From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Remus"
Date: Wed, 06 Apr 2005 11:54:53 +0000
Subject: Re: [Openvpn-users] Re: [LARTC] UDP port 1194 marking/routing problem
Message-Id: <0be701c53a9f$723675f0$6e69690a@RIMAS>
To: lartc@vger.kernel.org

Hi Wang,

We specially got two Internet connections, one is only for the OpenVPN (it is
heavily used) and the second for everything else.

I will give a try to the PREROUTING stuff right away.

What do you mean:

  But I don't think you need to use MARK to do policy routing. It's a little
  overkill.

Do you have another suggestion than iptables/MARK?

Regards
Remus

----- Original Message -----
From: "Wang Jian"
To:
Cc: "Remus"
Sent: Wednesday, April 06, 2005 12:23 PM
Subject: [Openvpn-users] Re: [LARTC] UDP port 1194 marking/routing problem

> Hi Remus,
>
> It seems that
>
> iptables -t mangle -A POSTROUTING -o eth0 -p udp --dport 1194 -j MARK \
>     --set-mark 0x990
>
> will not take effect. (didn't you typo -A as -D?)
>
> POSTROUTING is looked up after the routing decision is made. Because the
> default route is dev eth1, the output device is eth1, so -o eth0 will not
> match.
>
> You should use
>
> iptables -t mangle -A PREROUTING -p udp --destination <peer> --dport 1194 -j MARK ....
>
> But I don't think you need to use MARK to do policy routing. It's a
> little overkill.
>
> Why not simply route all traffic to your openvpn peer via device eth0?
>
>
> On Wed, 6 Apr 2005 11:51:16 +0100, "Remus" wrote:
>
>> Hi folks,
>>
>> I have OpenVPN (respect for its developers) running on my FW.
>> It has two external NICs and on internal everything is fine, except
>> I want OpenVPN (UDP port 1194) going not via the default route/network
>> interface.
>>
>> I use such commands:
>>
>> iptables -t mangle -D POSTROUTING -o eth0 -p udp --dport 1194 -j \
>>     MARK --set-mark 0x990
>> ip rule add fwmark 0x990 table openvpn1
>> ip route add default via $P2 dev eth0 table openvpn1
>>
>> eth0 is the FW's non-default external NIC.
>>
>> I have in use very similar iptables rules for my email server (TCP ports)
>> etc.
>> Everything works fine.
>> What I'm doing wrong with marking/routing the UDP port?
>>
>> Regards
>>
>> Remus
>
> --
> lark
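Added example, not code from the thread or from the OpenVPN project: the two approaches discussed above, side by side, for a firewall whose own OpenVPN process must talk to its peer over eth0 while eth1 stays the default. PEER and P2 are constructed placeholder addresses; the mark, table and interface names are the ones Remus uses.

```shell
#!/bin/sh
# Added example, not from the thread: send only the firewall's own OpenVPN
# traffic (UDP 1194 to the peer) out eth0; everything else keeps the
# default route on eth1. PEER and P2 are constructed placeholders
# (TEST-NET addresses); MARK/TABLE/DEV reuse the values from Remus's mail.
PEER="${PEER:-203.0.113.10}"   # placeholder: the OpenVPN peer
P2="${P2:-198.51.100.1}"       # placeholder: gateway reachable via eth0
DEV="${DEV:-eth0}"
MARK="${MARK:-0x990}"
TABLE="${TABLE:-openvpn1}"

# Option A: fwmark + policy rule. OpenVPN runs on the firewall, so its
# packets are locally generated: they pass mangle OUTPUT (not PREROUTING,
# which only sees packets arriving on an interface) before the routing
# decision; POSTROUTING runs after it, so "-o eth0" there can never match
# a packet the main table already sent to eth1. Note -A (append), not -D.
mark_cmds() {
    echo "iptables -t mangle -A OUTPUT -p udp -d $PEER --dport 1194 -j MARK --set-mark $MARK"
    echo "ip rule add fwmark $MARK table $TABLE"
    echo "ip route add default via $P2 dev $DEV table $TABLE"
    echo "ip route flush cache"
}
# Caveat for option A: the source address is chosen by the first lookup
# (main table, eth1) before the mark re-routes the packet, so the peer sees
# eth1's address unless OpenVPN is started with --local <eth0 address>.

# Option B (Wang Jian's suggestion): a plain host route to the peer.
# No mark, no extra table, and the source address is picked from eth0.
route_cmds() {
    echo "ip route add $PEER/32 via $P2 dev $DEV"
}

# Print the generated commands (DRY_RUN=1) or feed them to a shell.
apply_cmds() {
    if [ -n "${DRY_RUN:-}" ]; then cat; else sh -ex; fi
}

case "${1:-}" in
    mark)  mark_cmds  | apply_cmds ;;
    route) route_cmds | apply_cmds ;;
    *)     echo "usage: [DRY_RUN=1] sh $0 mark|route" ;;
esac
```

Run it with DRY_RUN=1 first and compare the printed rules against `ip rule show` and `ip route show table openvpn1` before applying them.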