permalink / raw)
To: Ignatich; +Cc: netfilter
On Tue, 11 Oct 2005, Ignatich wrote:
> Since ipt_owner does not work in PREROUTING chain and fwmark is
> pointless, I thought that ipt_ROUTE from p-o-m can help me.
Using ipt_owner in PREROUTING is pointless as PREROUTING never sees any
packets sent by a local application.
PREROUTING sees packets coming in from the network before any decision on
what to do with the packet has been made.
ipt_owner can be used in OUTPUT/INPUT only (at least I think it can be
used in INPUT, maybe not..).
CONNMARK may be what you are looking for. It allows you to mark the
connection in OUTPUT and then reuse this mark in PREROUTING when packets
come back on the same connection.
> Here's what I did:
>
> iptables -t mangle -A OUTPUT -o eth0 -m owner --gid-owner adsl -j ROUTE --gw x.x.x.x --oif eth1
>
> But it did not work. I believe this happened because matched packets
> still had z.z.z.z as their source address.
You need to SNAT/MASQUERADE them.
> So I tried that:
>
> iptables -t mangle -A OUTPUT -o eth0 -m owner --gid-owner adsl -j ROUTE --gw x.x.x.x --oif eth1 --continue
> iptables -t nat -A POSTROUTING -o eth1 -m owner --gid-owner adsl -j SNAT --to-source y.y.y.y
Any specific reason why you have the owner match in POSTROUTING? Shouldn't
all traffic going out on eth1 be NATed?
Note: You generally also need to use policy routing to keep this traffic
on eth1.
Regards
Henrik
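The approach the two replies above converge on, written out as an added worked example (this is not code posted in the thread): /dev/rob0's owner match -> MARK in the mangle OUTPUT chain plus an ip rule / ip route pair keyed on the fwmark, together with Henrik's points that the traffic must be SNATed on the way out of eth1, that policy routing is what keeps it there, and that CONNMARK carries the owner-derived mark over to the reply direction where owner matching is impossible. Interface and address placeholders (eth1, y.y.y.y, x.x.x.x) follow the original post and the mark 0x80 follows rob0's rule; the group name "adsl", routing table 100 and the OWNER_ROUTING_APPLY switch are this example's own assumptions. It is a dry run by default and only prints the commands.

```sh
#!/bin/sh
# Added example, not code from the thread. Owner-based policy routing for
# locally generated traffic: mark in mangle OUTPUT, route on the mark, SNAT
# on the LAN side, CONNMARK so the mark is visible on replies.
# Assumed values: eth1 / y.y.y.y / x.x.x.x from the original post, mark 0x80
# from rob0's rule; group "adsl" and table 100 are placeholders.
#
# Dry run by default: commands are printed, not executed.
# Run as root with OWNER_ROUTING_APPLY=1 to apply them.

: "${OWNER_ROUTING_APPLY:=0}"

run() {
    if [ "$OWNER_ROUTING_APPLY" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# owner_routing GROUP LAN_IF LAN_IP ADSL_GW MARK TABLE
owner_routing() {
    group=$1; lan_if=$2; lan_ip=$3; gw=$4; mark=$5; table=$6

    # 1. mangle OUTPUT is traversed before the routing decision for locally
    #    generated packets, so -m owner works here (it does not in PREROUTING,
    #    which never sees locally generated packets). A mark change in mangle
    #    OUTPUT makes the kernel re-route the packet.
    run iptables -t mangle -A OUTPUT -m owner --gid-owner "$group" \
        -j MARK --set-mark "$mark"

    # 2. Copy the mark onto the conntrack entry and restore it on packets
    #    arriving from the LAN side, so PREROUTING/INPUT rules can tell which
    #    flows belong to GROUP even though owner matching is impossible there.
    run iptables -t mangle -A OUTPUT -m mark --mark "$mark" \
        -j CONNMARK --save-mark
    run iptables -t mangle -A PREROUTING -i "$lan_if" \
        -j CONNMARK --restore-mark

    # 3. Marked packets consult a separate routing table whose default route
    #    is the ADSL router on the LAN; this is what keeps them on LAN_IF.
    run ip rule add fwmark "$mark" table "$table"
    run ip route add default via "$gw" dev "$lan_if" table "$table"
    run ip route flush cache

    # 4. The source address was chosen when the socket was set up, before the
    #    mark existed, so it is still the eth0 address. Rewrite it to the LAN
    #    address so the ADSL router can return the replies. Match on the mark,
    #    not on owner: owner is not available in POSTROUTING.
    run iptables -t nat -A POSTROUTING -o "$lan_if" -m mark --mark "$mark" \
        -j SNAT --to-source "$lan_ip"
}

# Placeholders from the original post's setup; group, mark and table assumed.
owner_routing adsl eth1 y.y.y.y x.x.x.x 0x80 100
```

Two checks worth doing after applying this for real: `iptables -t mangle -L OUTPUT -v` should show the MARK rule's counters increasing only while a process in the group is sending, and `ip route get <dst> mark 0x80` should return the route via x.x.x.x on eth1 while a plain `ip route get <dst>` still returns the eth0 default.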
* owner based routing
From: Ignatich @ 2005-10-09 20:50 UTC (permalink / raw)
To: netfilter-devel
Hello netfilter developers,
I have the following problem. My Linux server has two interfaces: the first
connected to the internet and the second connected to the LAN. In the LAN I have
another hardware ADSL router connected to another (much slower) ISP.
I want LAN users to use linux server as internet gateway and
still be able to use ADSL link to download files via http/ftp/bt on
my server in background.
At first glance I thought that ipt_owner is all I need, but
unfortunately it only works in OUTPUT chain (and in INPUT and
POSTROUTING chain if I apply owner-socketlookup patch from
patch-o-matic, but that doesn't help here).
Is it possible to configure owner-based routing in some other way? If
not, then how much work is required to make ipt_owner work in the PREROUTING
table? Does the netfilter team plan to add such functionality? I'm no
Linux kernel programmer but experienced with C, so I might be able to
help if that's not very complicated.
--
Ignatich mailto:ignatich@gmail.com
* Re: owner based routing
From: Patrick Schaaf @ 2005-10-10 5:05 UTC (permalink / raw)
To: Ignatich; +Cc: netfilter-devel
> Is it possible to configure owner-based routing via some other way?
It is possible to solve what you described without any reference
to who owns which processes on the router...
You want to learn about policy routing. Read all of www.lartc.org.
When you still have problems, ask a _users_ mailing list or newsgroup.
Roughly, you want to formulate a solution to your task which is based on
looking at IP addresses, and network interface names, only.
The best you can do with owner, and the overall concept of a
process-identity-based firewall functionality, is to forget about it.
> If not, then how much work is required to make ipt_owner work in the PREROUTING
> table?
Very much work. At PREROUTING, we don't even know whether the packet
will be for the local machine or another one behind the router...
> Does netfilter team plan to add such functionality?
As far as I know, no. To the contrary: functionality is removed.
> I'm no
> Linux kernel programmer but experienced with C, so I might be able to
> help if that's not very complicated.
It is very complicated.
When processing packets in the kernel, especially for receive, the concept
of a user level process does not make much sense, if you look at it in
detail. At the moment the packet is received (and netfiltered), there
isn't even a guarantee that the process that will ultimately handle it,
already exists!
best regards
Patrick