I have two NICs and two IPs. How do I set up routing in a way where everything is sent through the first IP, except the traffic of a given (local) user, whose traffic is sent through the second IP?
I know there are some HOWTOs out there, but in the last 3 days I could not succeed using them.
I liked this http://www.debian-administration.org/article/379/Policy_routing article the best; the only difference in my situation is that I do not deal with PPP connections, I have two Ethernet interfaces.
After setting up everything(?), the given local user's web browsing traffic can be seen in Wireshark, the SYN/ACK comes back to the right IP and interface, but the browser does not answer.
Please help.
---THE WHOLE STORY---
Using a fresh install of Ubuntu 10.10 for testing, the two connections are:
eth0: ip=192.168.168.236 gw=192.168.168.1
wlan0: ip=192.168.2.12 gw=192.168.2.1
nameserver is 192.168.168.1
Firewall is empty at the start (i.e. no rules), all policies are ACCEPT.
root@kipkopp:~# ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@kipkopp:~# ip route show
192.168.2.0/24 dev wlan0 proto kernel scope link src 192.168.2.12 metric 2
192.168.168.0/24 dev eth0 proto kernel scope link src 192.168.168.236 metric 1
169.254.0.0/16 dev eth0 scope link metric 1000
default via 192.168.168.1 dev eth0 proto static
root@kipkopp:~# cat /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
100 copyofmain
101 new
(Building the copyofmain table; table new is empty)
root@kipkopp:~# ip route show table copyofmain
192.168.2.0/24 dev wlan0 proto kernel scope link src 192.168.2.12 metric 2
192.168.168.0/24 dev eth0 proto kernel scope link src 192.168.168.236 metric 1
169.254.0.0/16 dev eth0 scope link metric 1000
default via 192.168.168.1 dev eth0 proto static
root@kipkopp:~# iptables -t mangle -A OUTPUT -m owner --uid-owner 1001 -j MARK --set-mark 1
root@kipkopp:~# ip rule add fwmark 1 pri 100 table copyofmain
root@kipkopp:~# ip rule add from 192.168.168.236 pri 200 table copyofmain
root@kipkopp:~# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source=192.168.168.236
Trying to browse to websites as uid=1001 everything is okay.
(Building the 'new' table)
root@kipkopp:~# ip route show table new
192.168.2.0/24 dev wlan0 proto kernel scope link src 192.168.2.12 metric 1
192.168.168.0/24 dev eth0 proto kernel scope link src 192.168.168.236 metric 2
169.254.0.0/16 dev wlan0 scope link metric 1000
default via 192.168.2.1 dev wlan0 proto static
root@kipkopp:~# ip rule add from 192.168.2.12 pri 200 table new
root@kipkopp:~# iptables -t nat -A POSTROUTING -o wlan0 -j SNAT --to-source=192.168.2.12
root@kipkopp:~# ip rule show
0: from all lookup local
100: from all fwmark 0x1 lookup copyofmain
200: from 192.168.168.236 lookup copyofmain
200: from 192.168.2.12 lookup new
32766: from all lookup main
32767: from all lookup default
Uid 1001 still uses the copyofmain table, and is able to surf the net.
root@kipkopp:~# ip rule delete from all fwmark 0x1 lookup copyofmain
root@kipkopp:~# ip rule add fwmark 1 pri 100 table new
root@kipkopp:~# ip rule list
0: from all lookup local
100: from all fwmark 0x1 lookup new
200: from 192.168.168.236 lookup copyofmain
200: from 192.168.2.12 lookup new
32766: from all lookup main
32767: from all lookup default
Uid 1001 cannot browse any more.
root@kipkopp:~# echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
root@kipkopp:~# echo 0 > /proc/sys/net/ipv4/conf/wlan0/rp_filter
root@kipkopp:~# ip route flush cache
No improvement.
I change the default route in the main(!) table:
root@kipkopp:~# ip route delete default via 192.168.168.1 dev eth0 proto static
root@kipkopp:~# ip route add default via 192.168.2.1 dev wlan0 proto static
Uid 1001 is happy browsing, just like the other users.
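A complete per-uid policy-routing setup for the host described above, added here as an example (it is not the poster's script and not from the linked article). It reuses the interfaces, addresses, uid 1001 and table 101 ("new") from the post; the mark value, the CONNMARK save/restore pair and the dry-run helper are this example's own choices. Two details differ from the transcript and are the ones a practitioner would check first: the reverse-path filter is cleared on conf/all as well as on the two interfaces, because the kernel applies max(conf/all, conf/<iface>) and Ubuntu ships conf/all/rp_filter=1, so clearing only eth0 and wlan0 leaves strict filtering in force; and the connection mark is restored in PREROUTING, so the reply packet, which arrives on wlan0 but is de-NATed back to the eth0 address, also resolves to wlan0 in the reverse-path lookup instead of matching the "from 192.168.168.236" rule and being dropped as coming in on the wrong interface.

```shell
#!/bin/sh
# Per-uid policy routing on a dual-homed host: everything leaves via eth0,
# except traffic of one local user, which leaves via wlan0.
# Added example for this post, not the poster's own script. Interfaces,
# addresses, uid 1001 and table 101 ("new") are taken from the post; the
# mark value and the dry-run helper are assumptions of this example.

PRIMARY_IF=eth0
ALT_IF=wlan0
ALT_IP=192.168.2.12
ALT_GW=192.168.2.1
ALT_NET=192.168.2.0/24
ALT_TABLE=101      # "101 new" in /etc/iproute2/rt_tables
ALT_UID=1001
MARK=1

# run CMD ARGS...: execute the command, or only print it when DRY_RUN is
# set, so the whole plan can be reviewed (and tested) without root.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Strict reverse-path filtering is what drops the replies: the effective
# value is max(conf/all, conf/<iface>), so clearing only the per-interface
# knobs, as in the post, changes nothing while conf/all is still 1.
set_sysctls() {
    for i in all "$PRIMARY_IF" "$ALT_IF"; do
        run sysctl -w "net.ipv4.conf.$i.rp_filter=0"
    done
}

# The alternate table only needs the wlan0 link route and its own default;
# a copy of main is not required.
add_alt_table() {
    run ip route replace "$ALT_NET" dev "$ALT_IF" src "$ALT_IP" table "$ALT_TABLE"
    run ip route replace default via "$ALT_GW" dev "$ALT_IF" table "$ALT_TABLE"
}

# Marked packets (the user's) and anything already sourced from ALT_IP
# consult the alternate table; everything else falls through to main.
add_rules() {
    run ip rule add fwmark "$MARK" table "$ALT_TABLE" pri 100
    run ip rule add from "$ALT_IP" table "$ALT_TABLE" pri 200
}

add_firewall() {
    # Mark in mangle OUTPUT; the kernel re-routes a packet whose mark changed
    # there, so the fwmark rule above is consulted.
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$ALT_UID" \
        -j MARK --set-mark "$MARK"
    # Keep the mark on the connection and restore it on incoming packets, so
    # replies also resolve to ALT_IF in the reverse-path lookup.
    run iptables -t mangle -A OUTPUT -m mark --mark "$MARK" -j CONNMARK --save-mark
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # The socket was bound to eth0's address before the mark existed, so the
    # source must be rewritten on the way out of wlan0; conntrack maps the
    # reply back.
    run iptables -t nat -A POSTROUTING -o "$ALT_IF" -j SNAT --to-source "$ALT_IP"
}

# configure: perform the whole setup (requires root unless DRY_RUN is set).
configure() {
    set_sysctls
    add_alt_table
    add_rules
    add_firewall
    run ip route flush cache   # needed on 2.6 kernels after rule changes
}

# plan: print every command configure would run, without running anything.
plan() {
    ( DRY_RUN=1; configure )
}

case "${1:-}" in
    apply) configure ;;
    plan)  plan ;;
esac
```

Run it as `sh setup.sh plan` to review the twelve commands it would issue, then `sudo sh setup.sh apply`. With only these rules in place the other users keep the main table's default via eth0, so the post's last step (moving main's default to wlan0) is not needed.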