Using a different network interface for a specific application
#1 By injecting a custom library
We can use the LD_PRELOAD mechanism with App-Route-Jail to force the interface gateway
Step 1: the gateway
We need to find which gateway the network interface is using, then force that gateway on our jailed application, which forces the application to bind to a specific network interface.
- How to find the interface gateway (there are many ways to find it; here are some commands that show the gateway in use)
$ route
$ route -n
$ ip rule list
$ ip route show
$ netstat -rn
$ cat /etc/network/interfaces
$ cat /etc/sysconfig/network-scripts/ifcfg-eth0
$ traceroute www.google.com
$ ip route show 0.0.0.0/0 dev eth0
Step 2: per application gateway
- Build App-Route-Jail
git clone https://github.com/Intika-Linux-Network/App-Route-Jail.git
cd App-Route-Jail
chmod 755 make.sh
./make.sh
- Add a route for the future marked packets (for the jailed application). In this example 192.168.1.1 is used as the forced gateway. This route rule won't affect other applications. It only has to be done once, at system boot for instance, if you want to use this solution daily.
ip rule add fwmark 10 table 100
ip route add default via 192.168.1.1 table 100
- Start the application that you want to jail
MARK=10 LD_PRELOAD=./mark.so firefox
- Test the WAN IP address
MARK=10 LD_PRELOAD=./mark.so wget -qO- ifconfig.me
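An added example, not part of App-Route-Jail or the original page: a shell check that a packet carrying mark 10 is really answered by table 100 via 192.168.1.1, flagging the case where the lookup falls through to the main table (for example because the route in table 100 is gone). The function names, the probe address 203.0.113.1 and the sample output lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from App-Route-Jail): check where fwmark-ed packets go.
# Function names and the sample lines below are constructed for illustration.

# Next hop ("via") from one line of `ip route get` output; empty if none.
route_gateway() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# Table that answered the lookup. iproute2 omits the "table" field when the
# main table answered, so a missing field is reported as "main".
route_table() {
    t=$(printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "table") { print $(i + 1); exit } }')
    printf '%s\n' "${t:-main}"
}

# Classify a lookup result: ok | fell-through | wrong-gateway | no-route
classify_marked_route() {  # args: <ip-route-get-line> <gateway> <table>
    line=$1
    [ -n "$line" ] || { echo no-route; return 1; }
    if [ "$(route_table "$line")" != "$3" ]; then
        echo fell-through      # rule missing or table empty: another table answered
        return 1
    fi
    [ "$(route_gateway "$line")" = "$2" ] || { echo wrong-gateway; return 1; }
    echo ok
}

# Live check; this is only a route lookup, no packet is sent.
# 203.0.113.1 is a documentation address standing in for an internet host.
check_mark() {  # usage: check_mark 10 100 192.168.1.1
    classify_marked_route \
        "$(ip route get 203.0.113.1 mark "$1" 2>/dev/null | head -n 1)" "$3" "$2"
}

# Constructed sample lines: table 100 answering, and a fall-through to main.
SAMPLE_OK='203.0.113.1 via 192.168.1.1 dev eth0 table 100 src 192.168.1.50 mark 0xa uid 0'
SAMPLE_LEAK='203.0.113.1 via 10.0.0.1 dev wlan0 src 10.0.0.23 mark 0xa uid 0'
classify_marked_route "$SAMPLE_OK" 192.168.1.1 100 || true     # prints: ok
classify_marked_route "$SAMPLE_LEAK" 192.168.1.1 100 || true   # prints: fell-through
```

On a configured machine, `check_mark 10 100 192.168.1.1` runs the same classification against the live routing tables; a result other than `ok` means the jailed application's traffic would not leave through the forced gateway.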
#2 By using the Kernel’s namespace feature through firejail
Firejail https://firejail.wordpress.com/ can force an application to use a specific network, like the following example:
firejail --dns=8.8.8.8 --net=eth0 --ip=192.168.1.1
#3 Alternative:
Additional information on the matter is available in this SU Q&A.