[Firewall] Regarding marking of packets and routing tables

Lonnie Abelbeck lists at lonnie.abelbeck.com
Thu May 9 14:15:27 CEST 2013

Hi Alex,

What kind of VPN is this? Possibly an OpenVPN client on your box connecting to an OpenVPN server?


On May 9, 2013, at 4:59 AM, Alex Aune wrote:

> Hi there,
> I'm not all that familiar with iptables, so I have to say arno's firewall script has been a big help so far. Lately though I've had to get my hands a bit dirty but I'm still rather new at this.
> What I'm working on is a rather hackish script to dynamically redirect traffic to specific hosts over a VPN interface based on whether or not the connection is up but I'm having some trouble with it. So far, on the machine running the firewall and the vpn tunnel, packets generated locally are correctly marked and routed over the tun0 interface. However, traffic from LAN hosts is not.
> For clarity's sake, this is the relevant portion the script:
> ip route add default via "${VPN_GW}" dev "${VPN_IF}" table vpn
> ip route add "${LAN}" via "${LAN_GW}" dev "${LAN_IF}" table vpn
> ip rule add fwmark "${MARK}" table vpn
> ip route flush cache
> # This probably isn't necessary when VPN_IF is specified in EXT_IF in firewall.conf
> iptables -A FORWARD -i "${LAN_IF}" -o "${VPN_IF}" -j ACCEPT
> iptables -A FORWARD -i "${VPN_IF}" -o "${LAN_IF}" -j ACCEPT
> # The following rule loops a bunch of times to add a few hosts
> iptables -t mangle -A OUTPUT -d "${HOST}" -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> iptables -t mangle -A PREROUTING -m mark --mark "${MARK}" -j CONNMARK --save-mark
> iptables -t nat -A POSTROUTING -o "${VPN_IF}" -j MASQUERADE
> When the VPN connection goes up, traffic from the LAN to $HOSTs is still routed out on the internet interface. I've tried adding the $HOST rules to the filter table instead and adjusting the CONNMARK rules, to no avail.
> What am I doing wrong? Any pointers?
> Regards,
> Alex
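The script below is an added example for the fwmark/CONNMARK policy-routing setup discussed above; it is not code from either post or from Arno's firewall script, and the interface names, addresses, table id and host list are assumed placeholders. It marks traffic in both mangle OUTPUT (packets this box generates) and mangle PREROUTING (packets forwarded from the LAN, which never traverse OUTPUT), and prints the commands by default so the rule set can be reviewed before it is executed as root.

```shell
#!/bin/sh
# Added example, not code from the thread: policy routing with fwmark and
# CONNMARK so that both locally generated packets and packets forwarded
# from the LAN reach the selected hosts via the VPN interface.
# Locally generated packets traverse mangle OUTPUT only; packets forwarded
# from the LAN traverse mangle PREROUTING only, so the MARK rule is needed
# in both chains. All variable values below are assumed placeholders.
VPN_IF=${VPN_IF:-tun0}
VPN_GW=${VPN_GW:-10.8.0.1}
LAN_IF=${LAN_IF:-eth1}
LAN=${LAN:-192.168.1.0/24}
MARK=${MARK:-1}
TABLE=${TABLE:-100}   # numeric id: needs no /etc/iproute2/rt_tables entry
VPN_HOSTS=${VPN_HOSTS:-"203.0.113.10 203.0.113.20"}   # constructed sample hosts
DRY_RUN=${DRY_RUN:-1} # 1 = print the commands, 0 = execute them (needs root)

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

vpn_policy_rules() {
    # Table $TABLE: default via the tunnel, LAN still reached directly.
    run ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"
    run ip route replace "$LAN" dev "$LAN_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route flush cache
    # 1. Restore a saved connection mark before anything else, in both
    #    entry chains, so later packets of a flow follow the same path.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    # 2. Mark new traffic to each selected host: OUTPUT for this box's own
    #    packets, PREROUTING (from the LAN side) for forwarded packets.
    for host in $VPN_HOSTS; do
        run iptables -t mangle -A OUTPUT -d "$host" -j MARK --set-mark "$MARK"
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -d "$host" -j MARK --set-mark "$MARK"
    done
    # 3. Persist the mark in the conntrack entry (covers the reply direction).
    run iptables -t mangle -A PREROUTING -m mark --mark "$MARK" -j CONNMARK --save-mark
    run iptables -t mangle -A OUTPUT -m mark --mark "$MARK" -j CONNMARK --save-mark
    # Forwarding: LAN -> VPN freely, VPN -> LAN only for replies; NAT to tunnel.
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

# Check what the kernel would do with a marked packet to each host; the
# answer should name $VPN_IF and table $TABLE, not the internet interface.
vpn_policy_verify() {
    for host in $VPN_HOSTS; do run ip route get "$host" mark "$MARK"; done
}

vpn_policy_rules
```

Run with DRY_RUN=0 as root to apply the rules, then call vpn_policy_verify to confirm the marked lookup picks the tunnel.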
