* owner based routing
From: Ignatich @ 2005-10-11 13:57 UTC
To: netfilter
Hello,
I have the following problem. My goal is to allow traffic originating
from a specific user/group to be routed via a different gateway.
Here's my setup:
eth0 - default internet interface, ip z.z.z.z
eth1 - LAN, ip y.y.y.y
In LAN I have a hardware ADSL router with ip x.x.x.x.
Since ipt_owner does not work in PREROUTING chain and fwmark is
pointless, I thought that ipt_ROUTE from p-o-m can help me.
Here's what I did:
iptables -t mangle -A OUTPUT -o eth0 -m owner --gid-owner adsl -j
ROUTE --gw x.x.x.x --oif eth1
But it did not work. I believe this happened because matched packets
still had z.z.z.z as their source address.
So I tried that:
iptables -t mangle -A OUTPUT -o eth0 -m owner --gid-owner adsl -j
ROUTE --gw x.x.x.x --oif eth1 --continue
iptables -t nat -A POSTROUTING -o eth1 -m owner --gid-owner adsl -j
SNAT --to-source y.y.y.y
But still no luck. :(
Any ideas how to solve my problem?
--
Ignatich mailto:ignatich@gmail.com
* Re: owner based routing
From: /dev/rob0 @ 2005-10-11 14:07 UTC
To: netfilter
On Tuesday 2005-October-11 08:57, Ignatich wrote:
> Since ipt_owner does not work in PREROUTING chain and fwmark is
> pointless, I thought that ipt_ROUTE from p-o-m can help me.
Why is fwmark pointless?
> Any ideas how to solve my problem?
I would try -j MARK --set-mark $UID for your -m owner matched packets
and use a ip rule / ip route combination. I've not done this, but I
don't see why it wouldn't work.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
* Re: owner based routing
From: Ignatich @ 2005-10-11 14:25 UTC
To: netfilter
Hello,
dr> On Tuesday 2005-October-11 08:57, Ignatich wrote:
>> Since ipt_owner does not work in PREROUTING chain and fwmark is
>> pointless, I thought that ipt_ROUTE from p-o-m can help me.
dr> Why is fwmark pointless?
>> Any ideas how to solve my problem?
dr> I would try -j MARK --set-mark $UID for your -m owner matched packets
dr> and use a ip rule / ip route combination. I've not done this, but I
dr> don't see why it wouldn't work.
It's pointless because ipt_owner does not work in the PREROUTING table. So
even if I mark the packet, the routing decision is already made.
--
Ignatich mailto:ignatich@gmail.com
* Re: owner based routing
From: /dev/rob0 @ 2005-10-11 14:46 UTC
To: netfilter
On Tuesday 2005-October-11 09:25, Ignatich wrote:
> dr> Why is fwmark pointless?
>
> It's pointless because ipt_owner does not work in the PREROUTING table.
> So even if I mark the packet, the routing decision is already made.
The mangle table OUTPUT chain is consulted before routing.
root@room101:~# iptables -vt mangle -A OUTPUT -m owner --uid-owner rob0 -j MARK --set-mark 0x80
MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 OWNER UID match 1000 MARK set 0x80
Did you try this?
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
* Re: owner based routing
From: Ignatich @ 2005-10-11 22:46 UTC
To: netfilter
Hello,
> The mangle table OUTPUT chain is consulted before routing.
>
> root@room101:~# iptables -vt mangle -A OUTPUT -m owner --uid-owner rob0 -j MARK --set-mark 0x80
> MARK all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 OWNER UID match 1000 MARK set 0x80
>
> Did you try this?
Yes, I overlooked this. Thank you very much, it solved my problem.
--
Ignatich mailto:ignatich@gmail.com
* Re: owner based routing
From: Henrik Nordstrom @ 2005-10-12 20:57 UTC
To: Ignatich; +Cc: netfilter
On Tue, 11 Oct 2005, Ignatich wrote:
> Since ipt_owner does not work in PREROUTING chain and fwmark is
> pointless, I thought that ipt_ROUTE from p-o-m can help me.
Using ipt_owner in PREROUTING is pointless as PREROUTING never sees any
packets sent by a local application.
PREROUTING sees packets coming in from the network before any decision on
what to do with the packet has been made.
ipt_owner can be used in OUTPUT/INPUT only (at least I think it can be
used in INPUT, maybe not..).
CONNMARK may be what you are looking for. It allows you to mark the
connection in OUTPUT and then reuse this mark in PREROUTING when packets
come back on the same connection.
> Here's what I did:
>
> iptables -t mangle -A OUTPUT -o eth0 -m owner --gid-owner adsl -j
> ROUTE --gw x.x.x.x --oif eth1
>
> But it did not work. I believe this happened because matched packets
> still had z.z.z.z as their source address.
You need to SNAT/MASQUERADE them.
> So i tried that:
>
> iptables -t mangle -A OUTPUT -o eth0 -m owner --gid-owner adsl -j
> ROUTE --gw x.x.x.x --oif eth1 --continue
> iptables -t nat -A POSTROUTING -o eth1 -m owner --gid-owner adsl -j
> SNAT --to-source y.y.y.y
Any specific reason why you have the owner match in POSTROUTING? Shouldn't
all traffic going out on eth1 be NAT:ed?
Note: You generally also need to use policy routing to keep this traffic
on eth1.
Regards
Henrik
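Putting together rob0's mark in the mangle OUTPUT chain and Henrik's three points (CONNMARK, SNAT of everything leaving eth1, policy routing to keep the traffic on eth1), the following script is an added example and was not posted in the thread. The interface names, the group "adsl", the mark 0x80 and the x/y/z placeholder addresses follow the thread; the routing table number 100 is my own assumption. The script only prints the rule set for review unless APPLY=1 is set, so it can be read or diffed on a box without touching its firewall.

```shell
#!/bin/sh
# Added example, not from the thread: owner-based policy routing built from
# the pieces discussed above. Interface names, the group "adsl", the mark
# 0x80 and the x/y/z placeholder addresses follow the thread; the routing
# table number 100 is an assumption. Replace the placeholders before use.

WAN_IF=eth0        # default internet interface, z.z.z.z
LAN_IF=eth1        # LAN interface, y.y.y.y
LAN_IP=y.y.y.y     # address of eth1 (placeholder)
ADSL_GW=x.x.x.x    # hardware ADSL router on the LAN (placeholder)
GROUP=adsl         # group whose traffic should leave via the ADSL router
MARK=0x80          # fwmark, as in rob0's rule
TABLE=100          # routing table for marked traffic (assumption)

# Print the rule set instead of running it, so it can be reviewed first.
owner_routing_rules() {
    cat <<EOF
# 1. mangle OUTPUT is traversed before the routing decision for locally
#    generated packets, so the owner match works here; PREROUTING never
#    sees locally generated packets at all.
iptables -t mangle -A OUTPUT -m owner --gid-owner $GROUP -j MARK --set-mark $MARK
# 2. remember the mark on the connection and restore it in PREROUTING, so
#    reply packets (which have no owner) carry the same mark for matching.
iptables -t mangle -A OUTPUT -m mark --mark $MARK -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
# 3. policy routing: marked packets use a table whose default route is the
#    ADSL router, which keeps them on $LAN_IF after the reroute.
ip rule add fwmark $MARK table $TABLE
ip route add default via $ADSL_GW dev $LAN_IF table $TABLE
# 4. rerouted packets still carry the $WAN_IF address as source; SNAT
#    everything leaving $LAN_IF to the LAN address so replies come back.
iptables -t nat -A POSTROUTING -o $LAN_IF -j SNAT --to-source $LAN_IP
EOF
}

# Sanity check on the generated set: every stage must be present, otherwise
# marked packets would either not be rerouted or leave with the wrong source.
check_rules() {
    rules=$(owner_routing_rules)
    for needle in "-j MARK --set-mark $MARK" "CONNMARK --save-mark" \
                  "ip rule add fwmark $MARK table $TABLE" \
                  "ip route add default via $ADSL_GW" \
                  "-j SNAT --to-source $LAN_IP"; do
        case "$rules" in
            *"$needle"*) ;;
            *) echo "missing: $needle" >&2; return 1 ;;
        esac
    done
    return 0
}

# With APPLY=1 the rules are executed (needs root, iptables and iproute2);
# otherwise they are only printed for review.
if [ "${APPLY:-0}" = 1 ]; then
    check_rules && owner_routing_rules | sh -e
else
    owner_routing_rules
fi
```

The owner match is deliberately absent from the POSTROUTING SNAT rule, as Henrik suggested: every packet leaving eth1 gets the LAN address as source, which is what the ADSL router needs to send replies back, and it avoids relying on owner information that POSTROUTING does not have for forwarded traffic.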