Port based routing

tkalfaoglu · 06-10-2022, 11:53 PM

Hello. I have a dilemma. I would like most ports to go over my VPN connection, and one port to go over directly. the gateways are 10.8.0.5 and 192.168.1.60 respectively.

I so far did this:

Code:

# more /etc/rt_tables 
(...)
1       vpn
2       bitnet

and wrote a script that has:

Code:

iptables -A PREROUTING -t mangle -i enp6s0 -p tcp --dport 30890  -j MARK --set-mark 2
iptables -A PREROUTING -t mangle -i enp6s0 -p udp  --dport 30890 -j MARK --set-mark 2
ip route add 10.8.0.5 dev tun0
ip route add 192.168.1.60 dev enp6s0
ip route add default via 10.8.0.5 dev tun0       table vpn
ip route add default via 192.168.1.60 dev enp6s0 table bitnet
ip rule add from all fwmark 1 table vpn
ip rule add from all fwmark 2 table bitnet

I am missing something. After running it nothing can be pinged or reached, even the gateways do not answer to pings. I feel I need to add something to table bitnet so that it's used for "everything else" but how do I formulate that?

ferrari · 06-11-2022, 08:27 PM

You currently have

Code:

iptables -A PREROUTING -t mangle -i enp6s0 -p tcp --dport 30890  -j MARK --set-mark 2
iptables -A PREROUTING -t mangle -i enp6s0 -p udp  --dport 30890 -j MARK --set-mark 2

For outgoing packets use the OUTPUT chain (PREROUTING is for incoming packets)...

Code:

iptables -A OUTPUT -t mangle -i enp6s0 -p tcp --dport 30890  -j MARK --set-mark 2
iptables -A OUTPUT -t mangle -i enp6s0 -p udp  --dport 30890 -j MARK --set-mark 2

Useful reference:
https://stackunderflow.dev/p/iptables-for-routing/

You should only have one default gateway so remove

Code:

ip route add default via 192.168.1.60 dev enp6s0 table bitnet

and use

Code:

ip route add 0.0.0.0/1 via 192.168.1.60 dev enp6s0 table bitnet