
Suppose I have more than one network interface and I want to selectively use them per application. eth0 is the standard interface with the standard gateway in the main routing table; eth1 is another interface with a different gateway.

Suppose I launch an application as a user "user_eth1".

I used the following set of rules for iptables / ip rules.

IPTABLES:

iptables -t mangle -A OUTPUT -m user --uid-owner user_eth1 -j MARK --set-mark 100
iptables -t nat -A POSTROUTING -m user -uid-owner -o eth1 user_eth1 -j SNAT --to-source <eth_ipaddress>

IPRULE:

ip rule add fwmark 100 lookup table100

and I build "table100" as follows (no doubts on that):

ip route show table main | grep -Ev ^default | while read ROUTE; do ip route add table table100 $ROUTE; done
ip route add default via <default_gateway> table table100

It doesn't work at all. What's wrong with this?

Thank you in advance!

  • So when these rules are enabled what happens? Does traffic go out the wrong interface? Does traffic completely die? – Zoredache Feb 01 '11 at 17:35

1 Answer


What's wrong with this?

  1. Are you sure about «-m user»? May be «-m owner»?
  2. «-t nat -A POSTROUTING -m user -uid-owner» is better done with «-m mark --mark» — you've already assigned the mark, remember?

Well, anyways, the setup is quite legitimate. You can use tcpdump to debug it.

poige
  • Thank you... of course it was a typing error... and thank you for the suggestion about the nat table as well. It still doesn't work. Debugging with tcpdump, trying to open a web page, I can only see the first packet from the host to the server and the first reply from the server, sent more than once since the host doesn't reply. In addition to this, trying to see what happens to the packets, they seem to be blocked between mangle PREROUTING and nat PREROUTING (with reference to this scheme: http://fr.wikipedia.org/wiki/Fichier:Netfilter-packet-flow.svg) – Antonino Feb 02 '11 at 14:13
  • Well, it's a pity I don't have two uplinks right now, so I can't test it for sure. Have you tried hosing out all irrelevant netfilter's rules? Flush the whole config and try to implement only that part. – poige Feb 02 '11 at 14:18
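The rule set from the question with the two corrections from the answer applied (`-m owner` instead of `-m user`, and the SNAT rule matching on the mark), assembled into a script as an added example; it is not code from the original question, the answer or the comments. Beyond what the thread shows, it adds an `ip rule ... from <eth1 address>` entry so that replies to connections arriving on eth1 also use the alternate table, and it relaxes strict reverse-path filtering, which is a common cause of the exact symptom in the comments (SYN leaves, SYN-ACK arrives and is retransmitted, the host never answers) and is worth checking before anything else. The user name, interface, addresses, mark and table name are assumed values, not taken from the page: user `user_eth1`, eth1 at 192.0.2.10 with gateway 192.0.2.1, mark 100, and a table called `eth1_out` (add `100 eth1_out` to /etc/iproute2/rt_tables, or pass the number 100 instead of the name).

```shell
#!/bin/sh
# Added example (not the original poster's or answerer's code): the rule set
# from the question with the two fixes from the answer applied, plus the
# reverse-path-filter setting that commonly explains "reply arrives, host
# never answers" in tcpdump.  Assumed values, not from the page: user
# user_eth1, interface eth1 with address 192.0.2.10 and gateway 192.0.2.1,
# mark 100, and a table named eth1_out (add "100 eth1_out" to
# /etc/iproute2/rt_tables, or pass the number 100 instead of the name).
#
# run() prints each command unless APPLY=1, so the plan can be reviewed
# without root:  sh policy_route.sh        (dry run with the sample values)
#   APPLY=1 sh policy_route.sh apply user_eth1 eth1 192.0.2.1 192.0.2.10 100 eth1_out

APPLY=${APPLY:-0}

run() {
    if [ "$APPLY" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# setup_policy_routing USER IFACE GATEWAY LOCAL_IP MARK TABLE
setup_policy_routing() {
    user=$1; iface=$2; gw=$3; local_ip=$4; mark=$5; table=$6

    # 1. Mark packets generated locally by USER.  The match module is
    #    "owner" (answer, point 1); --uid-owner takes a name or a UID.
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$user" \
        -j MARK --set-mark "$mark"

    # 2. Rewrite the source address of marked packets leaving IFACE.
    #    Matching on the mark reuses the decision from step 1 instead of
    #    a second owner match (answer, point 2).
    run iptables -t nat -A POSTROUTING -o "$iface" -m mark --mark "$mark" \
        -j SNAT --to-source "$local_ip"

    # 3. Marked packets consult TABLE.  Packets already carrying IFACE's
    #    address (replies to connections that arrived on eth1) must use it
    #    as well, otherwise they leave through the main default route.
    run ip rule add fwmark "$mark" lookup "$table"
    run ip rule add from "$local_ip" lookup "$table"

    # 4. Copy the non-default routes from main so LAN and link-local
    #    destinations stay reachable, then add IFACE's own gateway.
    run sh -c "ip route show table main | grep -Ev '^default' | while read -r r; do ip route add table $table \$r; done"
    run ip route add default via "$gw" dev "$iface" table "$table"

    # 5. Replies come back on IFACE from hosts the main table reaches via
    #    eth0.  Strict reverse-path filtering (rp_filter=1) drops them, so
    #    tcpdump shows the SYN leaving and the SYN-ACK arriving repeatedly
    #    with no ACK.  Loose mode (2) still requires some route to the
    #    source but accepts any interface.  The effective value is the
    #    larger of the "all" and per-interface settings, so set both.
    run sysctl -w "net.ipv4.conf.all.rp_filter=2"
    run sysctl -w "net.ipv4.conf.$iface.rp_filter=2"
    run ip route flush cache
}

# Print the resulting policy-routing state for verification.
show_state() {
    ip rule show
    ip route show table "$1"
    iptables -t mangle -L OUTPUT -n -v
    iptables -t nat -L POSTROUTING -n -v
}

if [ "${1:-}" = apply ]; then
    shift
    APPLY=1
    setup_policy_routing "$@"
    show_state "$6"
elif [ $# -eq 0 ]; then
    setup_policy_routing user_eth1 eth1 192.0.2.1 192.0.2.10 100 eth1_out
fi
```

After applying, `tcpdump -ni eth1` while user_eth1 opens a connection should show the SYN leaving with eth1's address as source and the handshake completing; if the SYN-ACK still arrives without an ACK, check `ip rule show` ordering (the fwmark rule must precede the main table) and the `rp_filter` values with `sysctl net.ipv4.conf`.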