I have Ubuntu 16.04, and the task is to route all traffic through Tor (including DNS queries) while keeping the possibility of direct Internet access (through a separate browser or a separate user).

I set up the traffic forwarding following this guide. I also installed privoxy and added a couple of lines to the script from the guide that tell iptables to let all traffic from the privoxy process through directly.

Here is the script that resulted:

    #!/bin/sh

    ### set variables
    #your internal interface
    _int_if="eth0"
    #the UID that Tor runs as (varies from system to system)
    _tor_uid="121"
    #Clearnet UIDs (all traffic from these UIDs is accepted directly)
    _privoxy_uid="122"
    _clearnet_uid="1001"
    #Tor's TransPort
    _trans_port="9040"
    #Tor's DNSPort
    _dns_port="5353"
    #Tor's VirtualAddrNetworkIPv4
    _virt_addr="10.192.0.0/10"
    #LAN destinations that shouldn't be routed through Tor
    _non_tor="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

    ### Don't lock yourself out after the flush
    #iptables -P INPUT ACCEPT
    #iptables -P OUTPUT ACCEPT

    ### flush iptables
    iptables -F
    iptables -t nat -F

    ### set iptables *nat
    #nat .onion addresses
    iptables -t nat -A OUTPUT -d $_virt_addr -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports $_trans_port
    #nat dns requests to Tor
    iptables -t nat -A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports $_dns_port
    #don't nat the Tor OR PRIVOXY process, the loopback, or the local network
    iptables -t nat -A OUTPUT -m owner --uid-owner $_tor_uid -j RETURN
    iptables -t nat -A OUTPUT -m owner --uid-owner $_privoxy_uid -j RETURN
    iptables -t nat -A OUTPUT -m owner --uid-owner $_clearnet_uid -j RETURN
    iptables -t nat -A OUTPUT -o lo -j RETURN
    iptables -t nat -A OUTPUT -d 10.0.0.0/8 -j RETURN
    iptables -t nat -A OUTPUT -d 127.0.0.0/8 -j RETURN
    iptables -t nat -A OUTPUT -d 172.16.0.0/12 -j RETURN
    iptables -t nat -A OUTPUT -d 192.168.0.0/16 -j RETURN
    #redirect whatever fell thru to Tor's TransPort
    iptables -t nat -A OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports $_trans_port

    ### set iptables *filter
    #*filter INPUT
    iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    #Don't forget to grant yourself ssh access for remote machines before the DROP.
    #iptables -A INPUT -i $_int_if -p tcp --dport 22 -m state --state NEW -j ACCEPT
    iptables -A INPUT -j DROP

    #*filter FORWARD
    iptables -A FORWARD -j DROP

    #*filter OUTPUT
    #possible leak fix. See warning.
    iptables -A OUTPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
    #allow only the Tor AND PRIVOXY processes output
    iptables -A OUTPUT -m owner --uid-owner $_tor_uid -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -m owner --uid-owner $_privoxy_uid -p tcp -m tcp -m state --state NEW -j ACCEPT
    iptables -A OUTPUT -m owner --uid-owner $_clearnet_uid -p tcp -m tcp -m state --state NEW -j ACCEPT
    #allow loopback output
    iptables -A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT
    #tor transproxy magic
    iptables -A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport $_trans_port --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
    #allow access to lan hosts in $_non_tor
    #these 3 lines can be omitted
    for _lan in $_non_tor; do
        iptables -A OUTPUT -d $_lan -j ACCEPT
    done
    #Log & Drop everything else.
    iptables -A OUTPUT -j LOG --log-prefix "Dropped OUTPUT packet: " --log-level 7 --log-uid
    iptables -A OUTPUT -j DROP

    #Set default policies to DROP
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

In the end:

  • The system has the DNS server address set to 127.0.0.1.
  • The iptables rule redirects requests to 127.0.0.1:53 to 127.0.0.1:5353 (Tor's DNSPort).
  • A separate browser is configured to use the local Privoxy proxy (privoxy's traffic goes out directly).

And everything seems to work, but there is a problem. DNS queries always go through Tor (even from the privoxy process), and this causes trouble: there is no access to the provider's local resources. This matters, for example, when you need to log in to your personal account from a 3G modem and top up the balance there (if there is no money in the account, there is no access to the outside Internet, which means Tor's DNS cannot work).

That is, in certain cases a DNS server other than the system one has to be used. The best solution would be an iptables rule that sends requests to 127.0.0.1:53 coming from the privoxy process to 8.8.8.8:53, or some way to tell the browser or the individual user to use a third-party DNS. How can this be done?

  • Doesn't the option of putting the mapping of the local resources to their IPs in /etc/hosts suit you? But if you want to redirect requests to 5353 only from Privoxy, what is your problem? You have the _privoxy_uid parameter in the script and an example of its use in the rule below. - MANKK
  • In my opinion, the problem is the order: REDIRECT should come after RETURN - sercxjo

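One way to give the clearnet UIDs their own resolver while every other process keeps Tor's DNSPort, as an added example that is not part of the original question or the comments: it replaces the nat OUTPUT section of the script above, keeps the question's UIDs, ports and address ranges, and assumes a local DNS forwarder (for instance dnsmasq, configured to use the external resolver upstream) listening on 127.0.0.1:5300 and running as UID 123; both of those values are hypothetical. The per-UID rules are placed ahead of the generic DNS REDIRECT, which is the ordering point the comments raise.

```shell
#!/bin/sh
# Added example (not the original poster's script): nat OUTPUT rules that keep the
# Tor transproxy for every process except the clearnet UIDs, whose DNS queries go
# to a local forwarder instead of Tor's DNSPort. UIDs, ports and the virtual address
# range are the question's values; the forwarder UID and port are assumptions.
_tor_uid="121"
_privoxy_uid="122"
_clearnet_uid="1001"
_fwd_uid="123"       # assumed UID of the clearnet DNS forwarder (e.g. dnsmasq)
_fwd_port="5300"     # assumed port the forwarder listens on, loopback only
_trans_port="9040"
_dns_port="5353"
_virt_addr="10.192.0.0/10"
_non_tor="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# $1 is the command that receives each rule: "iptables" to apply, "echo" to dry-run.
nat_output_rules() {
    ipt="$1"
    $ipt -t nat -F OUTPUT
    # .onion destinations go to Tor's TransPort for every UID, as in the original.
    $ipt -t nat -A OUTPUT -d "$_virt_addr" -p tcp --syn -j REDIRECT --to-ports "$_trans_port"
    # Clearnet UIDs: queries to the system resolver are redirected to the forwarder.
    # iptables stops at the first matching terminating target, so these must come
    # before the generic DNS REDIRECT below; in the original order that rule won.
    for uid in $_privoxy_uid $_clearnet_uid; do
        $ipt -t nat -A OUTPUT -d 127.0.0.1/32 -m owner --uid-owner "$uid" -p udp --dport 53 -j REDIRECT --to-ports "$_fwd_port"
        $ipt -t nat -A OUTPUT -d 127.0.0.1/32 -m owner --uid-owner "$uid" -p tcp --dport 53 -j REDIRECT --to-ports "$_fwd_port"
    done
    # Tor, the forwarder and the clearnet UIDs are otherwise not NATed at all.
    for uid in $_tor_uid $_fwd_uid $_privoxy_uid $_clearnet_uid; do
        $ipt -t nat -A OUTPUT -m owner --uid-owner "$uid" -j RETURN
    done
    # Everyone else: DNS to Tor's DNSPort, loopback and LAN untouched, rest to TransPort.
    $ipt -t nat -A OUTPUT -d 127.0.0.1/32 -p udp --dport 53 -j REDIRECT --to-ports "$_dns_port"
    $ipt -t nat -A OUTPUT -o lo -j RETURN
    for net in $_non_tor; do
        $ipt -t nat -A OUTPUT -d "$net" -j RETURN
    done
    $ipt -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports "$_trans_port"
}

# Filter OUTPUT rules to insert ahead of the original script's LOG/DROP tail: the
# forwarder is the only UID allowed to send port-53 traffic off the machine.
filter_forwarder_rules() {
    ipt="$1"
    $ipt -I OUTPUT -m owner --uid-owner "$_fwd_uid" -p udp --dport 53 -j ACCEPT
    $ipt -I OUTPUT -m owner --uid-owner "$_fwd_uid" -p tcp --dport 53 --syn -m state --state NEW -j ACCEPT
}

# 1-based position of the first dry-run nat rule containing the string $1
# (empty if none); used to check that the rule order is what the design requires.
rule_position() {
    nat_output_rules echo | grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}

# Dry-run (prints the rules) unless invoked as root with IPTABLES=iptables.
nat_output_rules "${IPTABLES:-echo}"
filter_forwarder_rules "${IPTABLES:-echo}"
```

The rest of the original filter section stays as it is: the clearnet UIDs reach the forwarder over loopback, which the script already accepts, and only the forwarder's own port-53 traffic is allowed out. Two things to keep in mind. First, this is a deliberate leak: whatever runs as the privoxy or clearnet UID resolves names in the clear, so the provider sees those lookups, and the forwarder should bind to 127.0.0.1 only. Second, the DNAT to 8.8.8.8:53 proposed in the question does not work for packets addressed to 127.0.0.1: after the destination rewrite the packet still carries its loopback source address, and the kernel refuses to route a packet with a loopback source out a non-loopback interface, so the query is silently dropped. Redirecting to a local forwarder that talks to the upstream resolver itself avoids that.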