
I have a Linux box with these interfaces:

eth0      Link encap:Ethernet  HWaddr 14:da:e9:ef:75:7d  
      inet addr:176.9.85.182  Bcast:176.9.85.191  Mask:255.255.255.224

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
      inet addr:10.170.1.6  P-t-P:10.170.1.5  Mask:255.255.255.255

eth0 is my internet connection and tun0 obviously a VPN. Now I want to route all traffic generated by a specific user via the VPN. Since it's my first real routing issue I'm tackling, I googled a lot and read these: Routing based on user, Routing based on port, Basic VPN routes and parts of LARC. So far I puzzled this together:

# Mark all traffic from user (uid 1002) with fwmark 10
iptables -t mangle -A OUTPUT -o eth0 -m owner --uid-owner 1002 -j MARK --set-mark 10
# Translate source address to VPN address for everything leaving via tun0
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# And just to be sure allow forwarding on tun0
iptables -P FORWARD ACCEPT
iptables -A FORWARD -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Route based on mark: marked packets are looked up in table 10
ip rule add fwmark 10 priority 1000 table 10

# Route: table 10 sends everything to the VPN peer over tun0
ip route add default via 10.170.1.5 dev tun0 table 10
ip rule add from 10.170.1.6/32 priority 1200 table 10
ip rule add to 10.170.1.5/32 priority 1200 table 10

Problem is, according to tcpdump the SNAT works, but the responses are not routed back to the process correctly, even though they seem to have the right source address. I have enabled ip_forwarding with echo 1 > /proc/sys/net/ipv4/ip_forward. What else am I missing?

EDITED:

Setting sysctl -w net.ipv4.conf.tap0.rp_filter=2 enables the user to connect to the internet, but according to wget http://wtfismyip.com/text the IP address is not the VPN but my normal public address.

thanks, steved

15:22:17.713602 IP 10.170.1.6.42225 > google-public-dns-a.google.com.domain: 63046+ A? wtfismyip.com. (31)
15:22:17.713623 IP 10.170.1.6.42225 > google-public-dns-a.google.com.domain: 35494+ AAAA? wtfismyip.com. (31)
15:22:17.747989 IP google-public-dns-a.google.com.domain > 10.170.1.6.42225: 63046 1/0/0 A 54.200.182.206 (47)
15:22:17.854532 IP google-public-dns-a.google.com.domain > 10.170.1.6.42225: 35494 1/0/0 AAAA 2001:470:e8f8:1::1 (59)
steved
  • Could you check for typos in `10.170.6/32` and `10.170.5/32` please? Those IPv4 addresses seem to be missing an octet each. – Celada Feb 16 '15 at 15:29
  • I fixed the typos, sorry. – steved Feb 16 '15 at 15:33
  • Setting `sysctl -w net.ipv4.conf.tap0.rp_filter=2` shouldn't work / help as you don't seem to have a `tap0` interface, but `tun0` instead. You're also setting the firewall mark *after* routing has already decided that the packet must leave the machine on interface eth0, so that can't work IMHO. – wurtel Feb 16 '15 at 15:59
  • @wurtel But according to `iptables -v -L -t mangle` all the packets are processed by my marking filter, also `iptables -v -L -t nat` shows that these packages are also processed by the masquerading. Point is my packages are sent via `tun0` and if I disable `iptables -t mangle -A OUTPUT -o eth0 -m owner --uid-owner 1002 -j MARK --set-mark 10` they are sent via `eth0`. After OUTPUT there is another routing decision. The problem is the responses to my packages are not forwarded to my process but dropped/rejected. And I don't know why. – steved Feb 16 '15 at 16:21
  • iptables POSTROUTING has ability to do this. Look at this link please: http://serverfault.com/questions/236721/bind-process-or-user-to-specific-ip-linux – WhoCares Aug 10 '16 at 12:06

0 Answers
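A consistency checker for the kind of fwmark setup discussed above, as an added example that is not part of the question or its comments. It parses constructed `iptables-save -t mangle`, `ip rule show` and `ip route show table 10` output modelled on the rules in the question and reports the mismatches the thread turns on: a MARK value that no `ip rule` selects, a table with no default route, strict rp_filter on the interface the table routes through (replies arrive on tun0 while the reverse-path lookup points at eth0), and an rp_filter sysctl applied to an interface that does not exist (the tap0/tun0 point in wurtel's comment). The sample outputs, the interface list and the rp_filter values are constructed, not captured from the asker's host; the effective rp_filter being the larger of `conf.all` and the per-interface value follows the kernel's documented behaviour.

```python
"""Consistency checks for fwmark-based policy routing (added example, not from the question)."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class MarkRule:
    chain: str
    out_iface: Optional[str]
    uid: Optional[str]
    mark: int


@dataclass
class PolicyRule:
    priority: int
    fwmark: Optional[int]
    table: str


def parse_mark_rules(mangle_save: str) -> list[MarkRule]:
    """Extract MARK targets from `iptables-save -t mangle` output.
    Accepts `--set-mark 10` as typed and `--set-xmark 0xa/0xffffffff` as iptables-save writes it."""
    rules = []
    for line in mangle_save.splitlines():
        if not line.startswith("-A ") or "-j MARK" not in line:
            continue
        mark = re.search(r"--set-x?mark\s+(0x[0-9a-fA-F]+|\d+)", line)
        if not mark:
            continue
        out = re.search(r"\s-o\s+(\S+)", line)
        uid = re.search(r"--uid-owner\s+(\S+)", line)
        rules.append(MarkRule(line.split()[1], out.group(1) if out else None,
                              uid.group(1) if uid else None, int(mark.group(1), 0)))
    return rules


def parse_ip_rules(ip_rule_show: str) -> list[PolicyRule]:
    """Parse lines such as `1000:\tfrom all fwmark 0xa lookup 10`."""
    rules = []
    for line in ip_rule_show.splitlines():
        m = re.match(r"(\d+):\s+(.*?)\s+lookup\s+(\S+)", line)
        if not m:
            continue
        fw = re.search(r"fwmark\s+(0x[0-9a-fA-F]+|\d+)", m.group(2))
        rules.append(PolicyRule(int(m.group(1)), int(fw.group(1), 0) if fw else None, m.group(3)))
    return rules


def parse_routes(ip_route_show: str) -> list[dict]:
    """Parse `ip route show table N` into {"dst", "via", "dev"} records."""
    routes = []
    for line in ip_route_show.splitlines():
        parts = line.split()
        if not parts:
            continue
        rec = {"dst": parts[0], "via": None, "dev": None}
        for key in ("via", "dev"):
            if key in parts:
                rec[key] = parts[parts.index(key) + 1]
        routes.append(rec)
    return routes


def effective_rp_filter(rp_filter: dict[str, int], iface: str) -> int:
    """The kernel validates sources with max(conf.all.rp_filter, conf.<iface>.rp_filter)."""
    return max(rp_filter.get("all", 0), rp_filter.get(iface, 0))


def check_policy_routing(mangle_save: str, ip_rule_show: str, tables: dict[str, str],
                         interfaces: list[str], rp_filter: dict[str, int]) -> list[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    marks = parse_mark_rules(mangle_save)
    rules = parse_ip_rules(ip_rule_show)
    if not marks:
        findings.append("mangle table has no MARK rule, so no packet ever carries an fwmark")
    for mr in marks:
        selected = [r for r in rules if r.fwmark == mr.mark]
        if not selected:
            findings.append(f"MARK 0x{mr.mark:x} in {mr.chain} is not matched by any `ip rule ... fwmark`")
            continue
        for r in selected:
            defaults = [rt for rt in parse_routes(tables.get(r.table, "")) if rt["dst"] == "default"]
            if not defaults:
                findings.append(f"table {r.table} (selected for fwmark 0x{mr.mark:x}) has no default route")
            for rt in defaults:
                dev = rt["dev"]
                if dev is None:
                    continue  # no dev on the route: cannot tell where replies will arrive
                if dev not in interfaces:
                    findings.append(f"table {r.table}: default route uses {dev}, which is not a configured interface")
                elif effective_rp_filter(rp_filter, dev) == 1:
                    findings.append(f"{dev}: rp_filter is strict (1); replies to marked flows arrive on {dev} "
                                    f"but the reverse-path lookup points elsewhere, so they are dropped; use loose mode (2)")
    for iface in rp_filter:
        if iface not in interfaces and iface not in ("all", "default"):
            findings.append(f"rp_filter set on {iface}, but no such interface (have: {', '.join(interfaces)})")
    return findings


# Constructed sample, modelled on the question's rules (not captured from a real host).
SAMPLE_MANGLE = "*mangle\n:OUTPUT ACCEPT [0:0]\n-A OUTPUT -o eth0 -m owner --uid-owner 1002 -j MARK --set-xmark 0xa/0xffffffff\nCOMMIT\n"
SAMPLE_IP_RULE = ("0:\tfrom all lookup local\n1000:\tfrom all fwmark 0xa lookup 10\n"
                  "1200:\tfrom 10.170.1.6 lookup 10\n1200:\tfrom all to 10.170.1.5 lookup 10\n"
                  "32766:\tfrom all lookup main\n32767:\tfrom all lookup default\n")
SAMPLE_TABLES = {"10": "default via 10.170.1.5 dev tun0\n"}
SAMPLE_IFACES = ["lo", "eth0", "tun0"]


def audit_as_posted() -> list[str]:
    """rp_filter loosened on tap0 while the table routes via tun0, as in the question's edit."""
    return check_policy_routing(SAMPLE_MANGLE, SAMPLE_IP_RULE, SAMPLE_TABLES, SAMPLE_IFACES,
                                {"all": 0, "tun0": 1, "tap0": 2})


def audit_corrected() -> list[str]:
    """Same rules with loose rp_filter on the interface table 10 actually uses."""
    return check_policy_routing(SAMPLE_MANGLE, SAMPLE_IP_RULE, SAMPLE_TABLES, SAMPLE_IFACES,
                                {"all": 0, "tun0": 2})


if __name__ == "__main__":
    for name, fn in (("as posted", audit_as_posted), ("corrected", audit_corrected)):
        print(f"== {name} ==")
        for finding in fn() or ["no findings"]:
            print(" -", finding)
```

On a real host the three inputs would come from `iptables-save -t mangle`, `ip rule show` and `ip route show table 10`, and the interface list and rp_filter values from `ip -o link` and `sysctl net.ipv4.conf`; the checker stays read-only and changes nothing.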