[Firewall] Regarding marking of packets and routing tables

Alex Aune alex.aune at gmail.com
Thu May 9 11:59:04 CEST 2013

Hi there,

I'm not all that familiar with iptables, so I have to say Arno's firewall
script has been a big help so far. Lately, though, I've had to get my hands a
bit dirty, but I'm still rather new at this.
What I'm working on is a rather hackish script to dynamically redirect
traffic to specific hosts over a VPN interface based on whether or not the
connection is up, but I'm having some trouble with it. So far, on the
machine running the firewall and the VPN tunnel, packets generated locally
are correctly marked and routed over the tun0 interface. However, traffic
from LAN hosts is not.

For clarity's sake, this is the relevant portion of the script:
# Policy routing: packets carrying the fwmark use table "vpn" (the table
# name has to be defined in /etc/iproute2/rt_tables)
ip route add default via "${VPN_GW}" dev "${VPN_IF}" table vpn
ip route add "${LAN}" via "${LAN_GW}" dev "${LAN_IF}" table vpn
ip rule add fwmark "${MARK}" table vpn
ip route flush cache

# This probably isn't necessary when VPN_IF is specified in EXT_IF in
iptables -A FORWARD -i "${LAN_IF}" -o "${VPN_IF}" -j ACCEPT
iptables -A FORWARD -i "${VPN_IF}" -o "${LAN_IF}" -j ACCEPT

# The following rule loops a bunch of times to add a few hosts
# (the mangle OUTPUT chain only sees packets generated on this machine)
iptables -t mangle -A OUTPUT -d "${HOST}" -j MARK --set-mark "${MARK}"
# Restore a mark saved on the connection, then save the current mark back
# to the connection (the CONNMARK target needs an explicit operation such
# as --save-mark, otherwise iptables rejects the rule)
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark --mark "${MARK}" -j CONNMARK --save-mark
iptables -t nat -A POSTROUTING -o "${VPN_IF}" -j MASQUERADE

When the VPN connection goes up, traffic from the LAN to the $HOSTs is still
routed out on the internet interface. I've tried adding the $HOST rules to
the filter table instead and adjusting the CONNMARK rules, to no avail.
What am I doing wrong? Any pointers?
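Added example, not part of the original post and not code from Arno's firewall script: a fwmark/CONNMARK policy-routing script that installs the per-host MARK rules in both mangle chains. Only locally generated packets traverse mangle OUTPUT; packets forwarded from LAN hosts enter through mangle PREROUTING, and the routing decision that consults the fwmark rule is taken right after PREROUTING, so a mark that is meant to steer forwarded traffic has to be set there. The interface names, the VPN gateway address, the table name and the host address in the test are assumptions; the script prints the commands it would run unless DRY_RUN=0 is set, in which case it executes them and needs root.

```shell
#!/bin/sh
# Added example (not from the original post or from Arno's firewall script).
# Marks traffic to selected hosts so it is routed via the VPN table, for
# both locally generated packets (mangle OUTPUT) and packets forwarded from
# the LAN (mangle PREROUTING, which forwarded packets traverse before the
# routing decision).  Interface names, addresses and the table name below
# are assumptions; override them in the environment.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (root).

VPN_IF="${VPN_IF:-tun0}"
VPN_GW="${VPN_GW:-10.8.0.1}"          # assumed VPN-side gateway
LAN_IF="${LAN_IF:-eth1}"
MARK="${MARK:-1}"
TABLE="${TABLE:-vpn}"                 # must be listed in /etc/iproute2/rt_tables
DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Routing side: a single fwmark rule points marked packets at the VPN table.
setup_routes() {
    run ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"
    # Drop a stale copy first so re-running the script does not stack rules.
    run ip rule del fwmark "$MARK" table "$TABLE" 2>/dev/null || true
    run ip rule add fwmark "$MARK" table "$TABLE"
    # Replies arrive on the VPN interface, but the main table routes the peer
    # via the internet interface, so strict reverse-path filtering (1) would
    # drop them.  Loose mode (2) on the VPN interface avoids that.
    run sysctl -q -w "net.ipv4.conf.${VPN_IF}.rp_filter=2"
}

# Mark the first packet of each new connection to one host, in both chains.
# Later packets get the mark back from the conntrack entry (--restore-mark),
# so a connection stays on one path even if the host list changes.
mark_host() {
    for chain in PREROUTING OUTPUT; do
        run iptables -t mangle -A "$chain" -d "$1" \
            -m conntrack --ctstate NEW -j MARK --set-mark "$MARK"
    done
}

# Marking side: restore, then the per-host rules, then save, in both mangle
# chains.  Arguments are the hosts whose traffic should use the VPN.
setup_marking() {
    for chain in PREROUTING OUTPUT; do
        run iptables -t mangle -A "$chain" -j CONNMARK --restore-mark
    done
    for host in "$@"; do
        mark_host "$host"
    done
    for chain in PREROUTING OUTPUT; do
        run iptables -t mangle -A "$chain" -m mark ! --mark 0 -j CONNMARK --save-mark
    done
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

main() {
    setup_routes
    setup_marking "$@"
}

if [ $# -gt 0 ]; then
    main "$@"
else
    echo "usage: $0 HOST [HOST...]   (set DRY_RUN=0 to apply the rules)" >&2
fi
```

Run it once without DRY_RUN to review the generated rules, then as root with DRY_RUN=0 and the host addresses as arguments. The rp_filter line covers the other common reason mark-based routing seems to work only for local traffic: with strict reverse-path filtering, reply packets coming back in on tun0 are discarded because the main table has no route to the peer through tun0.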
