Comments on Tricks of the Trade: Per-process routing
Blog author: Seb (http://www.blogger.com/profile/04426355415632546147)
Comment feed last updated: 2024-01-20T13:13:53.600+01:00


Anonymous, 2013-09-10T11:34:57.733+02:00

I tried your solution but something doesn't work properly.
Connections using the wifi user won't work at all; apparently they don't receive any replies, but tcpdump shows outgoing and incoming packets.


Anonymous, 2013-04-06T05:30:05.034+02:00

Thanks for the post. I was able to get it working based on this. I had to disable reverse path routing for what I was trying to accomplish (Squid and deluge traffic via VPN, everything else local routing).

I also added a bogus default route to table 42 so that traffic wouldn't go out the local connection if the VPN goes down.

    # mark packets owned by the deluge and squid users, except those for the local LAN
    iptables -t mangle -I OUTPUT -m owner --uid-owner deluge -j MARK --set-mark 42
    iptables -t mangle -I OUTPUT -m owner --uid-owner squid -j MARK --set-mark 42
    iptables -t mangle -I OUTPUT -d 192.168.1.0/24 -m owner --uid-owner deluge -j RETURN
    iptables -t mangle -I OUTPUT -d 192.168.1.0/24 -m owner --uid-owner squid -j RETURN

    # rewrite the source address of anything leaving via the VPN interface
    iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE

    # gateway of the default route that OpenVPN installed on tun0
    IP=`netstat -rn | grep tun0 | grep ^0.0.0.0 | awk '{print $2}'`

    # marked packets are looked up in routing table 42
    ip rule add fwmark 42 table 42

    # bogus default (local router) plus two half-routes via the VPN that override it
    ip route add default via 192.168.1.250 table 42
    ip route add 0.0.0.0/1 via $IP table 42
    ip route add 128.0.0.0/1 via $IP table 42

    # remove the VPN half-routes from the main table so other traffic stays local
    ip route del 0.0.0.0/1
    ip route del 128.0.0.0/1
    echo 0 > /proc/sys/net/ipv4/conf/tun0/rp_filter


harald (https://www.blogger.com/profile/01736486280936673301), 2013-03-11T20:10:29.784+01:00

Three+ years later, one thing has changed - reverse path filtering is now enabled by default on many systems, so the reply packets get dropped by the kernel. The fix is to run "sysctl net.ipv4.conf.ath0.rp_filter=0". Maybe this will help someone else save two hours of intense googling ;)


Anonymous, 2011-11-29T08:22:35.721+01:00

Works great! Thanks.


Iordan (https://www.blogger.com/profile/06192575822355012848), 2010-10-23T21:39:29.120+02:00

I am trying to implement your suggestion with slight modifications (instead of over wifi, I'm trying to send the packets out on a tap interface over OpenVPN, and my user is called vpnuser), but something isn't right. The vpnuser packets are still routed through the physical interface, rather than the virtual tap interface.

Here are the exact commands I used:

    iptables -t mangle -A OUTPUT -m owner --uid-owner vpnuser -j MARK --set-mark 42
    iptables -t nat -A POSTROUTING -o tap0 -m mark --mark 42 -j SNAT --to-source 192.168.10.161

    ip rule add fwmark 42 table 42
    ip route add default via 192.168.10.1 dev tap0 table 42

where 192.168.10.161 is my OpenVPN IP address.

If this looks right, can you suggest any good methods for debugging this which would show:

1) Whether the packets are properly being marked by iptables for user vpnuser
2) Whether they are ending up in table 42 at all?

Do you have any other suggestions?

Thanks!
Iordan Iordanov


Anonymous, 2009-06-22T06:47:30.878+02:00

Great idea, I am also searching for the same.


boklm (http://n0x.org/), 2009-04-26T12:43:00.000+02:00

Interesting idea. This can be useful. Thanks!