
I have a Linux box with these interfaces:

eth0      Link encap:Ethernet  HWaddr 14:da:e9:ef:75:7d  
      inet addr:176.9.85.182  Bcast:176.9.85.191  Mask:255.255.255.224

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
      inet addr:10.170.1.6  P-t-P:10.170.1.5  Mask:255.255.255.255

eth0 is my internet connection and tun0 obviously a VPN. Now I want to route all traffic generated by a specific user via the VPN. Since it's my first real routing issue I'm tackling I googled a lot and read these: Routing based on user, Routing based on port, Basic VPN routes and parts of LARTC. So far I puzzled this together:

# Mark all traffic from user
iptables -t mangle -A OUTPUT -o eth0 -m owner --uid-owner 1002 -j MARK --set-mark 10
# Translate source address to VPN address
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# And just to be sure allow forwarding on tun0
iptables -P FORWARD ACCEPT
iptables -A FORWARD -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# Route based on mark
ip rule add fwmark 10 priority 1000 table 10

# Route
ip route add default via 10.170.1.5 dev tun0 table 10
ip rule add from 10.170.1.6/32 priority 1200 table 10
ip rule add to 10.170.1.5/32 priority 1200 table 10

Problem is, according to tcpdump the SNAT works, but the responses are not routed back to the process correctly, even though they seem to have the right source address. I have enabled ip_forwarding with echo 1 > /proc/sys/net/ipv4/ip_forward. What else am I missing?

EDITED:

Setting sysctl -w net.ipv4.conf.tap0.rp_filter=2 enables the user to connect to the internet, but according to wget http://wtfismyip.com/text the IP address is not the VPN but my normal public address.

thanks, steved

15:22:17.713602 IP 10.170.1.6.42225 > google-public-dns-a.google.com.domain: 63046+ A? wtfismyip.com. (31)
15:22:17.713623 IP 10.170.1.6.42225 > google-public-dns-a.google.com.domain: 35494+ AAAA? wtfismyip.com. (31)
15:22:17.747989 IP google-public-dns-a.google.com.domain > 10.170.1.6.42225: 63046 1/0/0 A 54.200.182.206 (47)
15:22:17.854532 IP google-public-dns-a.google.com.domain > 10.170.1.6.42225: 35494 1/0/0 AAAA 2001:470:e8f8:1::1 (59)
steved
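An added example, not part of the question or its comments, showing the same per-user VPN routing written as one consistent script (owner mark in mangle OUTPUT, policy rule keyed on the fwmark, a VPN-only routing table, loose reverse-path filtering) using the UID, interface names and addresses from the question; the `run` and `effective_rp_filter` helpers are my own, and DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not the asker's configuration). Requires root when not in
# DRY_RUN mode; iptables (legacy or nft backend) and iproute2 are assumed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# The kernel uses the LARGER of net.ipv4.conf.all.rp_filter and
# net.ipv4.conf.<iface>.rp_filter, so loosening only the interface value
# changes nothing while "all" is still 1 (strict, the default on many distros).
effective_rp_filter() {  # $1 = conf/all value, $2 = conf/<iface> value
  if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

apply_user_vpn_routing() {  # uid vpn_dev vpn_peer [mark] [table]
  uid=$1; vpn_dev=$2; vpn_peer=$3; mark=${4:-10}; table=${5:-10}

  # 1. Mark the user's locally generated packets. The owner match alone
  #    identifies them; "-o eth0" is dropped because after the reroute that
  #    follows OUTPUT the packet leaves on $vpn_dev, not eth0. No FORWARD
  #    rules or ip_forward are needed: that path is only for transit traffic.
  run iptables -t mangle -A OUTPUT -m owner --uid-owner "$uid" \
      -j MARK --set-mark "$mark"

  # 2. Rewrite the source to the VPN address when leaving on $vpn_dev, so
  #    replies come back through the tunnel to this host.
  run iptables -t nat -A POSTROUTING -o "$vpn_dev" -j MASQUERADE

  # 3. Marked packets consult a table whose only route is the VPN default.
  run ip rule add fwmark "$mark" priority 1000 table "$table"
  run ip route add default via "$vpn_peer" dev "$vpn_dev" table "$table"

  # 4. Replies arrive on $vpn_dev from addresses the main table routes via
  #    eth0; strict reverse-path filtering (1) silently drops them. Set loose
  #    mode (2) on both "all" and the VPN interface (see effective_rp_filter).
  run sysctl -w net.ipv4.conf.all.rp_filter=2
  run sysctl -w "net.ipv4.conf.$vpn_dev.rp_filter=2"
}
```

Check the result as the routed user with `ip route get <address> mark 10` (or `ip rule show` and `iptables -t mangle -vL OUTPUT`) to confirm the marked lookup chooses tun0 before testing with an external "what is my IP" service.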
  • Could you check for typos in 10.170.6/32 and 10.170.5/32 please? Those IPv4 addresses seem to be missing an octet each. – Celada Feb 16 '15 at 15:29
  • I fixed the typos, sorry. – steved Feb 16 '15 at 15:33
  • Setting sysctl -w net.ipv4.conf.tap0.rp_filter=2 shouldn't work / help as you don't seem to have a tap0 interface, but tun0 instead. You're also setting the firewall mark after routing has already decided that the packet must leave the machine on interface eth0, so that can't work IMHO. – wurtel Feb 16 '15 at 15:59
  • @wurtel But according to iptables -v -L -t mangle all the packets are processed by my marking filter, also iptables -v -L -t nat shows that these packages are also processed by the masquerading. Point is my packages are sent via tun0 and if I disable iptables -t mangle -A OUTPUT -o eth0 -m owner --uid-owner 1002 -j MARK --set-mark 10 they are sent via eth0. After OUTPUT there is another routing decision. The problem is the responses to my packages are not forwarded to my process but dropped/rejected. And I don't know why. – steved Feb 16 '15 at 16:21
  • iptables POSTROUTING has ability to do this. Look at this link please: http://serverfault.com/questions/236721/bind-process-or-user-to-specific-ip-linux – WhoCares Aug 10 '16 at 12:06
