routing based on app / iptables

WHiZ

routing based on app / iptables

Post by WHiZ »

hello. I'm trying to follow this tutorial { viewtopic.php?t=175765 } that provides per-app routing based on the user account an app is run under, the concept being that I only want some traffic to go over a VPN while other traffic goes direct.

The problem occurs when running it, however: it errors on the lines that mention table 42 in the up.sh. I'm assuming syntaxes may have changed, seeing how long ago this was written. Can anyone tell me how to make the firewall rules work, or if you have a different, better solution let me know.

For example, the following line:

ip route add default via $(ifconfig -a tun0 | grep -o 'P-t-P:[^ ]*' | cut -d : -f 2) table 42
Error: any valid address is expected rather than "table".
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
redlined

Re: routing based on app / iptables

Post by redlined »

hi WHiZ,

On a quick look things should work.. did you replace the example info with your own, though?
Replace 192.168.1.0/24 with your own address, assuming it's any different.
Also, replace the instances of "vpn" if you're using a different user, and replace tun0 if you're using a different interface.
#!/bin/sh
# Mark every packet sent by the "vpn" user with fwmark 42 so the rule below
# sends it to routing table 42 (the VPN table).
iptables -t mangle -I OUTPUT -m owner --uid-owner vpn -j MARK --set-mark 42
# LAN traffic from that user is exempted: -I puts this rule ahead of the MARK
# rule, so packets to the LAN return unmarked and use the normal table.
iptables -t mangle -I OUTPUT -d 192.168.1.0/24 -m owner --uid-owner vpn -j RETURN
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
ip rule add fwmark 42 table 42

# Reverse-path filtering would drop the marked packets, so turn it off.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 0 > "$f"
done

# The original line extracted the peer with `ifconfig -a tun0 | grep -o 'P-t-P:...'`.
# Current net-tools prints "destination <addr>" instead of "P-t-P:<addr>", so the
# grep matches nothing, the address is empty and ip reports
# 'any valid address is expected rather than "table"'. tun0 is a point-to-point
# link, so the route can simply point at the device and needs no gateway address.
ip route add default dev tun0 table 42

# Let the vpn user open windows on your X display.
chgrp vpn "$XAUTHORITY"
chmod 640 "$XAUTHORITY"
Most likely it is tun0 (run ifconfig in a terminal to verify, when your VPN is running). Also, if you followed his guide to the letter then user = vpn should be fine, so make sure you have the correct address on that second iptables line.

If this isn't working you might consider a "proxify" VPN and point the apps you want to go through the VPN only at the proxy address (if supported by the app).
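The script above pulls the tunnel's peer address out of ifconfig text and then trusts that the fwmark rule and table are in place. The following is an added example (not redlined's code and not from the tutorial) that shows how to read the peer address from current iproute2 and net-tools output, and a check a user can run before launching a VPN-only app to confirm the mark rule and the table-42 default route actually exist. It assumes the thread's names: interface tun0, fwmark 42, table 42; the sample command outputs are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not code from the thread or the tutorial it references.
# Assumes the thread's names: interface tun0, fwmark 42, routing table 42.

# Print the point-to-point peer address from the output of
# `ip -o -4 addr show dev tun0` (read on stdin). Modern iproute2 prints
# "inet <local> peer <peer>/32"; there is no "P-t-P:" text to grep for.
tun_peer_from_ip() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "peer") { split($(i + 1), a, "/"); print a[1]; exit } }'
}

# Same for net-tools ifconfig (read on stdin). Old releases print "P-t-P:<addr>",
# current ones print "destination <addr>"; both are handled here, which is why a
# grep for "P-t-P:" alone returns nothing on a current system.
tun_peer_from_ifconfig() {
    sed -n -e 's/.*P-t-P:\([0-9.]*\).*/\1/p' -e 's/.*destination \([0-9.]*\).*/\1/p' | head -n 1
}

# Check that policy routing is actually in place before trusting it:
# $1 = text of `ip rule show`, $2 = text of `ip route show table <table>`,
# $3 = mark (default 42), $4 = table (default 42).
# Returns 0 only when the fwmark rule exists and the table has a default route.
check_mark_routing() {
    rules=$1; routes=$2; mark=${3:-42}; table=${4:-42}
    # ip prints the mark in hex, e.g. "from all fwmark 0x2a lookup 42"
    printf '%s\n' "$rules"  | grep -q "fwmark 0x$(printf '%x' "$mark") lookup $table" || return 1
    printf '%s\n' "$routes" | grep -q '^default ' || return 1
}

# --- constructed sample output (not captured from a real machine) ---
SAMPLE_IP_ADDR='5: tun0    inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0\       valid_lft forever preferred_lft forever'
SAMPLE_IFCONFIG_OLD='          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255'
SAMPLE_IFCONFIG_NEW='        inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5'
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x2a lookup 42
32766:  from all lookup main'
SAMPLE_TABLE42='default dev tun0 scope link'

printf 'peer via ip:           %s\n' "$(printf '%s\n' "$SAMPLE_IP_ADDR" | tun_peer_from_ip)"
printf 'peer via old ifconfig: %s\n' "$(printf '%s\n' "$SAMPLE_IFCONFIG_OLD" | tun_peer_from_ifconfig)"
printf 'peer via new ifconfig: %s\n' "$(printf '%s\n' "$SAMPLE_IFCONFIG_NEW" | tun_peer_from_ifconfig)"
if check_mark_routing "$SAMPLE_RULES" "$SAMPLE_TABLE42"; then
    echo "policy routing for mark 42 -> table 42 is in place"
else
    echo "policy routing is NOT in place; do not start VPN-only apps yet"
fi
```

On a live system the same functions are fed with `ip -o -4 addr show dev tun0 | tun_peer_from_ip` and `check_mark_routing "$(ip rule show)" "$(ip route show table 42)"`; a wrapper that starts the VPN-only app only when the check returns 0 avoids the silent leak where the up.sh failed half way and the app's traffic goes out over the normal route.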
WHiZ

Re: routing based on app / iptables

Post by WHiZ »

btw I did go through this again as you suggested. I had stuck with his vpn account name and network etc, so all of it is the same. Any other ideas?

I can't do proxy, as even though most apps support it I found it was still leaking stuff across the normal network.
redlined

Re: routing based on app / iptables

Post by redlined »

WHiZ wrote: Thu Feb 21, 2019 9:25 pm btw I did go through this again as you suggested. I had stuck with his vpn account name and network etc, so all of it is the same. Any other ideas?

I can't do proxy, as even though most apps support it I found it was still leaking stuff across the normal network.
Replace 192.168.1.0/24 with your own address, assuming it's any different
Does your address check give 192.168.1.0/24?

Run this command to know for sure if you should use that:


echo -n $(ip route show | grep "default" | cut -d \  -f 3 | cut -d \. -f 1-3) && echo ".0/24"
(change that part of the second iptables line to the result from that command if it's different, say 10.0.0.0/24 for example)
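The command above takes the first three octets of the default gateway and appends ".0/24", which is right for a typical home LAN but silently truncates anything wider (a 10.0.0.0/22 office LAN would become 10.0.0.0/24 and part of the LAN would then be marked and pushed into the VPN table). As an added example, not redlined's command, the function below reads the connected route of the interface that carries the default route out of `ip route show` output instead, so the prefix length comes from the kernel rather than being assumed. The sample `ip route show` text is constructed, and the interface and user names follow the thread (eth0/wlan0 for the LAN, tun0 for the VPN, user vpn).

```shell
#!/bin/sh
# Added example, not from the thread. Derives the LAN prefix for the RETURN
# rule from the connected route of the default interface instead of assuming
# /24, so a LAN like 10.0.0.0/22 is not truncated to 10.0.0.0/24.

# Read `ip route show` output on stdin and print the connected (scope link)
# subnet of the interface that carries the default route. Prints nothing when
# no default route or no matching connected route is present.
lan_subnet_from_routes() {
    awk '
        # remember which device the default route leaves through
        $1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") defdev = $(i + 1) }
        # collect every directly connected prefix, keyed by device
        $1 ~ /^[0-9.]+\/[0-9]+$/ && $0 ~ / scope link/ {
            for (i = 1; i <= NF; i++) if ($i == "dev") subnet[$(i + 1)] = $1
        }
        END { if (defdev in subnet) print subnet[defdev] }
    '
}

# --- constructed sample output of `ip route show` (not from a real machine) ---
SAMPLE_ROUTES_24='default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23 metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6'
SAMPLE_ROUTES_22='default via 10.0.0.1 dev wlan0 proto dhcp metric 600
10.0.0.0/22 dev wlan0 proto kernel scope link src 10.0.1.27 metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6'

for sample in "$SAMPLE_ROUTES_24" "$SAMPLE_ROUTES_22"; do
    subnet=$(printf '%s\n' "$sample" | lan_subnet_from_routes)
    # this is the value that belongs in the second iptables line of up.sh
    printf 'LAN exemption for user vpn: -d %s\n' "$subnet"
    case $subnet in
        */24) ;;
        *)    printf '  note: prefix is not /24; the gateway-based guess would be wrong here\n' ;;
    esac
done
```

On a live machine, `ip route show | lan_subnet_from_routes` gives the value to put after `-d` in the RETURN rule; if it prints nothing, the default route is not on a directly connected interface and the rule needs to be chosen by hand.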