From: Jan Klod <janklodvan@gmail.com>
To: netfilter@vger.kernel.org
Subject: Re: VPN (interface) access for and all traffic through from single user -- how to do it?
Date: Fri, 22 Aug 2008 23:40:23 +0300
Message-ID: <200808222340.23688.janklodvan@gmail.com>
In-Reply-To: <48A865A3.1010307@riverviewtech.net>

Well, I got it to work in a mode where all traffic is going through VPN like
this:

ip route add $IP_VPN_GATEWAY via $IP_LOCAL_GATEWAY dev eth1
ip route del $IP_REMOTE_VPN_ENDPOINT dev ppp0 src $IP_LOCAL_VPN_ENDPOINT
ip route del default via $IP_LOCAL_GATEWAY dev eth1 && ip route add default via $IP_VPN_GATEWAY dev ppp0
But it is not as nice as I would like.
I tried this to achieve my initial goal -- ppp0 for a particular user:

# $1 = local VPN IP, $2 = remote VPN IP (the VPN gateway), $3 = real interface
echo localIP_VPN = $1
echo remoteIP_VPN = IP_VPN_GATEWAY = $2
echo real interface = $3
# the named tables "net" and "net-2111" must exist in /etc/iproute2/rt_tables
ip rule add from all fwmark 1 table net
ip rule add from all fwmark 2 table net-2111
ip route add table net default via $2 dev ppp0
ip route add table net-2111 default via 0.0.0.0 dev $3
ip route del $2 dev ppp0 src $1
ip route flush cache
# packets that already carry a mark are accepted unchanged
iptables -t mangle -A OUTPUT -m mark --mark 1 -j ACCEPT
iptables -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT
# mark locally generated packets of user "articles" with 1
iptables -t mangle -A OUTPUT -m mark ! --mark 1 -m owner --uid-owner articles -j MARK --set-mark 1
# mark incoming packets addressed to the local VPN IP with 2
iptables -t mangle -A PREROUTING -d $1 -m mark ! --mark 2 -j MARK --set-mark 2
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source $1
But that just didn't work somehow. Please take a closer look at the previous
commands and give some advice about whether that is what I should do...
As you see, I have two tables, so I hope to "take out" outgoing traffic from the user
through ppp0 and forward replies back to eth1, which, I believe, is listened
to when it is the default in the main routing table.
Jan
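As an added example (not part of Jan's post and not code from the netfilter project), the script below sets up the per-user policy routing that the post is trying to build, in the usual single-table form: mark the user's locally generated packets by owner in mangle OUTPUT, look marked packets up in a dedicated routing table whose default route goes via the VPN interface, rewrite their source to the VPN-side address in nat POSTROUTING, and loosen reverse-path filtering on the VPN interface so that replies arriving there from addresses the main table would send via the real interface are not dropped. The interface names `ppp0`/`eth1`, the addresses, the user name `articles`, the LAN prefix, and the mark/table numbers are placeholders I chose; a numeric table id avoids editing /etc/iproute2/rt_tables. `DRY_RUN` defaults to 1 so the script only prints the commands it would run; set `DRY_RUN=0` and run as root to apply them.

```shell
#!/bin/sh
# Route one Unix user's outbound traffic through a VPN interface with
# fwmark-based policy routing. Added example with placeholder values.

: "${DRY_RUN:=1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# usage: user_vpn_rules USER VPN_IF VPN_GW VPN_LOCAL_IP REAL_IF MARK TABLE [LAN_NET]
user_vpn_rules() {
    user=$1; vpn_if=$2; vpn_gw=$3; vpn_ip=$4; real_if=$5; mark=$6; table=$7; lan_net=$8

    # Optional: keep the user's LAN traffic on the real interface.
    if [ -n "$lan_net" ]; then
        run ip route replace "$lan_net" dev "$real_if" table "$table"
    fi
    # Dedicated table whose default route is the VPN peer.
    run ip route replace default via "$vpn_gw" dev "$vpn_if" table "$table"
    # Any packet carrying the mark is looked up in that table instead of main.
    run ip rule add fwmark "$mark" table "$table"
    # Locally generated packets owned by the user get the mark; the kernel
    # re-runs the route lookup after mangle OUTPUT, so they leave via the VPN.
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$user" -j MARK --set-mark "$mark"
    # The first route lookup already picked the real interface's source
    # address, so rewrite it to the VPN-side address on the way out.
    run iptables -t nat -A POSTROUTING -o "$vpn_if" -m mark --mark "$mark" -j SNAT --to-source "$vpn_ip"
    # Replies arrive on the VPN interface from sources the main table would
    # route via the real interface; strict rp_filter would drop them. Loose
    # mode (2) needs a kernel that supports it; older kernels need 0 here.
    run sysctl -w "net.ipv4.conf.$vpn_if.rp_filter=2"
    run ip route flush cache
}

# usage: user_vpn_teardown USER VPN_IF VPN_LOCAL_IP MARK TABLE
user_vpn_teardown() {
    user=$1; vpn_if=$2; vpn_ip=$3; mark=$4; table=$5
    run iptables -t nat -D POSTROUTING -o "$vpn_if" -m mark --mark "$mark" -j SNAT --to-source "$vpn_ip"
    run iptables -t mangle -D OUTPUT -m owner --uid-owner "$user" -j MARK --set-mark "$mark"
    run ip rule del fwmark "$mark" table "$table"
    run ip route flush table "$table"
}

# Constructed placeholder values; prints the commands because DRY_RUN=1.
user_vpn_rules articles ppp0 10.8.0.1 10.8.0.6 eth1 1 100 192.168.1.0/24
```

Compared with the two-table scheme in the post, replies need no second mark or table: a reply to a connection the user opened is addressed to the VPN-side address and is delivered locally on arrival, so the only thing that can drop it is reverse-path filtering, which the sysctl line handles.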