
Force an application to use VPN, using iptables in Linux

Enforcing that an application, for example a torrent client like Transmission, always uses the VPN interface (or any other particular network interface) is trivially simple using iptables on Debian, Ubuntu or any other GNU/Linux distro.
Personally, I am running Debian Sid on the Raspberry Pi. Occasionally I use it for downloading files (legal stuff, seriously, believe me :D) using the Transmission BitTorrent client over a VPN connection. Sometimes the VPN connection fails and doesn't reconnect for whatever reason, and Transmission continues pulling stuff directly over my internet connection, which I would like to avoid. Fortunately it is very straightforward to enforce rules based on the UID that owns the process. Transmission runs under the user debian-transmission in Debian (use htop to check this), and the following two iptables lines ensure that any process running as debian-transmission cannot use any network interface apart from the OpenVPN tunnel interface tun0.

pi@sam-berry ~ $ sudo iptables -A OUTPUT -m owner --uid-owner debian-transmission -d 192.168.0.100 -j ACCEPT
pi@sam-berry ~ $ sudo iptables -A OUTPUT -m owner --uid-owner debian-transmission \! -o tun0 -j REJECT

The first line ensures that my Mac mini, which has IP address 192.168.0.100 on the LAN, can always reach the web interface of Transmission. The second line makes sure that no outgoing traffic from Transmission can leave via anything other than tun0.
Peace of mind restored, thanks to iptables.
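The same setup as a repeatable script (an added example, not from the original post): it resolves the numeric UID from a passwd-format file, which sidesteps the "Bad value for --uid-owner" name-lookup failure reported in the comments, generates the two rules above plus an extra loopback allow so a local web UI keeps working, and applies them idempotently with `iptables -C`. The user debian-transmission, the interface tun0 and the LAN range 192.168.0.0/24 are assumed values; the allow rule generalises the single-host allow to a whole LAN range.

```shell
#!/bin/sh
# Pin one user's outbound traffic to the VPN interface with iptables owner matching.
# Added example; debian-transmission, tun0 and 192.168.0.0/24 are assumed values.

# Resolve a username to its numeric UID (third colon-separated field of a
# passwd-format file). A value that is already numeric is returned unchanged.
# Feeding iptables the number avoids its own name lookup, which is what fails
# with: owner: Bad value for "--uid-owner" option.
resolve_uid() {
    user="$1"; passwd_file="${2:-/etc/passwd}"
    case "$user" in
        ''|*[!0-9]*) awk -F: -v u="$user" '$1 == u { print $3; exit }' "$passwd_file" ;;
        *)           printf '%s\n' "$user" ;;
    esac
}

# Print the rule specs, one per line, for UID $1, VPN interface $2, LAN range $3.
# Order matters: the ACCEPTs must precede the catch-all REJECT.
vpn_rules() {
    uid="$1"; iface="$2"; lan="$3"
    printf '%s\n' \
        "-A OUTPUT -m owner --uid-owner $uid -o lo -j ACCEPT" \
        "-A OUTPUT -m owner --uid-owner $uid -d $lan -j ACCEPT" \
        "-A OUTPUT -m owner --uid-owner $uid ! -o $iface -j REJECT"
}

# Insert each rule unless an identical one is already present (iptables -C),
# so the script can be re-run from a VPN up/down hook without duplicating rules.
# Needs root. $rule is deliberately unquoted so it splits into arguments.
apply_rules() {
    uid=$(resolve_uid "$1")
    [ -n "$uid" ] || { echo "unknown user: $1" >&2; return 1; }
    vpn_rules "$uid" "$2" "$3" | while read -r rule; do
        iptables -C ${rule#"-A "} 2>/dev/null || iptables $rule
    done
}

# Usage, as root:  . ./pin-to-vpn.sh && apply_rules debian-transmission tun0 192.168.0.0/24
```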

Comments

Unknown said…
I am trying to accomplish the very same thing in Ubuntu 12.04 and this seems like a very simple solution.

Unfortunately, issuing this command closes Transmission's listening TCP port and also prevents Chromium from connecting.

I'd appreciate any advice you might have!

Andy
Sambit said…
That's a bit strange.

The rule should only apply to processes with owner "debian-transmission".

You can list the iptables rules using

sudo iptables -L

and check whether the rule was created successfully.
Jannik Winkel said…
Thank you, that was very helpful.
Also I unblocked my whole local network with
iptables -A OUTPUT -m owner --uid-owner torrent -d 192.168.178.0/24 -j ACCEPT
Hey all, I'm trying to force Transmission to use VPN only on Debian Wheezy but something seems to be different. Here is what I get when trying the following:

root@debian:/etc# iptables -A OUTPUT -m owner --uid-owner debian-transmission \! -o tun0 -j REJECT
iptables v1.4.14: owner: Bad value for "--uid-owner" option: "debian-transmission"
Try `iptables -h' or 'iptables --help' for more information.

Any ideas?

Thanks!!
Sambit said…
Hi McRae,

Seems like for some reason, iptables is failing to perform a username lookup.
Manually find out the numeric uid of debian-transmission from the /etc/passwd file (should be the third field in the row).
Then try the iptables command, replacing "debian-transmission" with its equivalent numeric userid.
Hope it helps.
Thanks for the reply Sambit! When I look at the /etc/passwd file it contains no mention of "trans", but I can post the file in its entirety if that will help. Using the following command, would it be --uid-owner 1000?

root@debian:/home/jwhitakermcrae# ps aux | grep trans
1000 26718 2.4 0.1 437028 21376 ? Sl 10:48 0:00 transmission-gtk
root 26727 0.0 0.0 7828 880 pts/1 S+ 10:49 0:00 grep trans

Thanks for the help!!
Chris said…
Hi,

when adding both rules to my system I get no connection anymore. I have forwarded one Port from my VPN-ISP (AirVPN) and set the same port to my transmission. Transmission says that the port is "closed". Also it seems not to be able to connect to the tracker. It just gets the message "Announce Error - Could not connect to tracker."
Any suggestions what's going wrong here?

I am using Ubuntu 12.04.4 LTS.
