# 'Separating 2 gw functionally' problem [SOLVED]

## salmonix

Hi there, 

I need some help to solve the following scenario:

Given a PCbox with 4 NICs (also a router and a firewall). They are:

eth0 - connected directly to the NET via a modem. It gets a dynamic IP from the ISP and is defined as the default gw

eth1 - living on subnet 192.168.5.0, and also connected to the NET via a router (simply saying), and defined as gw for the subnet via 192.168.5.1 (the router)

The rest of the NICs are other LAN NICs, not important here.

Now, I would like to restrict some applications to listen to eth1 only and do traffic via that card - something like having 2 default gw: everything related to eth1 should be directed to 192.168.5.1, even if it is about reaching the outer world - eg. contacting a server out there or opening pages.

All the rest of apps should use eth0 to reach the net, as normal.

This is the present routing situation:

*Quote:*

> Kernel IP routing table
> 
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 
> 192.168.5.0     192.168.5.1     255.255.255.0   UG    0      0        0 eth1
> ...


----------

## luispa

You may try it using the "user id" and iptables mangle. 

First, create a secondary routing table:

```
# Give table 200 the name "MyTable" so later commands can refer to it by name.
echo "200 MyTable" >> /etc/iproute2/rt_tables

# Put the eth1 subnet and a default route via the eth1 router into the new table
# (the table starts empty, so routes have to be added, not deleted).
ip route add 192.168.5.0/24 dev eth1 table MyTable
ip route add 0.0.0.0/0 via 192.168.5.1 table MyTable
```

Now, let's say you have a user whose user id is 1500; then you force that each packet generated by that user will be marked with 1500, and that every packet marked as such has to look first in this second routing table.

```
# Mark every locally generated packet owned by uid 1500 (the owner match only
# works in the OUTPUT chain, where the sending process is still known).
iptables -t mangle -A OUTPUT -m owner --uid-owner 1500 -j MARK --set-mark 1500

# Packets carrying mark 1500 are looked up in MyTable before the main table.
ip rule add fwmark 1500 table MyTable
```

BTW, what you want is the option --pid-owner <processid>. I tried it in the past without success. Try yourself anyway, and report if you have success.

Luis

----------

## salmonix

I'm on it...

----------

## salmonix

The solutions are described here:

http://linux-ip.net/html/adv-multi-internet.html

http://www.linuxquestions.org/questions/linux-networking-3/iptablesmarking-ip-rule-add-fwmark-1-table-200-ip-route-add-via-gw-table-200-500369/

And most probably this

http://lartc.org/howto/lartc.netfilter.html

I think luispa's problem is using the wrong chain: it should be PREROUTING instead of OUTPUT.

----------

## luispa

Hi, the problem I had was with "-m owner --pid-owner <n>" not working. Long ago I tried it without success, no matter which CHAIN.

I've re-tried today but seen that this option has been removed from iptables. 

Luis

----------

## salmonix

*luispa wrote:*

> Hi, the problem I had was with "-m owner --pid-owner <n>" not working. Long ago I tried it without success, no matter which CHAIN.
> 
> I've re-tried today but seen that this option has been removed from iptables. 
> 
> Luis

Its man page states that -m owner --uid-owner etc. are valid in the OUTPUT chain only, and I see the 'owner' extension option in menuconfig - probably you have to explicitly mark it (2.6.2x kernel I use) and recompile the kernel. It is there at least for me.

The ideas above work partially; at least outgoing traffic is now routed to the desired destination. Unfortunately it is in the OUTPUT chain and thus its source IP is set to the main table default gw - so the packages go out one direction and would come back on another, but it is silly for the apps are watching the output NIC only. (Checked with iptraf)

----------
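The following script is an added example for this thread; it is not code from luispa, salmonix or any of the linked pages. It puts luispa's fwmark/owner recipe together with the two pieces salmonix's last post shows are missing: the source address of a locally generated packet is chosen from the main table before the mangle OUTPUT mark is evaluated, so marked packets leave eth1 with eth0's address unless they are SNATed to eth1's own address in the nat POSTROUTING chain; and the replies then arrive on eth1 from addresses the main table routes via eth0, so strict reverse-path filtering on eth1 has to be relaxed or the kernel silently drops them. The uid (1500), mark (1500), table number (200), eth1 address (192.168.5.10) and subnet are assumed values; with `DRY_RUN=1` (the default) the script only prints the commands it would run, and `has_fwmark_rule` is a small check that reads `ip rule show` output and confirms the rule is in place.

```shell
#!/bin/sh
# Added example (not from the thread): policy-route all traffic of one Unix
# user out of eth1 via 192.168.5.1, fixing the source address with SNAT and
# relaxing rp_filter on eth1 so the replies are accepted.
# All values below are assumptions for illustration; override them via the
# environment. DRY_RUN=1 prints the commands, DRY_RUN=0 executes them as root.

UID_OWNER=${UID_OWNER:-1500}        # uid whose traffic must use eth1
MARK=${MARK:-1500}                  # fwmark used to select the second table
TABLE_ID=${TABLE_ID:-200}           # numeric routing table (no rt_tables edit needed)
OUT_IF=${OUT_IF:-eth1}
GW=${GW:-192.168.5.1}               # router on the eth1 subnet
SRC_IP=${SRC_IP:-192.168.5.10}      # assumed address of eth1
LAN=${LAN:-192.168.5.0/24}
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_policy_routing() {
    # Secondary table: the eth1 subnet plus a default route via the eth1 router.
    # 'replace' keeps the script idempotent; 'src' is the preferred source hint.
    run ip route replace "$LAN" dev "$OUT_IF" src "$SRC_IP" table "$TABLE_ID"
    run ip route replace default via "$GW" dev "$OUT_IF" src "$SRC_IP" table "$TABLE_ID"

    # Packets carrying the mark consult the secondary table before main.
    # 'ip rule add' is not idempotent, so remove any stale copy first.
    run ip rule del fwmark "$MARK" lookup "$TABLE_ID" 2>/dev/null || true
    run ip rule add fwmark "$MARK" lookup "$TABLE_ID" priority 1000

    # Mark locally generated packets of the user (owner match is OUTPUT-only).
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$UID_OWNER" \
        -j MARK --set-mark "$MARK"

    # The reroute after OUTPUT keeps the source address already picked from
    # the main table (eth0's), so rewrite it to eth1's address on the way out.
    # Conntrack reverses the translation for the replies.
    run iptables -t nat -A POSTROUTING -o "$OUT_IF" -m mark --mark "$MARK" \
        -j SNAT --to-source "$SRC_IP"

    # Replies reach eth1 from addresses the main table routes via eth0; strict
    # rp_filter would drop them. Disable the check on eth1 only (value 2,
    # loose mode, is the better choice on kernels that support it).
    run sysctl -w "net.ipv4.conf.$OUT_IF.rp_filter=0"
}

# Reads 'ip rule show' output on stdin and succeeds if the fwmark rule exists.
# ip prints marks in hex, e.g. "1000:  from all fwmark 0x5dc lookup 200".
has_fwmark_rule() {
    hexmark=$(printf '0x%x' "$MARK")
    grep -q "fwmark $hexmark lookup $TABLE_ID"
}

setup_policy_routing
```

After applying it for real (`DRY_RUN=0`), `ip rule show | has_fwmark_rule && echo ok` confirms the rule, and `ip route show table 200` should list exactly the two routes added above; a quick `su - <user> -c 'ip route get 8.8.8.8'` only shows the unmarked path, so check the effect with a connection from that user while watching eth1 with iptraf or tcpdump, as salmonix did.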

