Score:0

Best way to route traffic based on logged in user via specific redundant route?

br flag

I have an Ubuntu 20.04 machine with 2 Ethernet interfaces with 2 IP addresses each. It's an AWS EC2 instance and each of the 4 IP addresses has an EIP attached to it via NAT. Both interfaces connect to the same internal subnet. The setup looks like this:

EC2 Machine:

- eni1:

  • private-IP1 -> public-IP1
  • private-IP2 -> public-IP2

- eni2:

  • private-IP3 -> public-IP3
  • private-IP4 -> public-IP4

All 4 addresses are reachable from the outside, so that seems to be all fine. However, for outgoing traffic private-IP1 (and thus public-IP1) currently always gets used. I want to specify that individual SSH users use specific IP addresses, so they'll come from the corresponding public IP when talking to services on the internet, i.e.:

user1 -> private-IP1

user2 -> private-IP2

user3 -> private-IP3

user4 -> private-IP4

What's the best way of achieving this result?

Zac67
ru flag
Any chance you could run 802.1X? You could assign IP addresses based on RADIUS authentication.
br flag
hmm, I guess it would be an option. Never worked with RADIUS authentication before. Are you aware of any resources I could check to get me started for this?
Zac67
ru flag
No, sorry - requests for resources are off-topic here anyway. You should explore which options you've got on EC2. While a RADIUS server could easily be added, 802.1X needs to be provided by the cloud (unless you put a complete virtualization layer on top).
Score:1
bd flag

The best way to achieve that would be to clone the EC2 instance into four instances, assign each clone one IP address, and let each user use only the machine having the IP address he or she should use.

br flag
Interesting approach but not what I'm looking for. I am planning on scaling this up to more IPs in the long run and deploying a fleet of instances just for this purpose seems wasteful and will create a lot of maintenance overhead.
Tilman Schmidt
bd flag
Sorry, all other solutions I can think of will create even more maintenance overhead.
br flag
But there must be a way to tell a linux kernel to make use of the different routes it has available. It works for traffic passing through the box, why should it not work for traffic originating in the box?
Tilman Schmidt
bd flag
Of course there is. The difficulty is to make that routing decision dependent on the user ID. The traffic itself bears no information about the user who initiated it. Simply put, you'll have to create *and maintain* a mechanism to map UIDs to source IP addresses *and* to tell the networking stack to use it instead of its normal user-agnostic mechanism. Again, creating a separate instance for each user is by far the easiest way to achieve that.
br flag
hmmm. I did try using -m owner in iptables to match traffic to the user, mark the packets and then use ip rules to map them to a specific routing table. Unfortunately it's not working, so I was looking for alternatives... I still think it must be possible or that a workaround must exist. I just can't figure it out...
br flag
I finally solved this via a workaround. Thanks for the thoughts though!
Score:1
br flag

I finally solved this myself after pouring many hours into this. In the end I got it to work by adding an ip rule like so:

sudo ip rule add uidrange 1000-1001 lookup if1
sudo ip rule add uidrange 1002-1004 lookup if2

and then adding iptables postrouting rules like this:

$ sudo iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o interface1 -m owner --uid-owner 1000 -j SNAT --to-source IP1
-A POSTROUTING -o interface1 -m owner --uid-owner 1001 -j SNAT --to-source IP2
-A POSTROUTING -o interface2 -m owner --uid-owner 1002 -j SNAT --to-source IP3
-A POSTROUTING -o interface2 -m owner --uid-owner 1003 -j SNAT --to-source IP4

with if1 and if2 being my custom route tables containing the corresponding default routes. Works well! Maybe this can be useful for someone in the future :)
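The same two-layer approach as the answer above, scripted end to end as an added example (this is not code from the original post). Interface names, addresses, gateway, routing table ids and UIDs are constructed placeholders; it assumes iproute2 with `uidrange` support (Linux 4.10 or later, so fine on 20.04) and root for the `apply` mode. Run without arguments it only prints the plan, which is what the self-check uses.

```shell
#!/bin/sh
# Added example, not code from the original post: per-UID source-address
# selection on a dual-homed host, as the self-answer describes. Interface
# names, addresses, gateway, table ids and UIDs are constructed placeholders.
set -eu

ENI1=eth0            # assumed name of the first ENI
ENI2=eth1            # assumed name of the second ENI
GW=10.0.0.1          # both ENIs share one subnet, so one gateway (assumed)
TABLE_IF1=100        # table ids standing in for the post's "if1" / "if2"
TABLE_IF2=200

# One mapping per SSH user: uid:egress-interface:private-source-ip (constructed)
MAP="1000:$ENI1:10.0.0.11
1001:$ENI1:10.0.0.12
1002:$ENI2:10.0.0.13
1003:$ENI2:10.0.0.14"

# Execute a command, or print it when DRY_RUN=1 so the plan can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

table_for() {
  case "$1" in
    "$ENI1") echo "$TABLE_IF1" ;;
    "$ENI2") echo "$TABLE_IF2" ;;
    *) echo "unknown interface: $1" >&2; return 1 ;;
  esac
}

# Step 1: one routing table per interface, each holding only a default route.
setup_tables() {
  run ip route replace default via "$GW" dev "$ENI1" table "$TABLE_IF1"
  run ip route replace default via "$GW" dev "$ENI2" table "$TABLE_IF2"
}

# Step 2: per user, a uidrange rule selects the table (hence the egress ENI),
# and a SNAT rule selects which of that ENI's addresses becomes the source.
# Both are needed: the rule alone would still use the ENI's primary address
# for every user routed through it.
setup_user_rules() {
  printf '%s\n' "$MAP" | while IFS=: read -r uid dev src; do
    table=$(table_for "$dev")
    run ip rule add uidrange "$uid-$uid" lookup "$table"
    run iptables -t nat -A POSTROUTING -o "$dev" -m owner --uid-owner "$uid" \
      -j SNAT --to-source "$src"
  done
}

# Print the full plan without touching the system.
render_plan() {
  ( DRY_RUN=1; setup_tables; setup_user_rules )
}

# Number of distinct source addresses the plan hands out; it should equal the
# number of users, otherwise two users would share a public IP.
distinct_sources() {
  render_plan | sed -n 's/.*--to-source \([0-9.]*\)$/\1/p' | sort -u | wc -l | tr -d ' '
}

if [ "${1:-}" = apply ]; then
  setup_tables
  setup_user_rules
else
  render_plan
fi
```

Two things worth checking after applying it: neither `ip rule` nor the nat rules survive a reboot, so they need to go into netplan/iptables-persistent or a unit file; and if users on the second interface see connections stall, confirm `net.ipv4.conf.all.rp_filter` is not set to 1, since replies for those users arrive on an interface the main table would not have chosen and strict reverse-path filtering drops exactly that kind of asymmetric traffic.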
