From: Shaun Savage <savages@savages.com>
To: netfilter@vger.kernel.org, linux-net@vger.kernel.org,
netdev@vger.kernel.org
Subject: Re: iptables and policy based routing together
Date: Mon, 23 Nov 2015 10:51:05 -0800 [thread overview]
Message-ID: <56536019.5080701@savages.com> (raw)
In-Reply-To: <56535BE4.9020504@savages.com>
> My problem is I have Virtual Private Servers, VPS in different
> locations around the world. I have created a mesh by using openvpn.
> Each VPS phones home and sets up a TCP connection to my RT-AC68U
> running Tomato Shibby 128. I want to route, without thinking, to the
> different VPS depending upon the country. Then that VPS is now my
> exit node. I also run Tor on each VPS.
>
> The VPNs are set up and working. I have added a filter on INPUT that
> only allows sessions to initiate from home.
>
> # iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
>
> This prevents someone who accesses the VPS from getting into my home network.
>
> Next I have set up marking packets according to country
> CN = 86
> IN = 91
> RU = 7
> so on
>
> # iptables -t mangle -m geoip --dst-cc CN,HK -j MARK --set-mark 86
> # iptables -t mangle -m geoip --dst-cc IN -j MARK --set-mark 91
> .....
>
> * BTW how do I debug what fwmark is set?
>
> Now I start adding rules
>
> # ip rule add fwmark 86 table CN
> # ip rule add fwmark 91 table IN
> ......
>
> Now type
>
> # ip rule show
> 0: from all lookup local
> .....
> 32763:
> 32764: from all fwmark 0x5B lookup IN
> 32765: from all fwmark 0x56 lookup CN
> 32766: from all lookup main
> 32767: from all lookup default
>
> Now I get lost; to me this states: only if fwmark == 0x56 use table CN,
> else do not use table CN.
>
> I have played with adding routing to the tables
> # ip route add <gw> dev <tunxx> table CN
> # ????
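The setup sketched in the post (mark by destination country, one `ip rule` per mark, one routing table per country) is easy to get subtly wrong, so here is an added example, not the poster's code, that generates the full command set from a single mapping and checks it against `ip rule show` output. It assumes constructed tunnel device names (`tun_cn`, `tun_in`, `tun_ru`) and that the table names already exist in `/etc/iproute2/rt_tables`; `-m geoip` comes from xtables-addons, not stock iptables. Two points it makes explicit: `ip rule show` prints marks in hex, so decimal 86 appears as `0x56` and 91 as `0x5B`, and a per-country table needs its own default route via the tunnel or the lookup simply falls through to `main`. For the "how do I debug what fwmark is set" question, a `LOG` rule in mangle `POSTROUTING` is a low-risk way to see marks, since the kernel log line carries `MARK=0x..` for any packet with a non-zero mark. Note also that the `ESTABLISHED,RELATED` accept on the VPS only restricts inbound sessions if the INPUT chain's default policy is DROP (assumed here).

```shell
#!/bin/sh
# Added example (not from the original post): build the mark/rule/route
# commands for a country -> mark -> table mapping and print them for review
# before they are applied as root.
# Assumptions (constructed, not from the post): tunnel devices tun_cn,
# tun_in, tun_ru; table names CN, IN, RU present in /etc/iproute2/rt_tables.

# Constructed mapping, one entry per line:
# <--dst-cc argument> <decimal mark> <table name> <tunnel device>
COUNTRY_MAP="CN,HK 86 CN tun_cn
IN 91 IN tun_in
RU 7 RU tun_ru"

# ip rule show prints fwmark in hex; convert a decimal mark to that form so
# live output can be compared with the mapping (86 -> 0x56, 91 -> 0x5b).
mark_hex() {
    printf '0x%x\n' "$1"
}

# Emit the iptables/ip commands for one mapping entry.
gen_rules() {
    cc=$1; mark=$2; table=$3; dev=$4
    # Mark in the mangle table. PREROUTING covers traffic forwarded from the
    # LAN, OUTPUT covers the router's own traffic; the post omitted the chain.
    echo "iptables -t mangle -A PREROUTING -m geoip --dst-cc $cc -j MARK --set-mark $mark"
    echo "iptables -t mangle -A OUTPUT -m geoip --dst-cc $cc -j MARK --set-mark $mark"
    # Policy rule: packets carrying this mark consult the per-country table.
    echo "ip rule add fwmark $mark table $table"
    # The per-country table must hold a route of its own; an empty table
    # means the lookup falls through to main/default.
    echo "ip route add default dev $dev table $table"
}

# Emit the commands for every mapping entry.
gen_all() {
    echo "$COUNTRY_MAP" | while read -r cc mark table dev; do
        [ -n "$cc" ] || continue
        gen_rules "$cc" "$mark" "$table" "$dev"
    done
}

# Debugging aid: log every packet that leaves with a non-zero mark. The
# kernel log line includes "MARK=0x.." so the applied mark can be read off.
gen_mark_log() {
    echo 'iptables -t mangle -A POSTROUTING -m mark ! --mark 0 -j LOG --log-prefix "fwmark: "'
}

# Check one line of `ip rule show` against the expected decimal mark and
# table. Comparison is case-insensitive because some ip builds print the
# hex digits in upper case.
check_rule_line() {
    line=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    want=$(printf 'fwmark %s lookup %s' "$(mark_hex "$2")" "$3" | tr '[:upper:]' '[:lower:]')
    case "$line" in
        *"$want"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the generated commands for review.
gen_all
gen_mark_log
```

Run the script as-is to review the generated commands; only once the mapping looks right would they be applied on the router. The `check_rule_line` helper can be fed lines from a real `ip rule show` to confirm that each mark/table pair landed as intended.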