
I have two gateways in my subnet: 192.168.1.2 is the main one and 192.168.1.1 the secondary (yeah, that's not a mistake).

So I am using 192.168.1.2 everywhere as the default route.

Is it possible to configure danted so it will forward outgoing connections to the secondary gateway (192.168.1.1) while the main system uses the main gateway? Or should I do some tweaking with iptables to achieve that?

Another possible solution is an LXC container with a different network stack, but I am trying to achieve the same goal on an RPi with not much RAM and without that kind of redundant solution.

So I wonder if it supports that out of the box, or maybe I can split the network stack without any virtualization? (Create a virtual interface with the other gateway, maybe, and then pass that secondary interface to danted.)

Thanks


2 Answers


So my main gateway on that machine is 192.168.1.2. I want to redirect all traffic from a specific user through another gateway, 192.168.1.1.

Creating a new user that will be redirected to the other gateway:

useradd -m proxy

Adding a new routing table:

echo "201     gw1" >> /etc/iproute2/rt_tables

Adding an ip rule so all marked packets will go to the new routing table:

ip rule add fwmark 0x1 table gw1
ip route add default via 192.168.1.1 dev eth0 table gw1

Marking all packets from user proxy (and allowing our subnet to communicate without any redirection):

iptables -A OUTPUT -t mangle -o eth0 ! -d 192.168.1.0/24 -m owner --uid-owner proxy -j MARK --set-mark 1

This way user proxy will use the separate routing table.

Now all IP traffic works fine, but DNS doesn't work:

curl -H "Host: ifconfig.me" 216.239.32.21

DNS requests don't work because they try to use 127.0.0.1:53, which is routed through the main gateway.

Now also redirecting DNS traffic to the same gateway, not letting it touch 127.0.0.1:53:

iptables -t nat -A OUTPUT -m owner --uid-owner proxy -p udp --dport 53 -j DNAT --to 192.168.1.1:53
iptables -t nat -A OUTPUT -m owner --uid-owner proxy -p tcp --dport 53 -j DNAT --to 192.168.1.1:53

You can also put 8.8.8.8 there and it will be passed through 192.168.1.1; the main idea is to get it away from the local caching DNS server.

Now DNS requests are routed fine; you can check that with a sniffer. However, dig still shows the DNS of the default gateway:

curl ifconfig.me

Making danted (or any other app) use those rules by making it run as the proxy user in danted.conf:

#user.privileged: root
user.notprivileged: proxy
#user.libwrap: libwrap

And now you can add the ip rule, ip route and iptables lines to rc.local and point your browser to the danted SOCKS server. All outbound traffic will be routed to the 192.168.1.1 gateway.

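The whole procedure from the answer above (routing table, fwmark rule, default route, owner-match marking, DNS DNAT) as one re-runnable POSIX sh script. This is an added example, not the answer author's code: it keeps the answer's rules and addresses, but makes each step idempotent (`ip rule add` and `echo >> rt_tables` add duplicates on a second run, so both are guarded; `iptables -C` is used before `-A`), adds a `plan` mode that only prints the commands, and a `verify` mode that compares the egress IP seen as the proxy user with the default one. Every variable default (eth0, 192.168.1.0/24, 192.168.1.1, user `proxy`, table 201/gw1, mark 1, a SOCKS listener on 127.0.0.1:1080) is an assumption taken from the answer and the comment below it; override them in the environment for your own network.

```shell
#!/bin/sh
# Added example (not from the original answer): the per-user policy-routing
# recipe as an idempotent script.  All defaults are assumptions that mirror
# the answer's example network; override them via the environment.
#   plan   - print the commands that would be run (no root needed)
#   apply  - run them as root; safe to re-run, existing rules are skipped
#   verify - show egress IP via default route, as the proxy user, and via SOCKS
set -eu

IFACE="${IFACE:-eth0}"
LAN="${LAN:-192.168.1.0/24}"
ALT_GW="${ALT_GW:-192.168.1.1}"        # secondary gateway
ALT_DNS="${ALT_DNS:-$ALT_GW}"          # where the proxy user's DNS is DNAT'ed (away from 127.0.0.1:53)
PROXY_USER="${PROXY_USER:-proxy}"      # uid whose traffic is marked; user.notprivileged in danted.conf
TABLE_ID="${TABLE_ID:-201}"
TABLE_NAME="${TABLE_NAME:-gw1}"
MARK="${MARK:-1}"
SOCKS="${SOCKS:-socks5h://127.0.0.1:1080}"   # assumed danted listener; socks5h = resolve via proxy
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ensure_user: Debian-based systems already ship a system user named "proxy",
# so only create the account when the name is really absent.
ensure_user() {
    id "$PROXY_USER" >/dev/null 2>&1 || run useradd -m "$PROXY_USER"
}

# ensure_rt_table: register the table name once (a plain `echo >>` appends
# a duplicate line on every run).
ensure_rt_table() {
    if grep -qsE "^${TABLE_ID}[[:space:]]+${TABLE_NAME}\$" "$RT_TABLES"; then
        return 0
    fi
    if [ "$DRY_RUN" = 1 ]; then
        printf 'echo "%s %s" >> %s\n' "$TABLE_ID" "$TABLE_NAME" "$RT_TABLES"
    else
        printf '%s\t%s\n' "$TABLE_ID" "$TABLE_NAME" >> "$RT_TABLES"
    fi
}

# ensure_policy_route: fwmark -> table rule plus that table's default route.
# The numeric id works even before rt_tables is updated; `ip route replace`
# is idempotent, `ip rule add` is not, so the rule is looked up first.
ensure_policy_route() {
    hexmark=$(printf '0x%x' "$MARK")
    if [ "$DRY_RUN" = 1 ] || ! ip rule show | grep -qE "fwmark ${hexmark} lookup (${TABLE_NAME}|${TABLE_ID})\$"; then
        run ip rule add fwmark "$MARK" table "$TABLE_ID"
    fi
    run ip route replace default via "$ALT_GW" dev "$IFACE" table "$TABLE_ID"
}

# ipt_ensure TABLE CHAIN RULE...: append only if `iptables -C` says it is absent.
ipt_ensure() {
    table=$1; shift
    if [ "$DRY_RUN" != 1 ] && iptables -t "$table" -C "$@" 2>/dev/null; then
        return 0
    fi
    run iptables -t "$table" -A "$@"
}

ensure_firewall() {
    # mark everything the proxy user sends off-LAN so it hits the fwmark rule
    ipt_ensure mangle OUTPUT -o "$IFACE" '!' -d "$LAN" -m owner --uid-owner "$PROXY_USER" -j MARK --set-mark "$MARK"
    # send the user's DNS to ALT_DNS instead of the local caching resolver
    for proto in udp tcp; do
        ipt_ensure nat OUTPUT -m owner --uid-owner "$PROXY_USER" -p "$proto" --dport 53 -j DNAT --to-destination "${ALT_DNS}:53"
    done
}

apply_all() {
    ensure_user
    ensure_rt_table
    ensure_policy_route
    ensure_firewall
}

# verify: the first two IPs differ when the marked traffic leaves via ALT_GW;
# the third also exercises name resolution through the SOCKS server (the "h").
verify() {
    printf 'default route egress: '; curl -s https://ifconfig.me; echo
    printf 'as %s egress:        ' "$PROXY_USER"; sudo -u "$PROXY_USER" curl -s https://ifconfig.me; echo
    printf 'via %s:  ' "$SOCKS"; curl -s --proxy "$SOCKS" https://ifconfig.me; echo
}

case "${1:-}" in
    plan)   DRY_RUN=1; apply_all ;;
    apply)  apply_all ;;
    verify) verify ;;
    *)      echo "usage: $0 plan|apply|verify" ;;
esac
```

Run `sh gwroute.sh plan` first to see the exact rules, then `sudo sh gwroute.sh apply`; point danted at the same user with `user.notprivileged: proxy` as in the answer, and `sh gwroute.sh verify` should print a different address for the proxy user and the SOCKS path than for the default route.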

I have followed your steps, and it works for 3 gateways, but when I add a 4th gateway and more, DNS doesn't resolve on the added gateways (internet and proxy are working without problems on all gateways with external DNS servers, but not with the gateways' DNS).

All rules, sockd instances and firewall rules have unique "uid-owners".

In resolv.conf it is sorted as (only .10.1, .11.1, .12.1 working):

192.168.10.1
192.168.11.1
192.168.12.1
192.168.13.1
192.168.14.1

When I change the resolv.conf order to:

192.168.14.1
192.168.13.1
192.168.12.1
192.168.11.1
192.168.10.1

DNS works only for .13.1, .14.1, .15.1; for all following gateways DNS does not resolve.

I have checked and found that it is limited by the resolv.conf DNS list (MAXNS limited to 3 in the kernel source files).

My main point is to make every SOCKS proxy use its own gateway-specified DNS and not mix with each other, but I can't achieve it, because all DNSes after the 3rd are not working.

I can't understand why the system touches resolv.conf, as it is redirected by the firewall directly to the gateway DNS. I have spent a few days on it, but can't resolve this issue at all.

  • Hello, there are 2 possible issues that can cause this: 1) your iptables DNAT DNS rule is not working for some reason; 2) your app does not pass DNS resolution to the SOCKS server. You need to test it like this: curl -x socks5h://127.0.0.1:1080 myip.wtf/json. The h is important: it delegates name resolution to the SOCKS server. Firefox has a special tick for that too. I don't know what your app is, but resolv.conf is not supposed to be touched in this scheme. If the app uses resolv to resolve DNS, it's definitely not doing name resolution via the SOCKS server. Also try using proxychains4 for the app you test with. – POMATu Oct 15 '22 at 22:45
  • It's the MAXNS limitation of the Linux kernel; Dante SOCKS uses the Linux kernel's DNS resolution, so one needs to use another service for DNS resolution. – Gektor Oct 17 '22 at 08:33