policy routing on locally generated packets, ip source address selection, application routing

good day, 


i have been searching for an approach to handle the selection of a
source ip address during the output routing process. 

the netfilter team feels that the issue falls outside the scope of
iptables, so i thought i might ask your advice: 

issues arising from the following situation: 

             +------------------------------+ 
lan_a --->   | eth0        alice       eth1 | ----> isp_a 
             |                              | 
             +------------------------------+ 

here's alice's ifconfig 
eth0   191.168.0.254/24 
eth1   192.168.1.254/24 
eth1:1 192.168.1.100/24 

here's alice's default routing table: 
192.168.0.0/24 dev eth0  scope link 
192.168.1.0/24 dev eth1  scope link 
127.0.0.0/8 dev lo  scope link 


we would like that all applications and protocols (tcp/udp/icmp/arp)
associated userid 500 are routed to isp_b using the alias ip address 

(A) 
iptables --append OUTPUT --table mangle --match owner \ 
         --uid-owner 500 --jump MARK --set-mark 0x2 
ip route add default dev eth3 src 149.174.32.7 table 2 
ip route flush cache 

(A) doesn't work because iptables won't pick up the source address; it
can only be changed using --snat 


(B) 
iptables --append OUTPUT --table mangle --match owner \ 
    --uid-owner 500 --jump MARK --set-mark 0x2 

iptables --append POSTROUTING --table nat --match mark \ 
         --mark 0x2 --jump SNAT --to-source 192.168.1.100 
ip route flush cache 

(B) is an approach to mark the locally generated packets and then snat
them later in the postrouting chain. this works only for tcp/udp and not
for icmp/arp. 

(C) 
ip route delete 192.168.1.0/24 dev eth1 
ip route add 192.168.1.0/24 dev eth1 src 192.168.1.100 
ip route flush cache 

(C) uses ip src address 192.168.1.100 for all tcp/udp/icmp/arp
communication. OUTPUT ROUTING used the src address 
specified in the ip route statement. 


is there a way then, to specify which routing table that a certain
uid/gid/pid will use during the src ip selection process? this would
provide the desired behavior that a user, group, or application can be
routed to a specified interface with a specified ip source address
allowing the administrator the opportunity to account for each packet
sent over the wire and attribute it to their corresponding uid/gid/pid. 

is there an existing methodology to achieve this?

many thanks for your insights ... 

charles shick 
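As an added example (not part of Charles's post or any reply to it), this script builds the per-uid table that approach (A) was reaching for, using the ip rule "uidrange" selector available in Linux 4.10+ with a matching iproute2. Because that selector is consulted on the socket's first route lookup, the "src" hint on the per-table route is what an unbound socket binds to, which is the step a later fwmark reroute cannot change. It assumes the post's values (uid 500, table 2, eth1, alias 192.168.1.100, prefix 192.168.1.0/24) and that `ip route get ... uid N` reproduces the uid-aware lookup.

```shell
#!/bin/sh
# Per-uid policy routing with a routed source address (Linux >= 4.10,
# "uidrange" rule selector). Assumed values come from the post: uid 500,
# table 2, egress eth1, alias 192.168.1.100 on 192.168.1.0/24.

# Print the commands that build the per-uid table; nothing runs here.
# $1 = uid, $2 = table id, $3 = egress device, $4 = source address,
# $5 = on-link prefix of the device (link route kept inside the table).
uid_route_cmds() {
    uid=$1; tbl=$2; dev=$3; src=$4; prefix=$5
    printf 'ip route add %s dev %s src %s table %s\n' "$prefix" "$dev" "$src" "$tbl"
    printf 'ip route add default dev %s src %s table %s\n' "$dev" "$src" "$tbl"
    printf 'ip rule add uidrange %s-%s lookup %s\n' "$uid" "$uid" "$tbl"
    printf 'ip route flush cache\n'
}

# Apply the generated commands (needs CAP_NET_ADMIN); stops at the first error.
apply_uid_routes() {
    uid_route_cmds "$@" | while IFS= read -r cmd; do
        $cmd || return 1
    done
}

# Extract the "src" field from one line of `ip route get` output: that is the
# address the kernel would pick for a new, unbound socket of that uid.
route_get_src() {
    printf '%s\n' "$1" | sed -n 's/.* src \([^ ]*\).*/\1/p'
}

# Verify that a lookup for destination $2 performed as uid $1 selects source $3.
check_uid_source() {
    line=$(ip route get "$2" uid "$1") || return 1
    [ "$(route_get_src "$line")" = "$3" ]
}

# Constructed sample of what `ip route get 198.51.100.9 uid 500` would print
# once the table is in place; used only to exercise the parser offline.
SAMPLE_ROUTE_GET='198.51.100.9 dev eth1 table 2 src 192.168.1.100 uid 500'

# Set APPLY_UID_ROUTES=1 to install the table and verify the selected source.
if [ -n "${APPLY_UID_ROUTES:-}" ]; then
    apply_uid_routes 500 2 eth1 192.168.1.100 192.168.1.0/24 &&
    check_uid_source 500 198.51.100.9 192.168.1.100
fi
```

Run with `APPLY_UID_ROUTES=1` as root to install the rule; without it the script only defines the functions, so it can be sourced and inspected on any host.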