Bug 4599 - User-specific IP addresses for outgoing connections
Status: CLOSED WONTFIX
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: VSM Agent
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.14.0
Assignee: Bugzilla mail exporter
Reported: 2013-04-16 14:53 CEST by Karl Mikaelsson
Modified: 2022-01-03 16:04 CET

Description Karl Mikaelsson cendio 2013-04-16 14:53:53 CEST
We have received requests for a feature similar to "Remote Desktop IP Virtualization" (used by Microsoft and Citrix).

In short, it makes all outgoing connections for a single user go through a separate IP address. This would make it easy to pinpoint which user is (ab)using the network by referencing the IP<->User assignments, as well as allowing use of services that only allow one connection from each IP in a terminal server environment.
Comment 2 Karl Mikaelsson cendio 2013-04-16 15:32:13 CEST
The solution presented in
http://serverfault.com/questions/236721/bind-process-or-user-to-specific-ip-linux
looks to be a good start:

>> iptables -t nat -A POSTROUTING -m owner --uid-owner user1 -j SNAT --to-source 192.168.1.2
>> iptables -t nat -A POSTROUTING -m owner --uid-owner user2 -j SNAT --to-source 192.168.1.3
>> iptables -t nat -A POSTROUTING -m owner --uid-owner user3 -j SNAT --to-source 192.168.1.4
>
> It is your responsibility to make sure that (a) you are not
> otherwise using the POSTROUTING nat chain, so these rules don't
> conflict with anything else, and (b) all these IP addresses are
> present on your NIC (you won't hear many replies otherwise).
>
> This will also only affect traffic originating locally from
> processes owned by these users. If these users are setting up
> network listening daemons, a different approach will be needed to
> handle replies, and if the server is acting as a router, this will
> not work; but you did not say that either of these circumstances
> applied, so I have not addressed the issues.
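
The two conditions in the quoted answer (addresses present on the NIC, no clash with other POSTROUTING rules) can be checked before any rule is loaded. The following is an added example, not part of the bug report or of ThinLinc: it validates a user-to-address mapping and prints the iptables commands, kept in a dedicated chain; the chain name `USER_SNAT`, the function name and the sample users and addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report. Emits per-user SNAT rules instead of
# running them, after checking the mapping against the addresses on the NIC.
CHAIN=USER_SNAT   # hypothetical dedicated chain, separate from other POSTROUTING rules

# Usage: gen_user_snat_rules "<addresses on the NIC>" < mapping
# Mapping lines are "<user> <source-ip>"; blank lines and # comments are skipped.
# The address list can come from:
#   ip -o -4 addr show | awk '{print $4}' | cut -d/ -f1
gen_user_snat_rules() {
    local_addrs=" $(echo $1) "   # normalise whitespace and newlines to single spaces
    seen_ips=" "; seen_users=" "; rules=""; rc=0
    while read -r user ip rest; do
        case "$user" in ''|'#'*) continue ;; esac
        err=""
        case "$user" in [!A-Za-z0-9_]*|*[!A-Za-z0-9_.-]*) err="unsafe user name" ;; esac
        case "$ip" in ''|*[!0-9.]*) err="bad IPv4 address '$ip'" ;; esac
        case "$rest" in ?*) err="trailing text" ;; esac
        if [ -z "$err" ]; then
            case "$local_addrs" in *" $ip "*) ;; *) err="$ip is not on the NIC" ;; esac
            # A shared address defeats the IP<->user attribution.
            case "$seen_ips" in *" $ip "*) err="$ip already assigned" ;; esac
            # Only the first matching SNAT rule fires; a second one is dead.
            case "$seen_users" in *" $user "*) err="duplicate user" ;; esac
        fi
        if [ -n "$err" ]; then
            echo "rejected '$user': $err" >&2; rc=1; continue
        fi
        seen_ips="$seen_ips$ip "; seen_users="$seen_users$user "
        rules="${rules}iptables -t nat -A $CHAIN -m owner --uid-owner $user -j SNAT --to-source $ip
"
    done
    [ "$rc" -eq 0 ] || return 1          # emit nothing unless every line passed
    echo "iptables -t nat -N $CHAIN"
    echo "iptables -t nat -A POSTROUTING -j $CHAIN"
    printf '%s' "$rules"
}

# Constructed sample data (documentation address range).
gen_user_snat_rules "192.0.2.11 192.0.2.12" <<'EOF'
# user   source address
alice    192.0.2.11
bob      192.0.2.12
EOF
```

The function only prints commands; review the output and run it as root to load the rules.
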
Comment 3 Karl Mikaelsson cendio 2013-04-16 15:56:27 CEST
The solution presented in comment #2 would of course only work on Linux. Solaris might have to do without this feature when/if we implement it.
Comment 4 Pierre Ossman cendio 2022-01-03 16:04:53 CET
This is out of scope for ThinLinc.
