Use non default route as non privileged user

Question

On Ubuntu 16.04, the default route for IPv4 is an interface other than eth0.

If I try to

curl -vvv --interface eth0 v4.ifconfig.co

I get

* SO_BINDTODEVICE eth0 failed with errno 1: Operation not permitted; will do regular bind

But if I sudo it works fine.

How do I change the config so that services running under this non privileged user can use eth0 for IPv4? I don't think I can just change sudo config to allow this because I don't want the service to run anything as root. I also want to maintain the default route for IPv4 on the current interface.

score 1 · Accepted Answer · answered Jul 13 '18 at 21:41

1

See Per-process routing. Assuming the user is foo, the IP address of eth0 is 10.1.1.1, and the router is 10.1.1.254 :

iptables -t mangle -A OUTPUT -m owner --uid-owner foo -j MARK --set-mark 42
iptables -t nat -A POSTROUTING -o eth0 -m mark --mark 42 -j SNAT --to-source 10.1.1.1
ip rule add fwmark 42 table 42
ip route add default via 10.1.1.254 dev eth0 table 42

You'll also need sysctl net.ipv4.conf.eth0.rp_filter=0.

answered Jul 13 '18 at 21:41

Mark Wagner

17,764
2
30
47

I assume `--uid-owner foo` makes all processes from user foo use eth0? – Gaia Jul 13 '18 at 23:19
1

Yes, all processes. – Mark Wagner Jul 13 '18 at 23:48
How would you compare this method with using network namespaces OR cgroups+iptables+policy routing, as described in http://www.evolware.org/?p=369 ? – Gaia Jul 17 '18 at 17:27
Does this work for TCP and UDP? – Gaia Jul 20 '18 at 16:35
1

Yes, it works with anything netfilter can handle. – Mark Wagner Jul 20 '18 at 19:56
Seems like the last two rules do not persist on reboot. how do i make them stick? – Gaia Jul 20 '18 at 20:15
I'm following https://blog.scottlowe.org/2013/05/29/a-quick-introduction-to-linux-policy-routing/ and trying to figure out how to make it permanent. – Gaia Jul 20 '18 at 21:42
rp_filter set to 2 should suffice (see https://serverfault.com/a/816421/34560). It works with 2, but I still can't get it to persist across reboots. – Gaia Jul 21 '18 at 06:39

score 0 · Answer 2 · answered Jul 13 '18 at 18:35

0

Try to use getcap/setcap and check out man 7 capabilities. In your case some NET_CAP_* should do the job.

answered Jul 13 '18 at 18:35

hargut

3,848
6
10

The command is `sudo setcap cap_net_raw=eip /usr/bin/curl` – Mark Wagner Jul 13 '18 at 23:59

Use non default route as non privileged user

2 Answers2

Linked