Re: [gentoo-user] Force app to use specific outgoing ip address? - gentoo-user

From:	Walter Dnes <waltdnes@××××××××.org>
To:	gentoo-user@l.g.o
Subject:	Re: [gentoo-user] Force app to use specific outgoing ip address?
Date:	Sat, 19 May 2007 02:40:33
Message-Id:	`20070519023522.GA14527@waltdnes.org`
In Reply to:	[gentoo-user] Force app to use specific outgoing ip address? by Crayon Shin Chan

1

On Mon, May 14, 2007 at 06:45:18PM +0800, Crayon Shin Chan wrote

2

> I have a gateway machine with a single NIC but several virtual IP

3

> addresses. I have several instances of apache running, each bound to

4

> listen on their own virtual IP address. All the instances of apache are

5

> running in proxy mode. What is happening now is that all the apache

6

> instances use the 'main' IP address for all outgoing connections.

7

>

8

> What I would like is for each instance of apache to use their own virtual

9

> IP address for outgoing connections. Is it possible to rig iptables to

10

> achieve this? And how would I do this?

11

12

  Can you...

13

  - create a bunch of dummy users (nobody0, nobody1, nobody2, etc)

14

  - and launch each apache instance as a different user

15

16

  If so, you can take advantage of netfilter/iptables ability to match

17

on user.  Run just like now, but forward packets to a different address

18

based on owner.  Here's the help info from "make menuconfig"...

19

20

| CONFIG_IP_NF_MATCH_OWNER:                                               |

21

|                                                                         |

22

| Packet owner matching allows you to match locally-generated packets     |

23

| based on who created them: the user, group, process or session.         |

24

|                                                                         |

25

| To compile it as a module, choose M here.  If unsure, say N.            |

26

|                                                                         |

27

| Symbol: IP_NF_MATCH_OWNER [=y]                                          |

28

| Prompt: Owner match support                                             |

29

|   Defined at net/ipv4/netfilter/Kconfig:296                             |

30

|   Depends on: NET && INET && NETFILTER && IP_NF_IPTABLES                |

31

|   Location:                                                             |

32

|     -> Networking                                                       |

33

|       -> Networking support (NET [=y])                                  |

34

|         -> Networking options                                           |

35

|           -> Network packet filtering framework (Netfilter) (NETFILTER  |

36

|             -> IP: Netfilter Configuration                              |

37

|               -> IP tables support (required for filtering/masq/NAT) (I |

38

39

--

40

Walter Dnes <waltdnes@××××××××.org> In linux /sbin/init is Job #1

41

Q. Mr. Ghandi, what do you think of Microsoft security?

42

A. I think it would be a good idea.

43

--

44

gentoo-user@g.o mailing list

1	On Mon, May 14, 2007 at 06:45:18PM +0800, Crayon Shin Chan wrote
2	> I have a gateway machine with a single NIC but several virtual IP
3	> addresses. I have several instances of apache running, each bound to
4	> listen on their own virtual IP address. All the instances of apache are
5	> running in proxy mode. What is happening now is that all the apache
6	> instances use the 'main' IP address for all outgoing connections.
7	>
8	> What I would like is for each instance of apache to use their own virtual
9	> IP address for outgoing connections. Is it possible to rig iptables to
10	> achieve this? And how would I do this?
11
12	Can you...
13	- create a bunch of dummy users (nobody0, nobody1, nobody2, etc)
14	- and launch each apache instance as a different user
15
16	If so, you can take advantage of netfilter/iptables ability to match
17	on user. Run just like now, but forward packets to a different address
18	based on owner. Here's the help info from "make menuconfig"...
19
20	\| CONFIG_IP_NF_MATCH_OWNER: \|
21	\| \|
22	\| Packet owner matching allows you to match locally-generated packets \|
23	\| based on who created them: the user, group, process or session. \|
24	\| \|
25	\| To compile it as a module, choose M here. If unsure, say N. \|
26	\| \|
27	\| Symbol: IP_NF_MATCH_OWNER [=y] \|
28	\| Prompt: Owner match support \|
29	\| Defined at net/ipv4/netfilter/Kconfig:296 \|
30	\| Depends on: NET && INET && NETFILTER && IP_NF_IPTABLES \|
31	\| Location: \|
32	\| -> Networking \|
33	\| -> Networking support (NET [=y]) \|
34	\| -> Networking options \|
35	\| -> Network packet filtering framework (Netfilter) (NETFILTER \|
36	\| -> IP: Netfilter Configuration \|
37	\| -> IP tables support (required for filtering/masq/NAT) (I \|
38
39	--
40	Walter Dnes <waltdnes@××××××××.org> In linux /sbin/init is Job #1
41	Q. Mr. Ghandi, what do you think of Microsoft security?
42	A. I think it would be a good idea.
43	--
44	gentoo-user@g.o mailing list

Gentoo Archives: gentoo-user