LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
01-16-2016, 03:52 AM   #1
canufrank
Unable to implement port based selective routing


My router is set up (through its UI) to do IP based selective routing. The following 4 code blocks are the default settings, where 192.168.0.46 routes through the VPN while all other clients use the ISP. The setup ensures that even if the VPN fails, the client will be blocked. Today, the ISP's public IP is 104.175.4.xxx and the VPN's is 172.98.67.yyy. All of this is working fine.

All LAN clients are on br0, the ISP is on eth0 and the VPN is on tun11.

policies:
Code:
# ip rule
0:      from all lookup local
1201:   from 192.168.0.46 lookup vpn1
32766:  from all lookup main
32767:  from all lookup default

# ip route show
104.175.4.1 dev eth0  scope link
172.98.67.yyy via 104.175.4.1 dev eth0
10.199.1.5 dev tun11  proto kernel  scope link  src 10.199.1.6
192.168.0.0/24 dev br0  proto kernel  scope link  src 192.168.0.1
104.175.4.0/22 dev eth0  proto kernel  scope link  src 104.175.4.xxx
127.0.0.0/8 dev lo  scope link
default via 104.175.4.1 dev eth0

# ip route show table vpn1
104.175.4.1 dev eth0  scope link
10.199.1.5 dev tun11  proto kernel  scope link  src 10.199.1.6
172.98.67.yyy via 104.175.4.1 dev eth0
10.199.1.1 via 10.199.1.5 dev tun11
192.168.0.0/24 dev br0  proto kernel  scope link  src 192.168.0.1
104.175.4.0/22 dev eth0  proto kernel  scope link  src 104.175.4.xxx
127.0.0.0/8 dev lo  scope link
0.0.0.0/1 via 10.199.1.5 dev tun11
128.0.0.0/1 via 10.199.1.5 dev tun11
default via 10.199.1.5 dev tun11
filter, mangle, nat
Code:
# iptables -L -vn
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
    1    28 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmptype 8
   75  3999 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state INVALID
53429 7651K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 3564  890K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
26277 2742K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp !type 8
  303 43644 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   23  1472 ACCEPT     all  --  tun11  *       0.0.0.0/0            0.0.0.0/0
 192K   97M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state INVALID
    2   104 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
 1975  117K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 41242 packets, 9281K bytes)
 pkts bytes target     prot opt in     out     source               destination


###########################
# iptables -t mangle -L -vn
Chain PREROUTING (policy ACCEPT 113K packets, 61M bytes)
 pkts bytes target     prot opt in     out     source               destination
   16  1442 MARK       all  --  !eth0  *       0.0.0.0/0            104.175.4.xxx        MARK set 0xb400

Chain INPUT (policy ACCEPT 23450 packets, 3490K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 89414 packets, 57M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 20813 packets, 3632K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 110K packets, 61M bytes)
 pkts bytes target     prot opt in     out     source               destination



########################
# iptables -t nat -L -vn
Chain PREROUTING (policy ACCEPT 7096 packets, 537K bytes)
 pkts bytes target     prot opt in     out     source               destination
  305 36277 VSERVER    all  --  *      *       0.0.0.0/0            104.175.4.xxx

Chain INPUT (policy ACCEPT 5499 packets, 446K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4695 packets, 400K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 4695 packets, 400K bytes)
 pkts bytes target     prot opt in     out     source               destination
   17  1008 MASQUERADE  all  --  *      tun11   192.168.0.0/24      0.0.0.0/0
 1837  109K MASQUERADE  all  --  *      eth0   !104.175.4.xxx        0.0.0.0/0
    2   104 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0xb400

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  303 36173 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain VUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination
As the title says, I wish to implement port based routing. Specifically, I would like ports 80,443 & 32400 on the normally VPN routed client (192.168.0.46) to travel over the ISP/WAN. A lot of reading and poking about led me to issue
Code:
# ip rule add from 192.168.0.46 fwmark 0x80 table main prio 999
# iptables -t mangle -A PREROUTING --src 192.168.0.46 -p tcp -m multiport --ports 80,443,32400 -j MARK --set-mark 0x80
# ip route flush cache
However, I can see no difference. It seems like all traffic on the client is still traversing the VPN. e.g. curl is using 80 or 443, but on the client
Code:
# curl ipecho.net/plain
172.98.67.yyy # the VPN's IP
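The same fwmark-based policy routing the post above is trying to get working, written out as an added example (this is not the poster's code and not a fix from the thread). It reuses the addresses, interface names, mark 0x80 and priority 999 from the post; the port list, the choice of `--dports` instead of `--ports`, inserting the MARK rule at the top of mangle PREROUTING, and the `ip route get` check are this example's own choices. The script runs in dry-run mode (it prints the commands it would run) unless DRY_RUN=0 is set and it is run as root on the router.

```shell
#!/bin/sh
# Added example: port-based policy routing with a firewall mark.
# Values from the post: client 192.168.0.46, LAN on br0, ISP on eth0, VPN on tun11,
# the vpn1 table selected at priority 1201, mark 0x80 and priority 999.
# Assumed here (not from the post): the rule is inserted first in PREROUTING,
# matches destination ports only, and is added idempotently.

CLIENT=192.168.0.46
PORTS=80,443,32400
MARK=0x80
PRIO=999
LAN_IF=br0
CHECK_DST=8.8.8.8          # any public address; only used with 'ip route get'

DRY_RUN=${DRY_RUN:-1}      # 1 = print commands, 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# True when the fwmark rule is already in the RPDB (so re-running does not duplicate it).
rule_present() {
    ip rule show 2>/dev/null | grep -q "from $CLIENT fwmark $MARK lookup main"
}

apply_policy() {
    # 1. Mark TCP packets from the client to the selected destination ports.
    #    Marking happens in mangle PREROUTING, i.e. before the routing decision.
    #    -I ... 1 places the rule first so an earlier rule cannot pre-empt it;
    #    --dports (not --ports) so only the destination port selects the traffic.
    run iptables -t mangle -I PREROUTING 1 -i "$LAN_IF" -s "$CLIENT" \
        -p tcp -m multiport --dports "$PORTS" -j MARK --set-mark "$MARK"

    # 2. Marked packets from the client consult the main table (default via eth0)
    #    at priority 999, which is evaluated before the vpn1 rule at 1201.
    if [ "$DRY_RUN" = 1 ] || ! rule_present; then
        run ip rule add from "$CLIENT" fwmark "$MARK" lookup main prio "$PRIO"
    fi

    run ip route flush cache
}

# Ask the kernel which route a marked packet from the client would take,
# without sending any traffic.  On the router the answer should name eth0,
# not tun11, if the policy is in effect.
verify_policy() {
    run ip route get "$CHECK_DST" from "$CLIENT" iif "$LAN_IF" mark "$MARK"
}

apply_policy
verify_policy
```

After applying the rules on the router, two quick checks tell you whether the marking and the rule selection are each doing their job: `iptables -t mangle -L PREROUTING -vn` should show a non-zero packet count on the MARK rule after the client makes an HTTPS request, and `ip route get 8.8.8.8 from 192.168.0.46 iif br0 mark 0x80` should print a route via eth0. If the counter stays at zero, the packets are not reaching that rule (for example because the firmware regenerated the mangle table, which the `nvram get wan_ifnames` usage in the next post suggests is possible on this kind of router); if the counter rises but `ip route get` still picks tun11, the problem is in the RPDB rule rather than in the marking.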
 
01-16-2016, 04:03 AM   #2
canufrank (Original Poster)
PS: this is also being done beforehand
Code:
	for s in all tun11 $(nvram get wan_ifnames); do
		echo 0 >/proc/sys/net/ipv4/conf/$s/rp_filter
	done
 
01-17-2016, 08:41 PM   #3
canufrank (Original Poster)
Is this the wrong forum for my question?
 