4

My Linux machine has two accounts. I want to set a different default gateway for each account. How can I do this, if it is possible?

kasperd
kev
    Given that you have a very high score in the bash tag on SO (and the answers are good), I'm going to treat this as a serious question. Networking stacks generally do not implement routing policies that are influenced by the owner of a socket. You would need to change the default route via a script framework of your own making. – Andrew B May 06 '15 at 02:24
  • @AndrewB Thank you for your answer. You mean I can only set the `default gateway` globally? – kev May 06 '15 at 04:08
  • There are two approaches to this. Either use policy based routing as explained in the answer by peterh, or use networking namespaces. – kasperd May 06 '15 at 08:07

1 Answer

2

The routing table is a system-wide thing, not user-specific. So it is not really simple.

The steps are the following:

1: Create the multiple routing tables with extensive use of the `ip route` and `ip rule` commands.

2: Set up iptables to mark the outgoing packets based on the UID of the sender process.

3: Set up your routing tables based on the marks (which the outgoing packets got from iptables).

The result will be that all processes belonging to a user will use the alternate routing table.


Extension #1: Unfortunately `ip route` and `ip rule` aren't really well documented. But you can create multiple routing tables with their own different rules. Beware: they are routing tables, a totally different thing from iptables! And the trick is that you can "mark" packets in iptables, which essentially means that you can give them a single integer value. And finally, you can set up iptables rules to route the marked packets other ways (with other routing tables). It is a clean, well-functioning feature, but not really well documented.

Extension #2: AFAIK `ip rule` is the command to handle the multiple routing table entities. With `ip route` you can also set into which routing table you want to insert (modify) a given route.

Extension #3: Changing the routing tables of outgoing packets by iptables is not trivial; this post does what worked for me as well.

peterh
  • I didn't copy-paste the exact `iptables` / `ip route` commands, because I don't remember them exactly. But if you want I would try to reconstruct them. – peterh May 06 '15 at 04:05
  • Can you provide some documents/references links? Thank you! – kev May 06 '15 at 04:10
  • @kev Huhh, unfortunately `ip route` isn't really well documented! But thank you for the acceptance. But you _can_ create multiple routing tables with their own different rules. They are *routing tables*, a totally different thing from `iptables`! And the trick is that you can "mark" packets in iptables, which essentially means that you can give them a single integer value. And finally, you can set up iptables rules to route the marked packets other ways (with other routing tables). It is a clean, well-functioning feature, but not really well documented. :-( – peterh May 06 '15 at 04:17
  • I'm a little bit confused by *"set up iptables to change the routing table of the outgoing packets based on the UID of the sender process"*. Is there an iptables target that accomplishes this? I'm aware that `--uid-owner` can be used in the OUTPUT chain, but how would you have it select a different routing table? – Andrew B May 06 '15 at 05:02
  • @AndrewB I can't remember exactly, last time I did this around 5 years ago. But [here](http://serverfault.com/questions/345111/iptables-target-to-route-packet-to-specific-interface) is, what I did then. – peterh May 06 '15 at 05:04
  • Ah, okay. You're using iptables to mark the packets based on the uid criteria, and then instructing iproute2 to select routing tables via the `fwmark` option of `ip rule`. Interesting approach, but definitely maddening to troubleshoot without documentation. – Andrew B May 06 '15 at 05:10
  • I found a doc: http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html – kev May 09 '15 at 11:08
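The three steps from the answer (extra table, owner-based mark, `fwmark` rule) as an added example that is not the answer's own commands: the script emits the iproute2/iptables commands for a dry run so they can be reviewed before being applied. UID 1001, gateway 192.0.2.1 on eth0 with LAN 192.0.2.0/24, table 100 and mark 0x1 are assumed placeholder values.

```shell
#!/bin/sh
# Per-UID policy routing, constructed example (not from the original post).
# Placeholders: UID 1001, alternate gateway 192.0.2.1 via eth0 (LAN 192.0.2.0/24),
# routing table 100, firewall mark 0x1.
set -eu

# Emit the commands for one user.  Arguments: uid table mark gateway iface lan_cidr
pbr_commands() {
    uid=$1; table=$2; mark=$3; gw=$4; dev=$5; lan=$6
    # Step 1: an extra routing table.  A new table starts empty, so the connected
    # LAN route must be copied in too; otherwise marked packets for directly
    # reachable hosts would be sent to the gateway.
    printf 'ip route add %s dev %s table %s\n' "$lan" "$dev" "$table"
    printf 'ip route add default via %s dev %s table %s\n' "$gw" "$dev" "$table"
    # Step 2: mark locally generated packets of processes owned by the user.
    # The owner match only works in OUTPUT, where the sending process is known;
    # forwarded traffic is never affected by this rule.
    printf 'iptables -t mangle -A OUTPUT -m owner --uid-owner %s -j MARK --set-mark %s\n' "$uid" "$mark"
    # Step 3: marked packets are looked up in the alternate table.  "ip rule add"
    # without "pref" is placed just ahead of the main table (priority 32766).
    printf 'ip rule add fwmark %s lookup %s\n' "$mark" "$table"
}

# Reverse of pbr_commands, so the change can be backed out.  Arguments: uid table mark
pbr_cleanup_commands() {
    uid=$1; table=$2; mark=$3
    printf 'ip rule del fwmark %s lookup %s\n' "$mark" "$table"
    printf 'iptables -t mangle -D OUTPUT -m owner --uid-owner %s -j MARK --set-mark %s\n' "$uid" "$mark"
    printf 'ip route flush table %s\n' "$table"
}

# Dry run by default; --apply / --cleanup pipe the commands into a shell (run as root).
case "${1:-}" in
    --apply)   pbr_commands 1001 100 0x1 192.0.2.1 eth0 192.0.2.0/24 | sh -e ;;
    --cleanup) pbr_cleanup_commands 1001 100 0x1 | sh -e ;;
    *)         pbr_commands 1001 100 0x1 192.0.2.1 eth0 192.0.2.0/24 ;;
esac
```

After applying, `ip rule show`, `ip route show table 100` and `iptables -t mangle -L OUTPUT -v` confirm the setup; the MARK counter should increase as the user's processes send traffic, and `ip route get <dst> mark 0x1` shows which gateway a marked packet takes.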