Skip to content

Intika-Linux-Firewall/App-Route-Jail

master
Switch branches/tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 

App-Route-Jail

Tweaks to force application-specific routing on linux using SO_MARK, advanced routing, LD_PRELOAD and file namespace mounting. It allows to route packets generated by socket-based application (almost any) using specicifed routing table. Supports application-specific DNS name resolution by substituting a modified resolv.conf for a namespace the app is running.

Full usage pattern to change default route and name servers for a specific program is the following:

ip rule add fwmark 10 table 100
ip route add default via 192.168.2.1 table 100
echo "nameserver 192.168.2.1" > /tmp/resolv.conf.2
newns sh -c "mount -n --bind /tmp/resolv.conf.2 /etc/resolv.conf; MARK=10 LD_PRELOAD=mark.so wget http://example.com"

this will launch wget with default gateway set to 192.168.2.1 and default nameserver set to 192.168.2.1

Compilation instructions are inside the sources. OpenWrt package makefile included.

Force an application to use a specific network interface

We need to find what gateway the network interface is using then force that gateway to our jailed application and thus force the application to bind to a specific network interface

  • How to find the interface gateway (there are many solution to find the gateway here are some commands that permit to find the used gateway)
$ route
$ route -n
$ ip rule list
$ ip route show
$ netstat -rn
$ cat /etc/network/interfaces
$ cat /etc/sysconfig/network-scripts/ifcfg-eth0
$ traceroute www.google.com
$ ip route show 0.0.0.0/0 dev eth0

Per application gateway

  • Build App-Route-Jail
git clone https://github.com/Intika-Linux-Network/App-Route-Jail.git
cd App-Route-Jail
chown 755 make.sh
./make.sh
  • Add a route for the future marked packets (for the jailed application) in this example 192.168.1.1 is used as the forced gateway, this route rule wont affect other applications, this manipulation have to be done only once at the system boot for instance if you want to use this solution daily
ip rule add fwmark 10 table 100
ip route add default via 192.168.1.1 table 100
  • Start the application that you want to jail
MARK=10 LD_PRELOAD=./mark.so firefox
  • Testing the wan IP address
MARK=10 LD_PRELOAD=./mark.so wget -qO- ifconfig.me

Note

This application require root or SO_MARK capabilities http://man7.org/linux/man-pages/man7/capabilities.7.html

About

Tweaks to force application-specific routing on linux (based on grandrew/approute-utils)

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published