Different routing rules for a particular user using firewall mark and ip rule


Running Ubuntu 12.10 on amd64.

I'm trying to set up different routing rules for a particular user. I understand that the right way to do this is to create a firewall rule that marks the packets for that user, and add a routing rule for that mark. Just to get testing going, I've added a rule that discards all packets as unreachable:

# ip rule
0:  from all lookup local
32765:  from all fwmark 0x1 unreachable
32766:  from all lookup main
32767:  from all lookup default

With this rule in place and all firewall chains in all tables empty and policy ACCEPT, I can still ping remote hosts just fine as any user.

If I then add a rule to mark all packets and try to ping Google, it fails as expected:

# iptables -t mangle -F OUTPUT
# iptables -t mangle -A OUTPUT -j MARK --set-mark 0x01
# ping www.google.com
ping: unknown host www.google.com

If I restrict this rule to the VPN user, it seems to have no effect.

# iptables -t mangle -F OUTPUT
# iptables -t mangle -A OUTPUT -j MARK --set-mark 0x01 -m owner --uid-owner vpn
# sudo -u vpn ping www.google.com
PING www.google.com (173.194.78.103) 56(84) bytes of data.
64 bytes from wg-in-f103.1e100.net (173.194.78.103): icmp_req=1 ttl=50 time=36.6 ms

But it appears that the mark is being set, because if I add a rule to drop these packets in the firewall, it works:

# iptables -t mangle -A OUTPUT -j DROP -m mark --mark 0x01
# sudo -u vpn ping www.google.com
ping: unknown host www.google.com

What am I missing? Thanks!

Paul Crowley

Posted 2012-11-05T22:34:42.830


Answers


Ping is setuid so that it has permission to construct ICMP packets - presumably this also prevents it from picking up the firewall mark. If I try this on a test box, and use dig or telnet in my test cases, the policy route looks to kick in properly.

Jon Topper

Posted 2012-11-05T22:34:42.830


Indeed, I observe the same thing. Still leaves a mystery as to why the DROP rule stops the ping from working, but means I can make progress on this issue. Thank you! – Paul Crowley – 2012-11-06T07:37:18.133

I don't think it has stopped the ping - the error you get there is with the DNS lookup. Try pinging an IP in that test case instead of looking up a name. – Jon Topper – 2012-11-06T15:43:07.907
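A complete setup along the lines the question and the answer describe, as an added example that is not part of the original thread and not code by either poster. The user name vpn, the mark 0x1 and the Google address 173.194.78.103 come from the question; everything else is assumed for illustration: a VPN interface tun0 with gateway 10.8.0.1, routing table 100, rule priority 100, and the helper names run, DRY_RUN, setup_all, show_decision and has_fwmark_rule. Verification follows Jon's advice: check the routing decision with a tool that is not setuid, or ask the kernel directly with ip route get and a mark, rather than trusting ping. The MASQUERADE step is the practitioner's caveat the thread stops short of: the source address is chosen by the first routing decision, before mangle/OUTPUT sets the mark, so without source rewriting the marked packets leave the VPN interface carrying the LAN address.

```shell
#!/bin/sh
# Added example, not code from the original thread: per-user policy routing
# with an iptables owner match, a firewall mark and an ip rule, plus checks.
# Assumed (not in the thread): VPN interface tun0 with gateway 10.8.0.1,
# routing table 100, rule priority 100. User "vpn" and mark 0x1 follow the
# question. run() echoes commands instead of executing them when DRY_RUN=1,
# so the script can be read and checked without root or a real tun0.

USER_NAME="${USER_NAME:-vpn}"   # uid whose packets get the mark
MARK="${MARK:-0x1}"
TABLE="${TABLE:-100}"           # assumed routing table number
VPN_DEV="${VPN_DEV:-tun0}"      # assumed VPN interface
VPN_GW="${VPN_GW:-10.8.0.1}"    # assumed VPN gateway
PRIO="${PRIO:-100}"             # rule priority; must sort before main (32766)
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Mark locally generated packets owned by $USER_NAME. mangle/OUTPUT is the
#    right chain: the kernel repeats the routing decision after this hook
#    changes the mark, so the fwmark rule below is honoured.
setup_mark() {
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$USER_NAME" \
        -j MARK --set-mark "$MARK"
}

# 2. Give marked packets their own table whose default route is the VPN.
setup_route() {
    run ip route replace default via "$VPN_GW" dev "$VPN_DEV" table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority "$PRIO"
}

# 3. The source address was picked by the first routing decision (main
#    table, LAN interface) before the mark existed, so packets would leave
#    $VPN_DEV with the LAN address and replies would never return over the
#    VPN. Rewrite it on the way out. (The user's DNS server must also be
#    reachable through table $TABLE, or lookups fail with "unknown host".)
setup_snat() {
    run iptables -t nat -A POSTROUTING -o "$VPN_DEV" -j MASQUERADE
}

setup_all() { setup_mark; setup_route; setup_snat; }

# Ask the kernel which route a marked vs. an unmarked packet takes. This
# sidesteps test tools entirely, so setuid quirks cannot mislead you.
show_decision() {
    run ip route get "$1" mark "$MARK"
    run ip route get "$1"
}

# Succeed if the 'ip rule' listing on stdin has "fwmark $1 lookup $2". The
# question's "fwmark 0x1 unreachable" test rule does not count as one.
has_fwmark_rule() {
    awk -v m="$1" -v t="$2" '
        $0 ~ ("fwmark " m " lookup " t "( |$)") { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

main() {
    setup_all
    if [ "$DRY_RUN" != 1 ]; then
        ip rule | has_fwmark_rule "$MARK" "$TABLE" ||
            { echo "fwmark rule not installed" >&2; exit 1; }
    fi
    show_decision 173.194.78.103   # the Google address from the question
}

# Only act when invoked as "policy_route.sh apply"; sourcing the file just
# defines the functions.
if [ "${1:-}" = apply ]; then main "$@"; fi
```

Run it with DRY_RUN=1 and the argument apply to see the commands it would issue, and as root with apply to install them. After that, "sudo -u vpn dig +short www.google.com" (dig is not setuid) or the two ip route get lines from show_decision tell you whether table 100 is being used; has_fwmark_rule is there so a deployment script can assert the rule is present instead of eyeballing ip rule output.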