I have a server machine with a dedicated IP and several IP aliases. It has a single network interface and on it there are multiple IPs "attached".

So let's say IP1 is the main IP, but I also have IP2 and IP3.

I can ssh into any of the three IPs and access the same machine.

Now if I create an SSH tunnel and configure my browser to use that tunnel as a SOCKS proxy, all outgoing requests seem to be going through IP1 only. So if I create a tunnel through IP2 and set it as the proxy in Firefox, then, say, google for "what's my ip", I see IP1 showing up.

Is there a way I can set the outgoing connections to show as the IP aliases that I'm proxying through?

Jimbotron

2 Answers

The only way I have been able to achieve this is by using NAT. Something like this:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

where 1.2.3.4 is one of your alias IPs. Doing this flips all outgoing traffic to use this IP address, for everything (so be careful).

You may wish to consider this variant:

iptables -t nat -A POSTROUTING -o eth0 -m owner --uid-owner user -j SNAT --to 1.2.3.4

I don't run this one myself, though I have tested it just now and iptables accepts it. This would allow you to have a per user/IP alias mapping (I think) so depending on the UID of the process running the socks proxy (I'm presuming here an SSH socks proxy, thus the user who is logging in via SSH), that IP will be used for any outgoing traffic.

parkamark
  • So basically I would have to create a separate linux user for each IP/connection right? Would it also be possible to do this for other OS processes like a script that is run by webserver? – Jimbotron Jan 20 '16 at 15:38
  • Yes, separate user for each IP alias you wish to use. I don't think there is any iptables module that can match on a script name or properties of a running process. Only the UID owner of the process that generated the outgoing packet, source/destination port, protocol etc, so you're pretty much limited to that. – parkamark Jan 20 '16 at 15:52
  • My network interfaces are all configured as eth0:1, eth0:2, etc. Is eth0:1 what I would be putting as a parameter in iptables, or just eth0? – Jimbotron Jan 20 '16 at 16:40
  • Just eth0. Each eth:* entry is not really an interface; it is just how the system represents the assignment of multiple IP addresses to the same interface. – parkamark Jan 20 '16 at 17:11
  • I don't seem to be able to get it to work. This is a command I am running as root: "iptables -t nat -A POSTROUTING -o eth0 -m owner --uid-owner newuser1 -j SNAT --to ip.address.alias.here". Am I missing something? After running that command there is no output, and iptables -F and iptables -S show nothing but the default 3 ACCEPT rules. – Jimbotron Jan 20 '16 at 20:02
  • I've just verified it on my own Linux box and it does work. However, the gotcha is I had to use "iptables -t nat -I POSTROUTING ..." because I needed to insert the rule at the top of my already existing NAT rules. Using "-A" added the rule to the end, which means it never matched, because my generic NAT rule matched first. Also, if it has worked, you should see the rule listed by running "iptables -t nat -vnL POSTROUTING". Make sure this rule is added at the top, not the bottom, so it matches first. – parkamark Jan 20 '16 at 20:42
  • I run the command and the record is not being added to iptables. No error shows, and -S is still not showing the addition. Any way I could debug this? If it makes any difference, I'm on a Debian VPS. – Jimbotron Jan 20 '16 at 20:57
  • Never mind, it works, it just does not list it with just -S; I need to do -t nat -S. Thanks a lot! – Jimbotron Jan 20 '16 at 21:32
  • @parkamark Could you explain `-m owner --uid-owner user`? Is "owner" the username and "user" the UID? Not sure what is a variable and what is a flag here. – stone.212 Nov 30 '18 at 02:14
  • @stone212 `-m owner` invokes the iptables "owner" sub-module. `--uid-owner user` is then further arguments to that module, in this case, to define the UID (or username) that should be matched against. You can use either the UID or the username, the module handles both. – parkamark Nov 30 '18 at 09:46
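The per-user SNAT approach above, and the two gotchas raised in the comments (the rule must be inserted at the top of POSTROUTING with -I, and it is only visible under -t nat), as an added example that is not part of the answer: a small POSIX sh script that turns a constructed "username alias-IP" mapping into iptables rules, rejects malformed addresses, and uses -C so re-running it does not stack duplicate rules. The interface name eth0, the usernames and the 192.0.2.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the answer): build one SNAT rule per user from a
# user -> alias-IP mapping. Rules are inserted at position 1 of POSTROUTING
# (-I) so they match before any generic SNAT/MASQUERADE rule, and a -C check
# skips rules that are already present.

# Constructed mapping, one "username alias_ip" pair per line. The last entry
# is deliberately malformed to show that it gets skipped.
MAPPING='
alice 192.0.2.11
bob   192.0.2.12
carol 192.0.2.999
'

# Outgoing interface (the base device, not an eth0:N alias name).
IFACE="${IFACE:-eth0}"

# Print the chain and rule specification for one user/IP pair.
# $1 = username or numeric UID, $2 = alias IP, $3 = outgoing interface
snat_rule_args() {
    printf 'POSTROUTING -o %s -m owner --uid-owner %s -j SNAT --to-source %s\n' \
        "$3" "$1" "$2"
}

# Dotted-quad sanity check: four numeric octets, each 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            exit 0
        }
        { exit 1 }'
}

# Walk the mapping and emit (DRY_RUN=1, the default) or apply the rules.
apply_snat_mapping() {
    printf '%s\n' "$MAPPING" | while read -r user ip; do
        [ -z "$user" ] && continue
        if ! valid_ipv4 "$ip"; then
            echo "skip $user: '$ip' is not a valid IPv4 address" >&2
            continue
        fi
        args=$(snat_rule_args "$user" "$ip" "$IFACE")
        if [ "${DRY_RUN:-1}" = 1 ]; then
            # Show exactly what would run; word splitting of $args is intended.
            echo "iptables -t nat -C $args || iptables -t nat -I $args"
        else
            # -C exits non-zero when the rule is absent; only then insert it.
            iptables -t nat -C $args 2>/dev/null || iptables -t nat -I $args
        fi
    done
}

# Usage: DRY_RUN=1 ./snat-map.sh to preview, DRY_RUN=0 as root to apply.
# Verify afterwards with: iptables -t nat -vnL POSTROUTING
if [ "${SNAT_MAP_MAIN:-0}" = 1 ]; then
    apply_snat_mapping
fi
```

Running it with DRY_RUN=1 prints two iptables command lines for alice and bob and a skip message for carol on stderr; with DRY_RUN=0 it applies them. Note that SNAT only rewrites packets that leave via the listed interface, and the match is on the UID of the process that generated the packet, so the SSH session that carries the SOCKS tunnel has to run as the mapped user.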

You can use the ip route command for that. You can even set specific IP source addresses for specific hosts. Using the following addresses:

  • destination: 10.0.0.0/16
  • default ip: 192.168.0.100
  • alias ip: 192.168.0.101
  • gateway ip: 192.168.0.1

Changing the IP for outgoing traffic to 10.0.0.0/16:

ip route add to 10.0.0.0/16 via 192.168.0.1 dev eth0 src 192.168.0.101

If you want all outgoing traffic to use the alias IP, you'll use:

ip route change default via 192.168.0.1 dev eth0 src 192.168.0.101 metric 101

Micha Kersloot
  • Using this method, would I be able to specify a rule per SSH connection by some parameter or criteria? Or does this change all the outgoing traffic? – Jimbotron Jan 20 '16 at 15:37
  • Hmm.. If you login to the same machine, I'm not sure you can handpick the source ip address for that session. – Micha Kersloot Jan 21 '16 at 16:23
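A way to confirm that a route added with "src ..." actually changes the chosen source address, as an added example that is not part of the answer: "ip route get DEST" prints the route the kernel would use for a destination, including the src field, and the script below parses that field so the check can be scripted. The sample output line is constructed to match the layout of the answer's route (10.0.0.5 via 192.168.0.1 with src 192.168.0.101) and was not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the answer): verify which source address the kernel
# selects for a destination after an "ip route ... src ADDR" change.

# Constructed sample of "ip route get 10.0.0.5" output for the answer's route
# (assumed layout, not captured from a real host).
SAMPLE_ROUTE='10.0.0.5 via 192.168.0.1 dev eth0 src 192.168.0.101 uid 1000
    cache'

# Print the address that follows the "src" keyword in ip route output.
# Prints nothing when no src field is present.
route_src() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "src") { print $(i + 1); exit }
    }'
}

# Ask the kernel for the route to $1 and compare the selected source with $2.
# Exit status: 0 when they match, 1 when they differ, 2 when "ip" is unusable.
check_route_src() {
    command -v ip >/dev/null 2>&1 || return 2
    out=$(ip route get "$1" 2>/dev/null) || return 2
    [ "$(route_src "$out")" = "$2" ]
}

# Usage: ROUTE_CHECK_MAIN=1 ./route-src.sh 10.0.0.5 192.168.0.101
if [ "${ROUTE_CHECK_MAIN:-0}" = 1 ]; then
    if check_route_src "$1" "$2"; then
        echo "source for $1 is $2"
    else
        echo "source for $1 is '$(route_src "$(ip route get "$1")")', expected $2" >&2
        exit 1
    fi
fi
```

After the answer's "ip route add to 10.0.0.0/16 ... src 192.168.0.101", check_route_src 10.0.0.5 192.168.0.101 should succeed, while a destination outside 10.0.0.0/16 still reports the default 192.168.0.100 unless the default route was changed as well. As the last comment notes, this selects the source per destination or per default route, not per SSH session.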