Route eth2 TCP packets to tun0 with IPTABLES & IP RULE/ROUTE
Hi everyone,
I have 3 network interfaces on my Linux Router:
Code:
Interface - Gateway - Type
br0 - 192.168.0.1 - Internet
If I delete all default routes and add a new route to tun0 like:
Code:
route del default
----
Now the problem is that my VPN client does not allow any protocol other than TCP. I also want to allow VPN access only to eth2, not to any other LAN nor to the router itself. So the idea is to use iptables to filter TCP packets and mark them so they can be sent to tun0, while any other packets reach the Internet via br0 (192.168.0.1). I found on the Internet that we can mark packets before they get routed, using the following command:
Code:
iptables -t mangle -A PREROUTING -j MARK --set-mark 85 -i eth2 -p tcp --dport 80
I use the "iptables -L -v -t mangle" command to see how many packets are marked, and it is working fine: all TCP packets coming from eth2 are marked. Now the problem is that none of them are routed to tun0 :( They are all following the "route -n" rules and not the "table 300" rule I have created. Can anyone help me on that point or tell me what's wrong with what I'm trying to achieve?
Considering your config, it has a problem in that your ip rule overrides the "main" routing table entirely, rather than only the default gateway. Regardless, it should still work, given that "ip rule" by default inserts the rule after the "local" routing table (which is managed automatically).
I have also attempted to achieve the same thing, but with no success yet. It seems to be a bug in the "fwmark" match for "ip rule". Here's what I've put together so far:
Code:
# Select numbers for special routing tables. Append to /etc/iproute2/rt_tables:
Have you tried omitting the "dev" statement from "ip route add table 300 default via 10.0.0.2 dev tun0" and just giving it the gateway IP?
- Tait
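An added, self-contained example (not code from any post in this thread) of the whole setup the original poster describes: mark TCP arriving on eth2, send marked packets to table 300, give that table a default route out of tun0, and apply the two checks that most often explain "packets are marked but still follow route -n", namely reverse-path filtering and a stale route cache. It assumes interface names eth2 and tun0, mark 85 and table 300 as in the thread, and that tun0 is a point-to-point device; DRY_RUN=1 is an assumed switch that prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: fwmark policy routing of LAN TCP through a VPN tunnel.
# Assumptions (constructed, not from the thread): eth2 = LAN side,
# tun0 = point-to-point VPN device, mark 85, routing table 300.
LAN_IF=${LAN_IF:-eth2}
VPN_IF=${VPN_IF:-tun0}
FWMARK=${FWMARK:-85}
TABLE=${TABLE:-300}

# run: execute a command, or only print it when DRY_RUN=1 so the rule
# set can be reviewed (and tested) without root or real interfaces.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# policy_route_setup: apply the rules in dependency order.
policy_route_setup() {
    # 1. Mark TCP from the LAN in mangle/PREROUTING, which runs before the
    #    routing decision, so the mark can select the routing table.
    #    Nothing is marked in OUTPUT, so the router's own traffic and other
    #    LANs keep using the normal default route.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp \
        -j MARK --set-mark "$FWMARK"
    # 2. Marked packets consult table 300; the rule lands between the
    #    "local" and "main" tables, so "main" never sees them.
    run ip rule add fwmark "$FWMARK" table "$TABLE"
    # 3. Table 300 holds only a default route into the tunnel. A
    #    point-to-point tun device needs no "via"; if the peer address is
    #    known, "via <peer>" works as well.
    run ip route add default dev "$VPN_IF" table "$TABLE"
    # 4. Replies return on tun0, but strict reverse-path filtering (mode 1)
    #    validates them against "main" and silently drops them. Mode 2
    #    (loose) only requires that the source be reachable at all.
    run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
    run sysctl -w "net.ipv4.conf.$LAN_IF.rp_filter=2"
    # 5. The VPN peer knows nothing about LAN addresses: source-NAT what
    #    leaves through the tunnel.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    # 6. Kernels with a routing cache keep old lookups; flush so the new
    #    rule takes effect for existing flows.
    run ip route flush cache
}

# Usage: "sh this.sh apply" (as root) or "DRY_RUN=1 sh this.sh apply" to review.
if [ "${1:-}" = apply ]; then policy_route_setup; fi
```

To verify the result on a live router, "ip rule show" should list "fwmark 0x55 lookup 300" and "ip route show table 300" only the tun0 default; the per-packet counters from "iptables -L -v -t mangle" then tell you whether marking, or routing, is the step that fails.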
Quote:
Code:
# Mark output packets too.