
I have two NICs and two IPs. How do I set up routing in a way where everything is sent through the first IP, except the traffic of a given (local) user, whose traffic is sent through the second IP?

I know there are some HOWTOs out there but in the last 3 days I could not succeed using them.

I liked this http://www.debian-administration.org/article/379/Policy_routing article the best; the only difference in my situation is that I do not deal with PPP connections, I have two Ethernet interfaces.

After setting up everything(?), the given local user's web browsing traffic can be seen in wireshark, the SYN ACK comes back to the right IP and interface, but the browser does not answer.

Please help.

---THE WHOLE STORY---

Using a fresh install of Ubuntu 10.10 for testing, the two connections are:

eth0: ip=192.168.168.236 gw=192.168.168.1
wlan0: ip=192.168.2.12 gw=192.168.2.1
nameserver is 192.168.168.1

Firewall is empty at the start (i.e. no rules), all policies are ACCEPT.

root@kipkopp:~# ip rule list
0:  from all lookup local 
32766:  from all lookup main 
32767:  from all lookup default 
root@kipkopp:~# ip route show
192.168.2.0/24 dev wlan0  proto kernel  scope link  src 192.168.2.12  metric 2 
192.168.168.0/24 dev eth0  proto kernel  scope link  src 192.168.168.236  metric 1 
169.254.0.0/16 dev eth0  scope link  metric 1000 
default via 192.168.168.1 dev eth0  proto static 

root@kipkopp:~# cat /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
0   unspec
#
# local
#
#1  inr.ruhep
100 copyofmain
101 new

(Building the copyofmain table, table new is empty)

root@kipkopp:~# ip route show table copyofmain
192.168.2.0/24 dev wlan0  proto kernel  scope link  src 192.168.2.12  metric 2 
192.168.168.0/24 dev eth0  proto kernel  scope link  src 192.168.168.236  metric 1 
169.254.0.0/16 dev eth0  scope link  metric 1000 
default via 192.168.168.1 dev eth0  proto static 

root@kipkopp:~# iptables -t mangle -A OUTPUT -m owner --uid-owner 1001 -j MARK --set-mark 1
root@kipkopp:~# ip rule add fwmark 1 pri 100 table copyofmain
root@kipkopp:~# ip rule add from 192.168.168.236 pri 200 table copyofmain
root@kipkopp:~# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source=192.168.168.236

Trying to browse to websites as uid=1001 everything is okay.

(Building the 'new' table)

root@kipkopp:~# ip route show table new
192.168.2.0/24 dev wlan0  proto kernel  scope link  src 192.168.2.12  metric 1 
192.168.168.0/24 dev eth0  proto kernel  scope link  src 192.168.168.236  metric 2 
169.254.0.0/16 dev wlan0  scope link  metric 1000 
default via 192.168.2.1 dev wlan0  proto static 

root@kipkopp:~# ip rule add from 192.168.2.1 pri 200 table new
root@kipkopp:~# iptables -t nat -A POSTROUTING -o wlan0 -j SNAT --to-source=192.168.2.12

root@kipkopp:~# ip rule show
0:  from all lookup local 
100:    from all fwmark 0x1 lookup copyofmain 
200:    from 192.168.168.236 lookup copyofmain 
200:    from 192.168.2.12 lookup new 
32766:  from all lookup main 
32767:  from all lookup default 

Uid 1001 still uses the copyofmain table, and is able to surf the net.

root@kipkopp:~# ip rule delete from all fwmark 0x1 lookup copyofmain
root@kipkopp:~# ip rule add fwmark 1 pri 100 table new

root@kipkopp:~# ip rule list
0:  from all lookup local 
100:    from all fwmark 0x1 lookup new 
200:    from 192.168.168.236 lookup copyofmain 
200:    from 192.168.2.12 lookup new 
32766:  from all lookup main 
32767:  from all lookup default 

Uid 1001 cannot browse any more.

root@kipkopp:~# echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter 
root@kipkopp:~# echo 0 > /proc/sys/net/ipv4/conf/wlan0/rp_filter 

root@kipkopp:~# ip route flush cache

No improvement.

I change the default route in the main(!) table:

root@kipkopp:~# ip route delete default via 192.168.168.1 dev eth0  proto static
root@kipkopp:~# ip route add default via 192.168.2.1 dev wlan0  proto static

Uid 1001 is happy browsing, just like the other users.

raerek
  • Did you make sure you performed the step to disable the `rp_filter`? – Zoredache Feb 05 '11 at 01:35
  • Please also strongly consider posting your network interface configuration, route tables, ip rules, and iptables rules. When it comes to policy routing the __Devil is in the details__. It is extremely picky. We probably won't be able to really offer any help unless you tell us exactly what you have done. – Zoredache Feb 05 '11 at 01:37
  • I always fear that no one cares to read a long story.... And yes, I disabled rp_filter. So here you go with the whole story, hope someone can help. – raerek Feb 05 '11 at 10:35

1 Answer


It seems that using ip rule is simpler and works fine.

First

You have a gateway, of course.

Second

Create a custom table:

echo '1000 mytable' >> /etc/iproute2/rt_tables

Or using vim is safer.

Third

sudo ip rule add uidrange 1000-1000 lookup mytable
  • We can check the UID by running the id command.
  • number-number is the format, and it can be the same for a single user.

Lastly

Set the default route for that custom table "mytable":

sudo ip route add default via <gateway> dev <interface-of-gateway> proto static
Shakiba Moshiri
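The two procedures above (the question's MARK + fwmark setup and the answer's uidrange rule) share the same moving parts: a per-user table with a default route, a rule that selects it, and rp_filter relaxed on the interfaces involved. The script below is an added example, not code from either post: it generates that command set so it can be reviewed before being applied as root. It assumes a kernel and iproute2 with uidrange support (Linux 4.10 or later), and the uid, table name, gateway and prefixes in the usage comment are constructed values.

```shell
#!/bin/sh
# Added example (not from the question or answer): per-user policy routing
# with an "ip rule uidrange" selector instead of iptables MARK + fwmark.
# Constructed values: uid 1001, table "peruser", gateway 192.168.2.1 on wlan0.
# Nothing here runs "ip" itself; pipe the output into sh as root to apply.

# Reject anything that is not a plain decimal uid.
valid_uid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the commands for: uid table gateway device [prefix@dev ...]
# The connected prefixes are copied into the table so the user's LAN
# traffic is not pushed out through the second gateway. The table may be
# a name registered in /etc/iproute2/rt_tables or a plain number.
policy_route_cmds() {
    uid=$1; table=$2; gw=$3; dev=$4; shift 4
    valid_uid "$uid" || { echo "bad uid: $uid" >&2; return 1; }
    # one route per connected prefix, then the table's own default
    for lan in "$@"; do
        echo "ip route add ${lan%@*} dev ${lan#*@} table $table"
    done
    echo "ip route add default via $gw dev $dev table $table"
    # uidrange is matched when the socket is routed, so the kernel picks
    # the source address from this table's route and no SNAT is needed
    echo "ip rule add uidrange $uid-$uid lookup $table priority 100"
    # the kernel applies max(all, device) for rp_filter, so "all" must be
    # relaxed as well; 2 = loose mode accepts replies via either interface
    echo "sysctl -w net.ipv4.conf.all.rp_filter=2"
    echo "sysctl -w net.ipv4.conf.$dev.rp_filter=2"
    echo "ip route flush cache"
}

# Usage: generate, inspect, then apply as root:
#   policy_route_cmds 1001 peruser 192.168.2.1 wlan0 \
#       192.168.168.0/24@eth0 192.168.2.0/24@wlan0 | sudo sh
```

Rules and table routes added this way are not persistent; re-run the generated commands from a boot-time hook after the interfaces come up.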