Optimizing Linux Traffic: A Comprehensive Guide to Dnsmasq & Ipset Routing Techniques

Hello there! Today, I’m going to demonstrate a unique way of routing with Linux tools. We'll learn how to direct traffic through different gateways based on its origin and destination. This can be handy for creating a double VPN, speeding up certain website loads, especially in regions with internet restrictions like China.

Key Tools We'll Use:

• Policy based routing
• Dnsmasq
• Ipset

Our setup will be on an Ubuntu Server 16.04. For demonstration purposes, I'll show how you can use a PPTP server (optional) to set up a double VPN for certain websites.

Network Setup:

A client, located in the network 192.168.5.0/24, connects via PPTP to our Ubuntu Server (192.168.6.1). Upon sending a request, the server checks the destination address. If the address is in our database, it routes to the gateway - router 1, with address 192.168.6.254. Otherwise, it uses the default gateway.

Implementation Steps:

1. Initial Configuration:

   • Go into superuser mode with

sudo su

• Update and install the necessary packages:

apt update
apt upgrade
apt install ipset dnsmasq

2. Setting Up Ipset:

   • Create a list for ipset with a possible timeout for entries:

ipset create to2ndSRV hash:ip

• If you need to manually add an address to the list, use:

ipset add to2ndSRV 8.8.8.8

• And for removal:

ipset del to2ndSRV 8.8.8.8

• To view the list:

ipset list to2ndSRV

3. Fine-tuning Dnsmasq:

• For adding resources that have many addresses, you can use dnsmasq. Configure dnsmasq by editing /etc/dnsmasq.conf and adding the necessary directives.

nano /etc/dnsmasq.conf

listen-address=127.0.0.1
listen-address=192.168.6.1
server=/ident.me/vk.com/127.0.0.1
ipset=/ident.me/vk.com/to2ndSRV

• The initial lines ensure dnsmasq doesn't reveal itself externally to avoid abuse reports. For consistency in address additions, DNS queries should route through dnsmasq. The simplest method is by setting our server (192.168.6.1) as the DNS server on the client.
• Restart dnsmasq:

/etc/init.d/dnsmasq restart

• Check that the addition of resources is working correctly:

host ident.me
ipset list

The output should be similar to (ident.me address should be added to the list):

Name: to2ndSRV
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600
Size in memory: 320
References: 0
Members:
176.58.123.25 timeout 3594

4. Traffic Routing:

   • To ensure traffic routes to the appropriate gateway based on the address in our list, edit the scripts for raising and lowering the interface, specifically, /etc/ppp/ip-up and /etc/ppp/ip-down.
   • If the second router is unavailable, the traffic should go directly via the default gateway. Thus, remember to edit both mentioned files appropriately.

nano /etc/ppp/ip-up

Add lines to the end of the file:

case "$5" in
        192.168.6.254)
        echo 2 > /proc/sys/net/ipv4/conf/$1/rp_filter
                       /sbin/ip route add default via 192.168.6.254 table 120
        /sbin/ip rule add fwmark 0x1 table 120 priority 1000
        ip route fush cache
        iptables -t mangle -A PREROUTING -s 192.168.5.0/24 -m set --match-set to2ndSRV dst -j MARK --set-mark 1
        iptables -t nat -A POSTROUTING -o $1 -j MASQUERADE
                ;;
        *)
esac

Some details about the script:

echo 2 > /proc/sys/net/ipv4/conf/$1/rp_filter — Disables the route policy filter. It's an undesirable line, but without it, things didn't work for me.

iptables -t mangle -A PREROUTING -s 192.168.5.0/24 -m set --match-set to2ndSRV dst -j MARK --set-mark 1 — Here, we add a mangle rule in iptables for packet marking. If the destination address is present in ipset, the packet is marked.

/sbin/ip route add default via 192.168.6.254 table 120 — We create a new routing table to direct traffic to our second router.

/sbin/ip rule add fwmark 0x1 table 120 priority 1000 — We add a rule to the created routing table, so marked packets are directed to our second router.

ip route flush cache — Clear the cache.

iptables -t nat -A POSTROUTING -o $1 -j MASQUERADE — We perform Network Address Translation (NAT) for traffic to our second router.

Edit second file:

nano /etc/ppp/ip-down

case $5 in
        192.168.6.254)
        ip rule delete fwmark 0x1 table 120 priority 1000
                ip route delete default via 192.168.6.254 table 120
                ip route flush cache
        iptables -t mangle -D PREROUTING -s 192.168.5.0/24 -m set --match-set to2ndSRV dst -j MARK --set-mark 1
                iptables -t nat -D POSTROUTING -o $1 -j MASQUERADE
                ;;
        *)
esac

5. Client and Router Setup:

   • Add a user for the client and second router by editing /etc/ppp/chap-secrets, and restart PPTP.

nano /etc/ppp/chap-sercets

test1   pptpd   testtest        192.168.5.100
srv     pptpd   testtest        192.168.6.254

/etc/init.d/pptpd restart

Testing:

After setup, connect with the client and router. From the client, perform a traceroute to a resource from your list. For instance, you might see that packets to a site like ident.me may pass through our gateway, whereas others might go directly.

traceroute to ya.ru (87.250.250.242), 30 hops max, 60 byte packets
 1  192.168.6.1 (192.168.6.1)  1.120 ms  1.064 ms  1.048 ms
 2  * * *
 3  192.168.55.1 (192.168.55.1)  4.209 ms  4.237 ms  4.233 ms
 4  10.45.0.1 (10.45.0.1)  6.014 ms  6.008 ms  6.285 ms

traceroute to ident.me (176.58.123.25), 30 hops max, 60 byte packets
 1  192.168.6.1 (192.168.6.1)  1.136 ms  1.171 ms  1.166 ms
 2  cs01.et-code.ru (192.168.6.254)  8.188 ms  8.183 ms  8.179 ms
 3  * * *
 4  192.168.55.1 (192.168.55.1)  26.074 ms  26.123 ms  26.119 ms
 5  10.45.0.1 (10.45.0.1)  30.085 ms  30.198 ms  30.195 ms

Conclusion:

This Linux-based routing method provides more flexibility in managing and directing your traffic, ensuring faster load times and overcoming region-based restrictions. It's a valuable tool for anyone looking to optimize their network's efficiency.