Bind unix program to specific network interface

For Linux, this has already been answered on Superuser - How to use different network interfaces for different processes?.

The most popular answer uses an LD_PRELOAD trick to change the network binding for a program, but modern kernels support a much more flexible feature called 'network namespaces' which is exposed through the ip program. This answer shows how to use this. From my own experiments I have done the following (as root):

# Add a new namespace called test_ns
ip netns add test_ns

# Set test to use eth0, after this point eth0 is not usable by programs
# outside the namespace
ip link set eth0 netns test_ns

# Bring up eth0 inside test_ns
ip netns exec test_ns ip link set eth0 up

# Use dhcp to get an ipv4 address for eth0
ip netns exec test_ns dhclient eth0

# Ping google from inside the namespace
ip netns exec test_ns ping www.google.co.uk

It is also possible to manage network namespaces to some extent with the unshare and nsenter commands. This allows you to also create separate spaces for PIDs, users and mount points. For some more information see:

  • Reliable way to jail child processes using `nsenter:`
  • Namespaces in operation

I'm accepting Graeme's answer; this is simply a follow up to explain the changes I did to his suggestion to solve my issue.

Instead of binding the physical interface inside the namespace, I created a virtual network interface pair, with one end in the network namespace and one in the root. Packages are then routed via this virtual network from the namespace, to the root namespace and then to the physical interface. - As such I'm able to run all my ordinary data transfers, and in addition start processes which can only access a specific interface.

# Create the eth0 network namespace
ip netns add eth0_ns

# Create the virtual network pair
ip link add v_eth0a type veth peer name v_eth0b

# Move v_eth0a to the eth0_ns namespace, the virtual pair is now split
# between two network namespaces.
ip link set v_eth0a netns eth0_ns

# Configure the ends of the virtual network pairs
ip netns exec eth0_ns ifconfig v_eth0a up {{NAMESPACE_IP}} netmask {{NAMESPACE_NETMASK}}
ifconfig v_eth0b up {{ROOT_NS_IP}} netmask {{ROOT_NS_NETMASK}}

# Setup routing from namespace to root
ip netns exec eth0_ns route add default gw {{ROOT_NS_IP}} dev v_eth0a

# Setup IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s {{ROUTE_SOURCE}}/24 -o {{NETWORK_INTERFACE}} -j SNAT --to-source {{ROUTE_TARGET}}

Once the interfaces has been setup for eth0 and eth1, with their respective namespaces eth0_ns and eth1_ns, programs can be executed on the specified interface via;

ip netns exec eth0_ns fish
ip netns exec eth1_ns fish

Solution I: Preloading a specific library

  • App-Route-Jail: use ld_preload to force the interface gateway (great idea but require root or marks capabilities) usage is detailed on notes bellow

  • Proxybound: use ld_preload to force a proxy to a specific application (this is using proxy instead of interface)

  • Force-Bind: have a lot of features but the bind leaks (not reliable)

  • Bind-Interface-IP: too simple and leak connections (not reliable)

  • Bind-IP: way too simple and leak connections (not reliable)

Solution II: Linux userspace

  • Classic linux user space ip-netns: great solution but require root and interface can only exist on one single user space

  • Firejail: Firejail can force an application to use a specific network, but the compatibility is limited (example it is not compatible with tun interfaces). firejail does not require root firejail --dns=8.8.8.8 --noprofile --net=eth0 --ip=192.168.1.1 app-command

  • Firejail with netns: Firejail can force an application to use a specific user space that was created separately, this let us name spaces without root firejail --dns=8.8.8.8 --noprofile --netns=nameOfyourNS app-command

  • Firejail with masquerade and bridge: Firejail can force an application to use a specific interface with iptables masquerade, this is great and does not require root but this require ip_forward and could imply security impact firejail --net=br0 firefox

Solution III: Linux iptables

Iptables could be used for this purpose but this require ip_forward and could imply security impact if its not correctly configured, example 1, example 2, example 3, example 4

Solutions (I, II & III) notes:

Wireguard

If you are using a VPN (especially wireguard) and you want to apply this solution to a wireguard interface (wireguard with user space) you can follow the linked instructed to create a user space containing a wg interface (and thus limited to a vpn interface) also this can be combined with firejail --netns=container to be able to use the user space without root.

How to find the interface gateway

There are many solution to find the gateway here are some commands that permit to find the used gateway

$ route
$ route -n
$ ip rule list
$ ip route show
$ netstat -rn
$ cat /etc/network/interfaces
$ cat /etc/sysconfig/network-scripts/ifcfg-eth0
$ traceroute www.google.com
$ ip route show 0.0.0.0/0 dev eth0

How to use App-Route-Jail

  • Build App-Route-Jail
git clone https://github.com/Intika-Linux-Network/App-Route-Jail.git
cd Approute-Root-Jail
chmod 755 make.sh
./make.sh
  • Add a route for the future marked packets (for the jailed application) in this example 192.168.1.1 is used as the forced gateway, this route rule wont affect other applications, this manipulation have to be done only once at the system boot for instance if you want to use this solution daily
ip rule add fwmark 10 table 100
ip route add default via 192.168.1.1 table 100
  • Start the application that you want to jail
MARK=10 LD_PRELOAD=./mark.so firefox

MARK=10 LD_PRELOAD=./mark.so wget -qO- ifconfig.me

Tags:

Routing

Network Interface

Recent Posts