Wednesday, August 16, 2017

route to specific destination based on uid and mangle

** info
- traffic to 23.0.0.0/24 should be reachable via the gateway 192.168.58.2
- user1 has uid 1001


1- setup
$ sudo iptables -t mangle -A OUTPUT -m owner --uid-owner 1001 -j MARK --set-mark 3
$ echo "3 otable" | sudo tee -a /etc/iproute2/rt_tables
$ sudo ip rule add fwmark 3 table 3
$ sudo ip route add default via 192.168.58.2 table 3
2- test
$ sudo -u user1 ping 23.0.0.1
- show mangle rules
$ iptables -t mangle -L -v
Chain PREROUTING (policy ACCEPT 5406 packets, 396K bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain INPUT (policy ACCEPT 5406 packets, 396K bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 5219 packets, 409K bytes)
 pkts bytes target     prot opt in     out     source               destination        
    4   336 MARK       all  --  any    any     anywhere             3.3.3.0/24           MARK set 0x2
    5   420 MARK       all  --  any    any     anywhere             anywhere             owner UID match user1 MARK set 0x3

Chain POSTROUTING (policy ACCEPT 5219 packets, 409K bytes)
 pkts bytes target     prot opt in     out     source               destination        
- list route table 3 (otable)
$ ip route list table 3
default via 192.168.58.2 dev enp0s3
- show ip rule
$ ip rule
0:    from all lookup local
32764:    from all fwmark 0x3 lookup otable
32765:    from all fwmark 0x2 lookup mtable
32766:    from all lookup main
32767:    from all lookup default
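The listings above are the four places a uid-based policy route can silently disagree (mark value, rt_tables name, ip rule, per-table default route). The following added script, not part of the original post, cross-checks them from captured command output; the samples are constructed from the listings shown here, with iptables assumed to have been run with -n so the uid appears numerically.

```sh
#!/bin/sh
# Added example: verify that mangle MARK -> ip rule -> rt_tables -> route table
# all line up for one uid. Parses saved command output, so it runs offline.
# Constructed samples based on the listings in the post (iptables with -n).
MANGLE='Chain OUTPUT (policy ACCEPT 5219 packets, 409K bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   336 MARK       all  --  *      *       0.0.0.0/0            3.3.3.0/24           MARK set 0x2
    5   420 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1001 MARK set 0x3'
RT_TABLES='254 main
3 otable'
IP_RULE='0:    from all lookup local
32764:    from all fwmark 0x3 lookup otable
32765:    from all fwmark 0x2 lookup mtable
32766:    from all lookup main
32767:    from all lookup default'
ROUTE_T3='default via 192.168.58.2 dev enp0s3'   # output of: ip route list table 3

# mark_for_uid UID MANGLE_OUTPUT -> hex mark set for that uid (e.g. 0x3), empty if none
mark_for_uid() {
    printf '%s\n' "$2" | awk -v uid="$1" \
        '$0 ~ ("owner UID match " uid " ") && /MARK set/ { print $NF; exit }'
}

# table_for_mark MARK IP_RULE_OUTPUT -> table (name or number) the mark is looked up in
table_for_mark() {
    printf '%s\n' "$2" | awk -v mark="$1" \
        '{ for (i = 1; i < NF; i++) if ($i == "fwmark" && $(i+1) == mark) { print $NF; exit } }'
}

# table_id NAME_OR_NUMBER RT_TABLES -> numeric table id (names resolved via rt_tables)
table_id() {
    case "$1" in
        *[!0-9]*) printf '%s\n' "$2" | awk -v n="$1" '$2 == n { print $1; exit }' ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# default_gw ROUTE_OUTPUT -> gateway of the default route in that table
default_gw() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# check_uid_route UID EXPECTED_GW -> 0 only if mark -> rule -> table 3 -> gateway all resolve
check_uid_route() {
    mark=$(mark_for_uid "$1" "$MANGLE");           [ -n "$mark" ] || return 1
    tbl=$(table_for_mark "$mark" "$IP_RULE");       [ -n "$tbl" ]  || return 1
    [ "$(table_id "$tbl" "$RT_TABLES")" = "3" ]                    || return 1
    [ "$(default_gw "$ROUTE_T3")" = "$2" ]
}
```

On a live host, replace the sample variables with the real outputs of `iptables -t mangle -L OUTPUT -v -n`, `cat /etc/iproute2/rt_tables`, `ip rule` and `ip route list table 3`.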
