LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 02-09-2011, 02:55 PM   #1
scorp1o
LQ Newbie
 
Registered: Jul 2006
Posts: 10

Rep: Reputation: Disabled
iptables mark incoming pkg to send out to specific eth


I have a box behind a router (m0n0wall) which itself is running an ftp service, web service and SSH service. I do port forwards from the m0n0wall router to that box (box ip 192.168.1.20). I've recently setup a VPN client as well and here is the problem.

I want incoming traffic on specific ports 22,443 on that box to be passed out the same way as they came in, namely eth0. The VPN connection is ppp0 and is set as default eth device(!). Can it be done in the following way?

Adding a mark rule to mark packages with destination ports 9091, 443 and 22
Code:
 $iptables -t mangle -A PREROUTING -p tcp -i eth0 -m multiport --dport 9091,443,22 -j MARK --set-mark 85
Routing tables
Code:
$cat /etc/iproute2/rt_tables
255     local
254     main
253     default
0       unspec
85      special
192.168.1.1 is the gateway address (router)
Code:
$ip route show table 85
192.168.1.0/24 dev eth0  scope link 
default via 192.168.1.1 dev eth0
Code:
$ip rule
0:      from all lookup local
32765:  from all fwmark 0x55 lookup special
32766:  from all lookup main
32767:  from all lookup default
I'm doing this remotely from another location, so I don't want to make errors (I've already had my share of those).

Am I missing something or does this look correct?
Any help is appreciated!

Last edited by scorp1o; 02-18-2011 at 08:36 AM.
 
Old 02-10-2011, 10:05 AM   #2
rafatmb
LQ Newbie
 
Registered: Feb 2011
Posts: 27

Rep: Reputation: 3
Hi,

That should work.

Don't forget to create the iptables filter rules on FORWARD to accept forwarding these packets.
 
Old 02-10-2011, 03:21 PM   #3
scorp1o
LQ Newbie
 
Registered: Jul 2006
Posts: 10

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by rafatmb View Post
Hi,

That should work.

Don't forget to create the iptables filter rules on FORWARD to accept forwarding these packets.
Hey rafatmb, thanks for your reply!
Do you mean something like this:
Code:
$iptables -t filter -A FORWARD -m mark --mark 0x55 -j ACCEPT
Or what should it be?

I can't seem to get this to work unfortunately.
I see that I have several packages (and bytes) marked when I run
Code:
$iptables -n -t mangle --list -v
My default routing table:
Code:
$route -n
xxx.xxx.158.2   192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
xxx.xxx.158.2   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
xxx.xxx.240.0   192.168.1.1     255.255.255.0   UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
As you can see, I have ppp0 as my default internet device in this table. Together with my first post I thought this would be enough to get it working, but apparently not.
Anyone that can help?

Last edited by scorp1o; 02-10-2011 at 03:22 PM.
 
Old 02-13-2011, 03:41 PM   #4
scorp1o
LQ Newbie
 
Registered: Jul 2006
Posts: 10

Original Poster
Rep: Reputation: Disabled
Please anyone that can help?

Still seeing a lot of packages being marked by the rule
Code:
$iptables -t mangle -A PREROUTING -p tcp -i eth0 -m multiport --dport 9091,443,22 -j MARK --set-mark 85
but it does not seem to use the route in my special table =(
 
Old 02-17-2011, 02:42 PM   #5
scorp1o
LQ Newbie
 
Registered: Jul 2006
Posts: 10

Original Poster
Rep: Reputation: Disabled
Bump..

Still haven't got this to work, anyone have any ideas?
 
Old 02-18-2011, 08:34 AM   #6
scorp1o
LQ Newbie
 
Registered: Jul 2006
Posts: 10

Original Poster
Rep: Reputation: Disabled
I've solved it. I used the wrong chain for what I wanted to achieve; this rule did solve it in the end for me:
Code:
iptables -t mangle -A OUTPUT -p tcp -m multiport --sport 22,9091,26999,26000:26100 -j MARK --set-mark 0x55
Since I have port forwards into the box (with the above ports), they have to find the same way out as they came in, and that is what the rule above does, via the mark rule and then fwmark matching my special table (85).
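The thread's pieces, put together as one reviewable script. This is an added example, not code from any post above or from the m0n0wall project. The interface names, LAN subnet, gateway, table number 85, mark 0x55 and the port list are assumptions taken from the thread; DRY_RUN is a hypothetical switch that prints the commands instead of running them. The reason the first attempt failed is visible in the chain choice: replies from a local service are generated by the box itself and pass through mangle OUTPUT, never PREROUTING, so a PREROUTING mark on the incoming packet never influences where the reply is routed. The script therefore marks replies in OUTPUT by source port, as in the final post, and goes one step further with a CONNMARK variant that ties every reply to the interface the connection arrived on, whatever the port; it also includes a check that a decimal mark in the iptables rule and the hex fwmark printed by ip rule really name the same number.

```shell
#!/bin/sh
# Added example (not from the thread): make replies from port-forwarded services
# leave via the LAN interface they arrived on while ppp0 is the default route.
# Assumed values (hypothetical, chosen to match the thread):
#   eth0, 192.168.1.0/24 via 192.168.1.1, table 85 ("special"), mark 0x55,
#   forwarded TCP ports 22, 443 and 9091.
# DRY_RUN=1 (the default) prints the commands instead of executing them, so the
# result can be reviewed before the script is run as root on the real box.

LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}
LAN_GW=${LAN_GW:-192.168.1.1}
TABLE=${TABLE:-85}            # number listed in /etc/iproute2/rt_tables
MARK=${MARK:-0x55}            # 0x55 == 85 decimal; both spellings are the same mark
PORTS=${PORTS:-22,443,9091}   # TCP ports the router forwards to this box
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# iptables accepts the mark in decimal or hex, `ip rule` prints it in hex.
# Compare numerically so that 85 and 0x55 are recognised as the same mark.
mark_matches() {
    [ "$(( $1 ))" -eq "$(( $2 ))" ]
}

# Given the text of `ip rule show` and a mark (any base), report whether a
# fwmark rule for that mark exists. Tolerates "fwmark 0x55" and "fwmark 0x55/...".
ip_rule_has_mark() {
    wanted=$(printf '0x%x' "$(( $2 ))")
    printf '%s\n' "$1" | grep -Eq "fwmark $wanted( |/|$)"
}

# Replies are locally generated and traverse mangle OUTPUT, never PREROUTING,
# so the mark is applied here, keyed on the service's *source* port.
mark_reply_traffic() {
    run iptables -t mangle -A OUTPUT -p tcp -m multiport --sports "$PORTS" \
        -j MARK --set-mark "$MARK"
}

# More general variant: remember on the connection (CONNMARK) that it came in
# via the LAN interface and re-apply that mark to every reply, whatever the
# port. Connections that arrived via ppp0 keep mark 0 and stay on the VPN.
mark_reply_traffic_by_connection() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
}

# Routing table consulted only for marked packets: the LAN route plus the
# router as default gateway, selected by the fwmark rule.
setup_table() {
    run ip route replace "$LAN_NET" dev "$LAN_IF" scope link table "$TABLE"
    run ip route replace default via "$LAN_GW" dev "$LAN_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 32765
}

# Things to look at when it does not work: the OUTPUT rule's packet counter
# must grow while a forwarded session is open, and `ip rule` must list the mark.
show_status() {
    run iptables -t mangle -L OUTPUT -v -n
    run ip rule show
    run ip route show table "$TABLE"
}

main() {
    setup_table
    mark_reply_traffic
    show_status
}

main "$@"
```

Run it once with the default DRY_RUN=1 and compare the printed commands with what is already on the box; only then run it with DRY_RUN=0 as root. If mark_reply_traffic_by_connection is used instead of mark_reply_traffic, the port list is no longer needed, which avoids having to extend the rule every time another port is forwarded.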
 
  

