OpenWrt Forum Archive

Topic: ping/mtr/etc. as other user than root

The content of this topic has been archived on 29 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello,

I set up another user next to root on my OpenWRT router. I wanted it to act as a monitoring user for different traffic routing. I routed the specific traffic for the user like this:

iptables -t mangle -N TUNMARK
iptables -t mangle -A TUNMARK -j MARK --set-mark 2
iptables -t mangle -A TUNMARK -j CONNMARK --save-mark
iptables -t mangle -N RESTOREMARK
iptables -t mangle -A RESTOREMARK -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -p TCP -m state --state NEW -m owner --uid-owner 1001 -j TUNMARK
iptables -t mangle -A OUTPUT -p TCP -m state --state ESTABLISHED,RELATED -m owner --uid-owner 1001 -j RESTOREMARK

Where 1001 is the uid of that user.

But when I ssh with that user, I cannot use any kind of tools like ping, traceroute or mtr, because it seems just root can use them on an OpenWRT build:

ping: permission denied (are you root?)

How can I fix this without messing up the whole system or creating security leaks? Is there maybe a better way of doing this?

(Last edited by knuddel on 1 Oct 2013, 20:40)

ping is usually setuid on most Linux systems:
$ ls -l $(which ping)
-rwsr-xr-x 1 root root 35,712 Nov  8  2011 /bin/ping

That way it runs as root for any logged in user.

On OpenWRT ping is just a link to busybox:
# ls -l $(which ping)
lrwxrwxrwx    1 root     root             7 Sep  5 00:24 /bin/ping -> busybox

and you definitely don't want to make all of busybox setuid.

You could consider setting up sudo on your OpenWRT system. I don't know if this is common or even if there's a package for it.
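As an added example (not code from the thread or from OpenWrt), here is a small Python audit that makes the distinction above concrete: it classifies how a `ping` path is provided (dedicated setuid binary versus symlink into a multi-call busybox) and lists every applet that would start running as root if that one binary were made setuid. The directory layout is constructed in a temporary directory to mimic an OpenWrt `/bin`; the file name `ping-standalone` is hypothetical.

```python
import os
import stat
import tempfile


def classify(path):
    """Describe how a tool path is provided.

    Returns 'missing', 'busybox-symlink', 'symlink', 'setuid-root',
    'setuid' (setuid but owned by a non-root user) or 'plain'.
    """
    try:
        st = os.lstat(path)  # lstat: inspect the link itself, not its target
    except FileNotFoundError:
        return "missing"
    if stat.S_ISLNK(st.st_mode):
        target = os.path.basename(os.readlink(path))
        return "busybox-symlink" if target == "busybox" else "symlink"
    if st.st_mode & stat.S_ISUID:
        return "setuid-root" if st.st_uid == 0 else "setuid"
    return "plain"


def applets_sharing_binary(bin_dir, binary="busybox"):
    """Names in bin_dir that are symlinks to `binary`.

    Every one of these would inherit root if the single multi-call binary
    were made setuid; that is the blast radius the reply above warns about.
    """
    names = []
    for name in sorted(os.listdir(bin_dir)):
        p = os.path.join(bin_dir, name)
        if os.path.islink(p) and os.path.basename(os.readlink(p)) == binary:
            names.append(name)
    return names


def setuid_files(bin_dir):
    """Equivalent of `find bin_dir -perm -4000`: regular files with the setuid bit."""
    found = []
    for name in sorted(os.listdir(bin_dir)):
        p = os.path.join(bin_dir, name)
        st = os.lstat(p)
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
            found.append(name)
    return found


def build_demo_tree(root):
    """Construct a layout that mimics an OpenWrt /bin (not a real capture)."""
    busybox = os.path.join(root, "busybox")
    with open(busybox, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(busybox, 0o755)
    for applet in ("ls", "mount", "passwd", "ping", "sh"):
        os.symlink("busybox", os.path.join(root, applet))
    # hypothetical dedicated ping binary installed setuid, like the Ubuntu one above
    standalone = os.path.join(root, "ping-standalone")
    with open(standalone, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(standalone, 0o4755)


def demo():
    """Build the constructed tree and return the audit findings."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return {
            "ping": classify(os.path.join(root, "ping")),
            "standalone": classify(os.path.join(root, "ping-standalone")),
            "would_inherit_root": applets_sharing_binary(root),
            "setuid_files": setuid_files(root),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real `/bin` on the router, `applets_sharing_binary("/bin")` returns the full list of commands (shell, mount, passwd, ...) that a setuid busybox would hand out as root, which is the reason to prefer a separate privileged ping binary, or sudo rules scoped to it, over touching the multi-call binary.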

Hello, thanks a lot for your answer, it doesn't happen often that you get a good answer here, so thanks a lot for taking the time.

I am not a Linux pro, so I didn't know that. I have just read up on what "setuid" is and what it does. I now understand that ping, traceroute and also mtr require to be run as root, because they need some raw socket access, if I understand it right, though I don't know why only root can do this.

So my problem wouldn't be solved with sudo; I also installed it on my router btw and tried it out. Of course it's no use for my problem, because it will just let me run these tools under other users, but always as root.

Maybe I should have asked the question differently; here's what I wanted to do, as I also wrote about:

I have two VPN connections on my router, tun0 and tun1. Also two ISP connections, one over the WAN port of my router, connected to a cable modem, and the other via NAT of another router.

So I want to be able to use ping/mtr/traceroute on all 4 connections. How do I do this, if they all run as root and I can't mangle them this way? Ping works fine if used for the tun devices via -i tun0/1, default always is wan, but I have no way of forcing the traffic through the 4th connection which uses an SNAT. How do I do this?

> ping, traceroute and also mtr require to be run as root, because they
> need some raw socket access, if I understand it right, though I don't
> know why only root can do this.
Because raw socket access lets programs inject packets at a lower level, which may be malicious to other devices on the network. So normally only root can do this.

> I have two VPN connections on my router, tun0 and tun1. Also two
> ISP connections, one over the WAN port of my router, connected to a
> cable modem, and the other via NAT of another router.
Can you show your interfaces and routing table? Output of 'ifconfig -a' and 'route -n'?

br-lan    Link encap:Ethernet  HWaddr xxx
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: xxx Scope:Link
          inet6 addr: xxx/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8706628 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11009992 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2360761768 (2.1 GiB)  TX bytes:10652644648 (9.9 GiB)

eth0      Link encap:Ethernet  HWaddr xxx
          inet6 addr: xxx Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6055650 errors:0 dropped:2 overruns:37 frame:0
          TX packets:7663821 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2272390195 (2.1 GiB)  TX bytes:1908438678 (1.7 GiB)
          Interrupt:4

eth0.1    Link encap:Ethernet  HWaddr xxx
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6055635 errors:0 dropped:56 overruns:0 frame:0
          TX packets:7663815 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2163387551 (2.0 GiB)  TX bytes:6172749181 (5.7 GiB)

eth1      Link encap:Ethernet  HWaddr xxx
          inet addr:188.xx.xx.xx  Bcast:188.xx.xx.255  Mask:255.255.248.0
          inet6 addr: xxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10859819 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5184398 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1900943481 (1.7 GiB)  TX bytes:1894894437 (1.7 GiB)
          Interrupt:5

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1348 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1348 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:130092 (127.0 KiB)  TX bytes:130092 (127.0 KiB)

tap0      Link encap:Ethernet  HWaddr xxx
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:96026 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:12678070 (12.0 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.xx.xx.xx  P-t-P:172.xx.xx.xx  Mask:255.255.248.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:10544 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6256 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:12943744 (12.3 MiB)  TX bytes:651833 (636.5 KiB)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.xx.xx.xx  P-t-P:172.xx.xx.xx  Mask:255.255.248.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr xxx
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2654639 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3452243 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:236137404 (225.1 MiB)  TX bytes:269036016 (256.5 MiB)

root@wndr:~#
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         188.xxx.xxx.xxx 0.0.0.0         UG    0      0        0 eth1
172.xx.xx.0     0.0.0.0         255.255.248.0   U     0      0        0 tun0
172.xx.xx.0     0.0.0.0         255.255.248.0   U     0      0        0 tun1
188.xx.xx.0    0.0.0.0         255.255.248.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
root@wndr:~#

Ok, so for br-lan, eth1, tun0, tun1, you can force traffic through those interfaces using ping -I.

What was the 4th case? I think you mentioned an SNAT? Can you describe the network setup in more detail?

Actually br-lan is the 4th case, which isn't working. ping -I tun0/tun1/eth1 works fine. But doing a ping -I br-lan results in it waiting for a reply and nothing happens. My config for this 4th case is:

ip rule add fwmark 4 table vpn3
ip route add default via 192.168.1.2 dev br-lan table vpn3
iptables -t nat -A POSTROUTING -o br-lan -j SNAT --to 192.168.1.1
iptables -t mangle -A PREROUTING -s 192.168.1.11 -j MARK --set-mark 4

Where 1.11 is a client behind the router. This works without any problem. But how would I be able to use the 1.2 NAT on the router itself? ping -I br-lan ... doesn't work.

192.168.1.2 is the other router, 192.168.1.1 is br-lan on the OpenWRT router. 192.168.1.11 is a client behind the OpenWRT router.

(Last edited by knuddel on 5 Oct 2013, 16:29)

Seems the OpenWRT (busybox) ping doesn't have this, but on my Ubuntu machine, ping has a "-m mark" parameter:

       -m mark
              use mark to tag the packets going out. This is useful for variety
              of reasons within the kernel such as using policy routing to
              select specific outbound processing.

Maybe you can get a full-featured ping and run 'ping -m 4 <ip>'?

You can also cheat and designate a remote IP as being your "1.2 test IP" and add it to the main routing table. For example to use 4.2.2.1:

route add -host 4.2.2.1 gw 192.168.1.2

and then any traffic to 4.2.2.1 will go through your second router. But that's a bit of a hack.

And then? How do I use that virtual host as the source of ping/mtr etc.?

root@wndr:~# ping -I 4.2.2.1 heise.de
PING heise.de (193.99.144.80) from 4.2.2.1: 56 data bytes
ping: can't set multicast source interface

That doesn't work.

Also I rather dont want to use ping, I want to use mtr, traceroute and so on, ping is just a basic example.

(Last edited by knuddel on 5 Oct 2013, 18:53)

No, I mean, 4.2.2.1 is the *destination*. Because basic routing works by looking at the destination. So you can say that for 4.2.2.1, the first hop should be through 192.168.1.2.

route add -host 4.2.2.1 gw 192.168.1.2
ping 4.2.2.1  # without any -I, will go through 192.168.1.2

And? /: How does that help? Sorry, I am really a noob in this. How do I use that? What is my goal in pinging 4.2.2.1??

I thought you were just trying to check the connection through the second router. Otherwise, does the client 1.11 have internet access through 1.2?

Then I could just ping 192.168.1.2 anyway...? I want to check the routing between the 1.2 internet to SOME internet point... from the 1.1 router.

Of course the 1.11 has... but I don't have access to that client.

(Last edited by knuddel on 5 Oct 2013, 20:06)

I think I see what you're trying to do.

Can you do 'ping -I br-lan <ip>' and show the output of 'tcpdump -nlpi br-lan' while you do this?

What's the command for logging it to a file? Also tcpdump -nlpi br-lan is too broad, it would spam thousands of lines in a few seconds. How do I filter it to that specific event?

Add a protocol filter:
tcpdump -nlpi br-lan icmp

It triggers no event when I ping.

Hmm, but you said it works with tun0? It should be the same case.

Do you know how to use IRC? It might be easier to debug this via chat. I'm on freenode in #openwrt, same nickname.

blub bla bla blub, I tried for several hours to open a chat with you there, you didn't accept. Anyway...

I've added a tap device for this, maybe that's easier and I could use ping -I tap1:

ip tuntap add tap1 mode tap
ip link set tap1 up
ip addr add 4.2.2.1/24 dev tap1

but how do I route all traffic now initiated FROM tap1 <-> to GO OVER the other router?

(Last edited by knuddel on 6 Oct 2013, 01:54)

You don't want a separate interface. You want a way to tell the kernel that you want certain packets to go to a certain gateway, different from the default.

Did you try to get a full-featured ping and then 'ping -m 4'?

Edit: on IRC, send me a private message and I'll reply when I'm around. Sorry, I think our times won't align very well, I'm in UTC-4.

(Last edited by eigma on 6 Oct 2013, 05:53)

Please just tell me how to do this "but how do I route all traffic now initiated FROM tap1 <-> to GO OVER the other router?", how to set a gw for a specific interface.

I am not getting another ping, I wouldn't even know where and how to compile it for mips, because, like I said, I don't want to use ping. And like I said, I tried for several hours to open a DCC chat with you, you never accepted. But anyway, DCC chats never worked for me, I think you have to open a port for them to work or something.

(Last edited by knuddel on 6 Oct 2013, 20:12)

You can't initiate traffic "from" tap1 - either the traffic is from some other machine connected on tap1, or the traffic is from the local machine. "ping -I tap1" means to generate traffic from the local machine and send it *out* on tap1.

I think it would help if you looked at the way Linux handles network traffic. Here is a good diagram:
http://www.cs.unh.edu/cnrg/people/gherr … tth_sEc2.1

In the "Application generates network traffic" you need to somehow mark the traffic so that the "Looks up route destination" looks at that mark and chooses a specific destination. "ping -I tun0" is one way, and says to always send the traffic *out* on tun0. "ping -m 4" is another way, which means to place a fwmark on the application traffic, and then in the lookup, look at the fwmark and choose a destination.

Try adding a default gateway on br-lan with a higher metric than the default gateway on eth1. Then by default traffic should still go on eth1 but you might be able to choose br-lan using "-I br-lan". But you said you don't want to use ping or mtr, so does the application that you really want to use have a -I flag?

You need to do more debugging and trials on your own. While pinging, start "tcpdump" on br-lan and eth1 and see on which interface packets are going out. Adjust the routing tables. Try deleting the default gateway on eth1 and send all traffic through br-lan.

Sorry about the DCC chat, like I said, send me a private message or on #openwrt and I will reply when I am on IRC. If our time zones don't match, there's not much I can do about that..
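To make the routing-stage explanation in the post above concrete, here is an added Python model (not from the thread, not OpenWrt code) of the pieces the thread has discussed: the `--uid-owner` mangle rule from the first post, socket-level marking as `ping -m` does it, the `ip rule add fwmark 4 table vpn3` policy route, and the `route add -host 4.2.2.1 gw 192.168.1.2` shortcut. It is a deliberate simplification: CONNMARK save/restore, reverse-path filtering and the tun tables are left out, the uid-owner rule is made to set mark 4 so it lands in the vpn3 table the later post shows, and `188.0.0.1` is a placeholder for the masked eth1 gateway.

```python
import ipaddress


class Router:
    """Toy model of mangle OUTPUT marking, ip rules and routing tables."""

    def __init__(self):
        self.mangle_output = []      # (uid or None for any, mark) in rule order
        self.rules = []              # (fwmark, table) in ip rule order
        self.tables = {"main": []}   # table -> [(network, gateway, iface)]

    def add_route(self, table, prefix, gw, iface):
        net = ipaddress.ip_network(prefix)
        self.tables.setdefault(table, []).append((net, gw, iface))

    def add_rule(self, fwmark, table):
        self.rules.append((fwmark, table))

    def mark_output(self, uid, mark):
        # iptables -t mangle -A OUTPUT -m owner --uid-owner <uid> -j MARK --set-mark <mark>
        self.mangle_output.append((uid, mark))

    def classify(self, uid, explicit_mark=0):
        """Return the fwmark a locally generated packet carries.

        explicit_mark models SO_MARK set by the application (ping -m); the
        first matching --uid-owner rule in the mangle OUTPUT chain overrides it.
        """
        mark = explicit_mark
        for rule_uid, rule_mark in self.mangle_output:
            if rule_uid is None or rule_uid == uid:
                mark = rule_mark
                break
        return mark

    def lookup(self, dst, mark=0):
        """ip rule order: fwmark-specific tables first, then main.

        Inside a table the longest matching prefix wins; a table with no
        matching route falls through to the next rule.
        """
        dst = ipaddress.ip_address(dst)
        for fwmark, table in self.rules + [(None, "main")]:
            if fwmark is not None and fwmark != mark:
                continue
            best = None
            for net, gw, iface in self.tables.get(table, []):
                if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                    best = (net, gw, iface)
            if best is not None:
                return best[1], best[2]
        return None


def build_thread_router():
    """Constructed approximation of the setup shown in the thread."""
    r = Router()
    # main table, as in the 'route -n' output (188.0.0.1 is a placeholder gateway)
    r.add_route("main", "0.0.0.0/0", "188.0.0.1", "eth1")
    r.add_route("main", "192.168.1.0/24", None, "br-lan")
    # ip rule add fwmark 4 table vpn3 / ip route add default via 192.168.1.2 dev br-lan table vpn3
    r.add_rule(4, "vpn3")
    r.add_route("vpn3", "0.0.0.0/0", "192.168.1.2", "br-lan")
    # uid 1001 (the monitoring user) gets mark 4, so its traffic uses vpn3
    r.mark_output(1001, 4)
    return r


def route_for(router, uid, dst, explicit_mark=0):
    """(mark, (gateway, iface)) chosen for a packet from uid to dst."""
    mark = router.classify(uid, explicit_mark)
    return mark, router.lookup(dst, mark)


if __name__ == "__main__":
    r = build_thread_router()
    dst = "193.99.144.80"  # heise.de, the address from the ping output above
    print("uid 1001, plain ping: ", route_for(r, 1001, dst))
    print("uid 0 (setuid ping):  ", route_for(r, 0, dst))
    print("uid 0, ping -m 4:     ", route_for(r, 0, dst, explicit_mark=4))
    r.add_route("main", "4.2.2.1/32", "192.168.1.2", "br-lan")  # route add -host
    print("any uid, 4.2.2.1:     ", route_for(r, 0, "4.2.2.1"))
```

Running it makes the crux of the thread visible: a setuid ping executes as uid 0, so the uid-1001 owner match never fires and the packet takes the eth1 default route, whereas marking at the socket (`ping -m 4`) selects table vpn3 regardless of which user started the tool. The host route shows why the `4.2.2.1` trick works only for that one destination: the /32 beats the /0 default inside the main table, and nothing else is affected.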

Try adding a default gateway on br-lan with a higher metric than the default gateway on eth1. Then by default traffic should still go on eth1 but you might be able to choose br-lan using "-I br-lan". How do I do this?

If our time zones don't match, there's not much I can do about that.. o0 I am here, right? I was there yesterday, right. So how are we even in "different time zones"....

Also isn't there maybe a way of creating a "local client" on the router which acts as a simulated client?

(Last edited by knuddel on 6 Oct 2013, 20:18)

The discussion might have continued from here.