Hello LQ people, I've been getting white hair over this; I hope someone can help me.
So my setup is: I have 2 servers, linked with a VPN using 10.1.0.x IPs. Both are directly on the net with a public IP, so both have two interfaces, eth0 and tun0.
I set up one of the servers to act as a router with NAT; requests sent to it are redirected through the VPN to the other server. Up to there everything works great.
Now the problem is that the other server will send answers to the net (through eth0), since that is the default route. I got it working fully by replacing the default gateway with the VPN one (i.e. 10.1.0.1); however, this is annoying since it prevents directly connecting to the server from the net.
So I decided to set up policy routing with packet marking (http://www.debian-administration.org...Policy_routing).
Now this is where it starts to be fun. iptables has a rule to catch all packets with source "10.1.0.6" and mark them. Then there is a "fwmark" entry in the ip rules to catch the mark and redirect the packet to a specific table.
The table is as follows:
10.1.0.1 dev tun0 scope link
default via 10.1.0.1 dev tun0
That's the situation. Now the problem:
# done from the target server
ping -I 10.1.0.6 linuxquestion.org
Works fine. But if I do:
# done from a random computer external to network
telnet NATSERVERIP PORT
it fails. And if I use tcpdump I can see the packets properly arriving through tun0, but being sent back through eth0.
tun0: (don't mind the timestamps, they are not from the same batch)
20:47:57.108498 IP 10.1.0.6 > X.X.X.X: ICMP echo request, id 58387, seq 4, length 64
20:47:57.136775 IP X.X.X.X > 10.1.0.6: ICMP echo reply, id 58387, seq 4, length 64
20:49:03.164488 IP X.X.X.X.34657 > 10.1.0.6.9000: S 674528219:674528219(0) win 5840 <mss 1368,sackOK,timestamp 6146680 0,nop,wscale 6>
21:55:58.921525 IP 10.1.0.6.9000 > X.X.X.X.34414: S 3516043788:3516043788(0) ack 2055095368 win 5792 <mss 1460,sackOK,timestamp 30904896 7127002,nop,wscale 7>
In summary, why:
Mar 26 20:47:57 server kernel: iptables-testIN= OUT=eth0 SRC=10.1.0.6 DST=X.X.X.X LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=58387 SEQ=4
is routed properly. While
Mar 26 20:49:13 server kernel: iptables-testIN= OUT=eth0 SRC=10.1.0.6 DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=9000 DPT=34657 WINDOW=5792 RES=0x00 ACK SYN URGP=0
is routed through eth0, given that both are marked.
Thanks to anyone who can give me a clue!
PS: both servers are running Debian 5 Lenny.
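As an added example (not code from the original post), a small Python audit that parses iptables LOG lines in the format shown above and flags every packet that left through an interface other than the one the policy for its source address requires (here: 10.1.0.6 must egress via tun0, as in the post). The sample log lines are constructed to mimic the post's format; the public addresses in them are documentation ranges, and the log prefix "iptables-test" is the one from the post.

```python
"""Audit iptables LOG lines for policy-routing leaks (added example)."""

# Policy: source address -> interface its packets must leave through.
# 10.1.0.6 / tun0 come from the post; extend the dict for more hosts.
POLICY = {"10.1.0.6": "tun0"}

# Constructed sample log lines in the post's format; the public
# addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = [
    # ICMP reply correctly steered into the tunnel.
    "Mar 26 20:47:57 server kernel: iptables-testIN= OUT=tun0 SRC=10.1.0.6 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=58387 SEQ=4",
    # SYN-ACK for the forwarded connection leaking out the public interface.
    "Mar 26 20:49:13 server kernel: iptables-testIN= OUT=eth0 SRC=10.1.0.6 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=9000 DPT=34657 WINDOW=5792 RES=0x00 ACK SYN URGP=0",
    # Traffic sourced from the public address is not covered by the policy.
    "Mar 26 20:50:01 server kernel: iptables-testIN= OUT=eth0 SRC=198.51.100.7 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=50123 WINDOW=5792 RES=0x00 ACK URGP=0",
    "Mar 26 20:50:02 server kernel: something unrelated",
]

def parse_log_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line as a dict,
    or None if the line is not a LOG entry. Bare flags (DF, SYN, ACK)
    are stored as True; an empty value (IN= for local output) as ""."""
    idx = line.find("IN=")
    if idx < 0:
        return None
    fields = {}
    for tok in line[idx:].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields[tok] = True
    return fields

def find_leaks(lines, policy=POLICY):
    """Return one summary per logged packet whose OUT interface differs
    from the one the policy requires for its source address."""
    leaks = []
    for line in lines:
        fields = parse_log_line(line)
        if fields is None:
            continue
        expected = policy.get(fields.get("SRC"))
        if expected and fields.get("OUT") != expected:
            leaks.append({"src": fields["SRC"], "dst": fields.get("DST"),
                          "proto": fields.get("PROTO"), "sport": fields.get("SPT"),
                          "out": fields.get("OUT"), "expected": expected})
    return leaks

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG):
        print("leak:", leak)
```

Note that OUT= reflects the interface the kernel had chosen at the point the LOG rule fired, so a LOG rule in the mangle OUTPUT chain records the pre-mark choice; log from POSTROUTING (or watch each interface with tcpdump, as the post does) to see the final decision.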