Redirect NAT Traffic of iptables to its source interface

cwdztsd88 · 04-08-2024, 11:11 AM

How to redirect NAT traffic of iptables to its source interface?
I am working on wireguard vpn structure that is exotic:
for every client that will request vpn session my server will create a unique interface dedicated to one client. Design is simple: Server is 10.0.0.1, client is 10.0.0.2
But...

PostUp = iptables -A FORWARD -i intfc -j ACCEPT; iptables -t nat -A POSTROUTING -o ens5 -j MASQUERADE
PostDown = iptables -D FORWARD -i intfc -j ACCEPT; iptables -t nat -D POSTROUTING -o ens5 -j MASQUERADE

This sometimes causes connectivity issues if more than one client dedicated interfaces exists and that causes confusion on routing. How to get around of it?. My idea is making NAT redirect its returning traffic from internet to be routed to source interface but dont have experience in iptables at all.

smallpond · 04-09-2024, 08:13 AM

iptables can send packets to a destination IP. Routing tables determine which interface that will be, not iptables. Have a look at iproute2 (policy based routing). https://lartc.org/howto/

cwdztsd88 · 04-09-2024, 04:37 PM

Thanks, reading right now. Will report progress.

cwdztsd88 · 04-12-2024, 03:45 PM

Update:I feel alienated. I always thought fowarding and routing was same many years since i didn't felt to engineer networking stuff.

cwdztsd88 · 04-13-2024, 02:47 AM

Quote:

Originally Posted by smallpond

iptables can send packets to a destination IP. Routing tables determine which interface that will be, not iptables. Have a look at iproute2 (policy based routing). https://lartc.org/howto/

Code:

sudo iptables -A PREROUTING -t mangle -p udp --dport 55210 -j MARK --set-mark 55210
sudo sh -c 'echo "200 wireguard.test" >> /etc/iproute2/rt_tables'
sudo ip rule add fwmark 55210 table wireguard.test
ip route add default via 10.0.0.2 dev wgutodf8 table wireguard.test

I did something like this but it didn't worked, where did i go wrong?