iptables: preroute outgoing packets from tun0 to eth0?
I have a strange problem.
I have an ssh daemon running on my server (192.168.1.2, eth0).
The default gateway for all traffic is 192.168.1.1 (my router).
The router has the public IP 220.127.116.11, and port 22222 forwards everything to my server (192.168.1.2) on port 22.
That is nothing special.
I just set the port when I want to connect to my server from outside:
When I connect to a VPN server I get IP 10.0.2.3 on the tun0 device. The default gateway is changed to 10.0.2.1, and only connections to 192.168.1.0/24 still go through 192.168.1.1.
That is absolutely OK, because I want all connections to go through the VPN.
This is where the problem begins:
When I now try to connect from outside (i.e. from 18.104.22.168) to my server using the above command, the connection is not established. The iptables log gave me the explanation:
1. incoming packets for the server connection come in through eth0
2. but outgoing packets from my server to 22.214.171.124 go out through the VPN gateway (10.0.2.1, tun0), because that is the default gateway when the VPN connection is active
Any ideas how I could solve this? I could set one more route for IP 126.96.36.199 to force it through eth0, but 188.8.131.52 is a dynamic IP which I get on the 3G connection on my notebook.
I was thinking about prerouting/postrouting outgoing packets on tun0 for port 22 to eth0, but I was not able to find anything for that in iptables. Is it even possible to solve it like that?
Could I maybe somehow add a route on the first incoming packet for this IP and delete it when the connection is gone?
Or is there some much more elegant solution?
OK, I was thinking too complicated. I made an ssh tunnel to my server:
That is working pretty OK, but it is not a solution I like:
1. I have to keep the SSH port open on my router
2. I have to connect twice (router + server)
So back to my original question: is there a way to somehow force a service or an iptables rule to a specific gateway?
Nobody has any other ideas?
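The question asked in the original post and repeated in the follow-up (forcing one service's traffic to a specific gateway while tun0 holds the default route) is what the kernel's policy routing is for: mark the connection when its first packet arrives on eth0, copy that mark onto the locally generated replies, and send marked packets through a second routing table whose default route is the LAN router. The script below is an added example, not code from the thread. It uses the values given in the post (eth0, gateway 192.168.1.1, sshd on port 22); the routing table number 100, the mark value 0x1, the rule priority 1000 and the DRY_RUN switch are assumptions, and by default it only prints the commands so it can be reviewed before it is run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: reply packets for connections that arrived on eth0 leave via
# 192.168.1.1 even while tun0 provides the default route. Values from the post:
# LAN_IF, LAN_GW, SSH_PORT. TABLE, MARK, the rule priority and DRY_RUN are
# assumptions made for this example.

LAN_IF="${LAN_IF:-eth0}"
LAN_GW="${LAN_GW:-192.168.1.1}"
SSH_PORT="${SSH_PORT:-22}"
TABLE="${TABLE:-100}"        # assumed spare routing table number
MARK="${MARK:-0x1}"          # assumed fwmark / connmark value
DRY_RUN="${DRY_RUN:-1}"      # 1 = print commands only, 0 = execute (needs root)

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

policy_route_replies() {
    # 1. A separate routing table whose only default route is the LAN router.
    run ip route replace default via "$LAN_GW" dev "$LAN_IF" table "$TABLE"

    # 2. Packets carrying the mark consult that table before the main table
    #    (where the VPN has installed its default route through tun0).
    run ip rule add fwmark "$MARK" table "$TABLE" priority 1000

    # 3. When a NEW sshd connection arrives on the LAN interface, remember the
    #    mark on the conntrack entry (CONNMARK) rather than on the packet.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport "$SSH_PORT" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"

    # 4. Locally generated replies belonging to a marked connection get the
    #    packet mark; netfilter re-runs the routing decision after mangle
    #    OUTPUT when the mark changes, so the ip rule above takes effect.
    run iptables -t mangle -A OUTPUT -p tcp --sport "$SSH_PORT" \
        -m connmark --mark "$MARK" -j MARK --set-mark "$MARK"

    # 5. Strict reverse-path filtering would drop the incoming SYN, because the
    #    main table says the 3G source address is reached via tun0, not eth0.
    #    Loose mode (2) accepts it as long as some route to the source exists.
    run sysctl -w "net.ipv4.conf.$LAN_IF.rp_filter=2"
}

policy_route_replies
```

Run it once as `DRY_RUN=1 sh policy-route.sh` to see the five commands, then with `DRY_RUN=0` as root to apply them. `ip rule show`, `ip route show table 100` and `iptables -t mangle -L -v -n` confirm the rule, the table and (via the packet counters) that replies are actually being marked. Connections that the server itself opens while the VPN is up are untouched, because only sessions that arrived on eth0 ever get the connmark.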