From: Wang Jian
Date: Wed, 06 Apr 2005 11:23:59 +0000
Subject: Re: [LARTC] UDP port 1194 marking/routing problem
Message-Id: <20050406191312.027E.LARK@linux.net.cn>
References: <0b6701c53a96$8ef69fc0$6e69690a@RIMAS>
In-Reply-To: <0b6701c53a96$8ef69fc0$6e69690a@RIMAS>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

Hi Remus,

It seems that

    iptables -t mangle -A POSTROUTING -o eth0 -p udp --dport 1194 -j MARK \
        --set-mark 0x990

will not take effect. (Didn't you typo -A as -D?)

POSTROUTING is looked up after the routing decision is made. Because the
default route is dev eth1, the output device is eth1, so -o eth0 will not
match.

You should use

    iptables -t mangle -A PREROUTING -p udp --destination --dport 1194 -j MARK ....

But I don't think you need to use MARK to do policy routing. It's a little
overkill. Why not simply route all traffic to your openvpn peer via device
eth0?

On Wed, 6 Apr 2005 11:51:16 +0100, "Remus" wrote:

> Hi folks,
>
> I have OpenVPN (respect for its developers) running on my FW.
> It has two external NICs and one internal; everything is fine, except
> I want OpenVPN (UDP port 1194) not going via the default route/network interface.
>
> I use such commands:
>
>     iptables -t mangle -D POSTROUTING -o eth0 -p udp --dport 1194 -j MARK --set-mark 0x990
>     ip rule add fwmark 0x990 table openvpn1
>     ip route add default via $P2 dev eth0 table openvpn1
>
> eth0 is the FW's non-default external NIC.
>
> I have very similar iptables rules in use for my email server (TCP ports) etc.
> Everything works fine.
> What am I doing wrong with marking/routing the UDP port?
>
> Regards
>
> Remus

--
lark

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
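The following is an added example, not part of the thread above and not code from either poster. It shows the fwmark-based policy route discussed in the thread, choosing the mangle chain by where the packet originates: OpenVPN running on the firewall itself generates its packets locally, so they traverse mangle OUTPUT (the kernel re-evaluates the route after OUTPUT when the mark changes), while packets forwarded from another host traverse PREROUTING; POSTROUTING comes after the final routing decision, which is the point made in the reply. The interface name eth0, the mark 0x990, the table name openvpn1 and port 1194 come from the thread; the gateway 192.0.2.1 is a constructed placeholder for the original post's $P2, and the table is assumed to be registered in /etc/iproute2/rt_tables. With DRY_RUN=1 the script only prints the commands, so it can be read and exercised without root.

```shell
#!/bin/sh
# Added example (not from the thread): policy-route UDP/1194 out of the
# secondary external NIC using a firewall mark.
# Placeholders: GW is a constructed stand-in for the original post's $P2.
MARK=0x990
TABLE=openvpn1
OIF=eth0
GW=192.0.2.1
PORT=1194

# Print commands instead of executing them when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Pick the mangle chain that runs before the routing decision that matters:
#   local     -> OUTPUT     (packets generated on this host, e.g. OpenVPN on the FW;
#                            the kernel re-routes after mangle OUTPUT if the mark changed)
#   forwarded -> PREROUTING (packets arriving from another host)
# POSTROUTING is traversed after the route is already chosen, so a MARK set
# there cannot steer the packet into another routing table.
mark_chain_for() {
    case "$1" in
        local)     echo OUTPUT ;;
        forwarded) echo PREROUTING ;;
        *)         echo "unknown packet origin: $1" >&2; return 1 ;;
    esac
}

# Install the mark rule, the fwmark policy rule and the per-table default route.
setup_policy_route() {
    origin="$1"
    chain="$(mark_chain_for "$origin")" || return 1
    run iptables -t mangle -A "$chain" -p udp --dport "$PORT" -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$GW" dev "$OIF" table "$TABLE"
}

# Verification: ask the kernel which route a packet carrying the mark would
# take to the peer address. The answer must name $OIF, not the default NIC.
check_route() {
    run ip route get "$1" mark "$MARK"
}

# Usage: sh policy-route.sh apply <peer-ip>   (as root)
#        sh policy-route.sh show              (print the commands only)
case "${1:-}" in
    apply) setup_policy_route local && check_route "${2:?peer IP required}" ;;
    show)  DRY_RUN=1; setup_policy_route local ;;
esac
```

Run `sh policy-route.sh show` to review the exact commands before applying them; after `apply`, `ip rule show` should list the fwmark rule ahead of the main table, and the `ip route get ... mark 0x990` output should show dev eth0.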