PBR with iptables

0

I know question was answered multiple times, but this situation a bit different.

So here is what I have:

  • All users must user default gateway on eth0, except one
  • That one must only use gateway on eth1 and must not under any circumstances use eth0

Separately this things easy to implement, but together... With setup it mostly works: 1002 user goes via eth1 and goes nowehere if it's not available. However, some hosts are still routed via eth0. I have no idea why.

Here is my setup:

user@localhost:~$ ip rule

0:  from all lookup local
1000:   from all fwmark 0x5 lookup 5
2000:   from all fwmark 0x5 lookup 6
32766:  from all lookup main
32767:  from all lookup default`


user@localhost:~$ ip route list table 5
0.0.0.0/1 via 10.10.0.185 dev eth1


user@localhost:~$ ip route list table 6

blackhole 0.0.0.0/1


user@localhost:~$sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT


user@localhost:~$ sudo iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE


user@localhost:~$ sudo iptables -t mangle -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A OUTPUT -m owner --uid-owner 1002 -j MARK --set-xmark 0x5/0xffffffff
debian
iptables
routing
policy-routing
asked on Server Fault Aug 4, 2014 by Andoriyu

1 Answer

2

You specified a route of 0.0.0.0/1. This subnet consists of 0.0.0.0 through 127.255.255.255 inclusive. It's not at all clear why you would want to only route half of the possible IP addresses. I suspect you meant to route all of it (e.g. 0.0.0.0/0) instead.

answered on Server Fault Aug 4, 2014 by Michael Hampton • edited Apr 13, 2017 by Community

User contributions licensed under CC BY-SA 3.0