My Linux machine has two accounts. I want to set a different default gateway for each account. How can I do this, if it is possible?
2 Answers
The routing table is a system-wide thing, not user-specific, so it is not really simple.
The steps are the following:
1: Create the multiple routing tables with extensive use of the ip route and ip rule commands.
2: Set up iptables to mark the outgoing packets based on the UID of the sender process.
3: Set up your routing tables based on the marks (which the outgoing packets got from iptables).
The result will be that all processes belonging to a user use the alternate routing table.
Extension #1: Unfortunately ip route and ip rule aren't really well documented. But you can create multiple routing tables with their different rules. Beware: they are routing tables, a totally different thing from the iptables! And the trick is that you can "mark" packets in iptables, which essentially means that you can give them a single integer value. And finally, you can set up iptables rules to route the marked packets other ways (with other routing tables). It is a clean, well-functioning feature, but not really well documented.
Extension #2: AFAIK ip rule is the command to handle the multiple routing table entities. With ip route you can also set into which routing table you want to insert (or modify) a given route.
Extension #3: Changing the routing tables of outgoing packets by iptables is not trivial; this post does what also worked for me.
I didn't copy-paste the exact iptables/ip route commands, because I don't remember them exactly. But if you want I would try to reconstruct them. – peterh May 06 '15 at 04:05
@kev Huhh, unfortunately ip route isn't really well documented! But thank you for the acceptance. But you can create multiple routing tables with their different rules. They are routing tables, a totally different thing from the iptables! And the trick is that you can "mark" packets in iptables, which essentially means that you can give them a single integer value. And finally, you can set up iptables rules to route the marked packets other ways (with other routing tables). It is a clean, well-functioning feature, but not really well documented. :-( – peterh May 06 '15 at 04:17
I'm a little bit confused by "set up iptables to change the routing table of the outgoing packets based on the UID of the sender process". Is there an iptables target that accomplishes this? I'm aware that --uid-owner can be used in the OUTPUT chain, but how would you have it select a different routing table? – Andrew B May 06 '15 at 05:02
@AndrewB I can't remember exactly; the last time I did this was around 5 years ago. But here is what I did then. – peterh May 06 '15 at 05:04
Ah, okay. You're using iptables to mark the packets based on the uid criteria, and then instructing iproute2 to select routing tables via the fwmark option of ip rule. Interesting approach, but definitely maddening to troubleshoot without documentation. – Andrew B May 06 '15 at 05:10
I found a doc: http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html – kev May 09 '15 at 11:08
Yet see my example here: uidrange routing table
While at the moment that link may point to an answer, due to how often such information ends up being less or no longer accessible, we prefer to have a substantial explanation in the answer here, even when that or expanded information is also available behind a link. – anx Aug 05 '23 at 01:41
default gateway globally. – kev May 06 '15 at 04:08
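The script below is an added illustration of both answers' approaches; it is not peterh's original commands (which he writes he no longer remembers) and not the contents of the second answer's link. It generates, for review, the commands for the three steps of the first answer (extra routing table, iptables MARK by --uid-owner in OUTPUT, ip rule on the fwmark) and, as an alternative, the single ip rule uidrange line the second answer points at. All values are constructed placeholders: UID 1001 for the second account, gateway 192.0.2.254 on eth1, routing table 100 and firewall mark 0x1 assumed to be unused on the host.

```shell
#!/bin/sh
# Added example, not code from the answers above. Placeholder settings, override via
# environment: ALT_UID (account whose traffic uses the other gateway), ALT_GW (the
# alternate gateway; 192.0.2.254 is a documentation address), ALT_DEV (interface that
# reaches it), ALT_TABLE (spare routing-table number), ALT_MARK (spare firewall mark).
ALT_UID="${ALT_UID:-1001}"
ALT_GW="${ALT_GW:-192.0.2.254}"
ALT_DEV="${ALT_DEV:-eth1}"
ALT_TABLE="${ALT_TABLE:-100}"
ALT_MARK="${ALT_MARK:-0x1}"

# Step 1: a second routing table whose default route is the other gateway.
routing_table_cmds() {
    echo "ip route replace default via $ALT_GW dev $ALT_DEV table $ALT_TABLE"
}

# Steps 2 and 3 (first answer): mark locally generated packets by the owning UID in the
# mangle OUTPUT chain, then tell the policy router to use the extra table for that mark.
# Caveat: the socket's source address is chosen from the main table before the mark
# exists, so when ALT_DEV is on its own subnet the marked packets also need SNAT
# (MASQUERADE here) to leave with an address that belongs to that link.
fwmark_cmds() {
    routing_table_cmds
    echo "iptables -t mangle -A OUTPUT -m owner --uid-owner $ALT_UID -j MARK --set-mark $ALT_MARK"
    echo "ip rule add fwmark $ALT_MARK lookup $ALT_TABLE"
    echo "iptables -t nat -A POSTROUTING -o $ALT_DEV -m mark --mark $ALT_MARK -j MASQUERADE"
}

# Second answer's approach, no iptables involved: the kernel matches the socket owner's
# UID during the route lookup itself, so the source address also comes from the extra
# table. Needs Linux 4.10 or newer and an iproute2 that knows the uidrange selector.
uidrange_cmds() {
    routing_table_cmds
    echo "ip rule add uidrange $ALT_UID-$ALT_UID lookup $ALT_TABLE"
}

# Verification helper: given the text of `ip rule show`, return 0 when some policy rule
# sends traffic to ALT_TABLE, 1 otherwise (used after applying either set of commands).
table_rule_present() {
    printf '%s\n' "$1" | grep -q "lookup $ALT_TABLE\$"
}

# Usage: print the commands for review, then pipe them to a root shell to apply them:
#   sh per-uid-gateway.sh fwmark          (or: uidrange)
#   sh per-uid-gateway.sh fwmark | sudo sh
#   table_rule_present "$(ip rule show)" && echo "rule installed"
case "${1:-}" in
    fwmark)   fwmark_cmds ;;
    uidrange) uidrange_cmds ;;
esac
```

Printing the commands first rather than executing them keeps the change reviewable; the rules are not persistent, so whichever variant is chosen has to be re-applied at boot (a network-up hook or a unit file) together with the extra table. The fwmark variant is the one the first answer and the LARTC netfilter chapter describe; the uidrange variant needs no iptables state and avoids the source-address problem, which is why it is the simpler choice on current kernels.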