Home / server / Questions / 974223
Accepted
POMATu
Asked: 2019-07-07 13:15:13 +0800 CST

Dante on multiple gateways in subnet

  • 772

I have two gateways in my subnet. 192.168.1.2 - main 192.168.1.1 - secondary (yeah that's not a mistake)

So I am using 192.168.1.2 everywhere as default route

Is it possible to configure danted so it will forward outgoing connections to the secondary gateway (192.168.1.1) while main system will use main gateway? Or should I do some tweaking with iptables to achieve that?

Other possible solution is to do an lxc container with different network stack, but I am trying to achieve same goal on rpi with not much RAM and without that kind of redundant solutions.

So I wonder if it supports that out of the box, or maybe I can split network stack without any virtualization? (create virtual interface with other gateway maybe and then pass that secondary interface to danted)

Thanks

linux-networking

1 Answers

  1. Best Answer

    So my main gateway on that machine is 192.168.1.2. I wan't to redirect all traffic from specific user through another gateway 192.168.1.1

    Creating new user that will be redirected to another gateway

    useradd -m proxy

    Adding new routing table

    echo "201     gw1" >> /etc/iproute2/rt_tables

    adding ip rule so all marked packets will go to new routing table

    ip rule add fwmark 0x1 table gw1
ip route add default via 192.168.1.1 dev eth0 table gw1

    marking all packets from user proxy (and allowing our subnet to communicate without any redirection)

    iptables -A OUTPUT -t mangle -o eth0 ! -d 192.168.1.0/24 -m owner --uid-owner proxy -j MARK --set-mark 1

    This way user proxy will use separate routing table

    now all ip traffic works fine, but dns don't work

    curl -H "Host: ifconfig.me" 216.239.32.21

    DNS requests don't work because it tries to use 127.0.0.1:53 which is routed through main gateway

    now redirecting also dns traffic to same gateway, not letting it touch 127.0.0.1:53

    iptables -t nat -A OUTPUT -m owner --uid-owner proxy -p udp --dport 53 -j DNAT --to 192.168.1.1:53
iptables -t nat -A OUTPUT -m owner --uid-owner proxy -p tcp --dport 53 -j DNAT --to 192.168.1.1:53

    You can also put 8.8.8.8 there and it will be passed through 192.168.1.1, the main idea is to get it away from local caching dns server

    now dns requests routed fine, you can check that with sniffer, however dig still shows dns from default gateway

    curl ifconfig.me

    making danted (or any other app) to use that rules by making it run as proxy user in dated.conf

    #user.privileged: root
user.notprivileged: proxy
#user.libwrap: libwrap

    and now you can add ip rule, ip route and iptables lines to rc.local and point your browser to danted socks server. All outbound traffic will be routed to 192.168.1.1 gateway

    • 1