You can use policy routing together with owner match (iptables) or skuid/skgid (nftables), and run those programs under different users.
- Add different nexthops to different tables:
ip route add default via 192.0.2.1 table 101
ip route add default via 192.0.2.2 table 102
ip route add default via 192.0.2.3 table 103
- Add rules to use them based on firewall mark:
ip rule add fwmark 1 lookup 101
ip rule add fwmark 2 lookup 102
ip rule add fwmark 3 lookup 103
- Add firewall rules to assign those marks to packets based on socket owner:
nft add rule filter output meta skuid 1001 mark set 1
nft add rule filter output meta skuid 1002 mark set 2
nft add rule filter output meta skuid 1003 mark set 3
or
iptables -t mangle -A OUTPUT -m owner --uid-owner 1001 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -m owner --uid-owner 1002 -j MARK --set-mark 2
iptables -t mangle -A OUTPUT -m owner --uid-owner 1003 -j MARK --set-mark 3
Now, programs which are run under UID 1001 will be routed through 192.0.2.1, and so on.
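The three steps above, as one added example script (not part of the original answer): it takes a list of "UID gateway" pairs, numbers the marks and routing tables automatically, and prints or applies the ip route, ip rule and nft commands for each user. The UIDs, gateways, mark values 1..N and table ids 101..100+N are constructed sample values; the nft table name "ip pbr" and its "output" chain are names assumed here. The chain is created with type route rather than filter: on the output hook, a route chain re-runs the routing decision when a rule changes the mark, so the fwmark rule actually selects the per-user table for locally generated packets.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) per-UID policy routing.
# Sample data, nft table/chain names and the mark/table numbering are
# assumptions of this example, not from the original answer.

# Constructed sample input: one "UID GATEWAY" pair per line.
UID_GATEWAYS='1001 192.0.2.1
1002 192.0.2.2
1003 192.0.2.3'

# Print the nft table and chain that the mark rules are appended to.
# Type "route" on the output hook makes the kernel reroute a packet whose
# mark was changed by a rule, which is what the fwmark ip rule relies on.
nft_chain_commands() {
    echo "nft add table ip pbr"
    echo "nft add chain ip pbr output '{ type route hook output priority -150; }'"
}

# Print the commands for one user.
# $1 = uid, $2 = gateway, $3 = 1-based index: mark = index, table = 100 + index
uid_route_commands() {
    uid=$1 gw=$2 idx=$3
    mark=$idx
    table=$((100 + idx))
    echo "ip route add default via $gw table $table"
    echo "ip rule add fwmark $mark lookup $table"
    echo "nft add rule ip pbr output meta skuid $uid meta mark set $mark"
}

# Print the complete setup for every pair in UID_GATEWAYS, in order.
all_commands() {
    nft_chain_commands
    idx=0
    printf '%s\n' "$UID_GATEWAYS" | while read -r uid gw; do
        [ -n "$uid" ] || continue
        idx=$((idx + 1))
        uid_route_commands "$uid" "$gw" "$idx"
    done
}

# "sh script.sh apply" executes the commands (needs root); anything else
# only prints them so the setup can be reviewed first.
if [ "${1:-}" = apply ]; then
    all_commands | while read -r cmd; do eval "$cmd"; done
else
    all_commands
fi
```

Run it without arguments to see the eleven commands it would issue; run it with `apply` as root to create the chain, tables and rules. It emits the nftables variant only; the iptables form from the answer would go into the mangle table's OUTPUT chain instead of the nft chain.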
LD_PRELOAD or chroot or a VM or something.