* [LARTC] Trouble selecting network interface by port
@ 2006-12-29 23:40 Björn Lindström
From: Björn Lindström @ 2006-12-29 23:40 UTC (permalink / raw)
  To: lartc

I have a connection to the Internet (on eth1), and over this I also
have a PPTP tunnel set up (on ppp0). Temporarily I use the (slower)
PPTP tunnel for everything, but I really just have to use it for some
specific purposes, which are distinguishable by port.

So, I want to direct only some specific ports to ppp0, using eth1 for
the rest.

I have tried following the instructions on
http://lartc.org/howto/lartc.netfilter.html

CONFIG_IP_ADVANCED_ROUTER, CONFIG_IP_MULTIPLE_TABLES and
CONFIG_IP_ROUTE_FWMARK are enabled in the kernel.

I have added the line "201 tunnel.out" to /etc/iproute2/rt_tables .

After the PPTP tunnel comes up, the following is run.

$TUNNEL is the PPTP tunnel (ppp0), and $EXTIF my regular WAN interface (eth1).

    # Open firewall for the tunnel.
    iptables -A FORWARD -i ${TUNNEL} -o eth0 -m state --state \
        ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth0 -o ${TUNNEL} -j ACCEPT
    iptables -t nat -A POSTROUTING -o ${TUNNEL} -j MASQUERADE

    # Mark packets that should be routed through the tunnel
    iptables -A PREROUTING -i ${EXTIF} -t mangle -p tcp --dport 80 \
        -j MARK --set-mark 1

    # Generate route for the tunnel
    ip rule add fwmark 1 table tunnel.out
    ip route add default dev ${TUNNEL} table tunnel.out

I'm testing this with port 80 so that I can check the result by
running a script that returns my IP on a remote server.

After doing all this, the remote server still sees my IP as the IP for
eth1. Can anyone see what I have overlooked here?


Thank you,

Björn Lindström

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* Re: [LARTC] Trouble selecting network interface by port
@ 2007-01-09  2:41 Grant Taylor
From: Grant Taylor @ 2007-01-09  2:41 UTC (permalink / raw)
  To: lartc

On 12/29/06 17:40, Björn Lindström wrote:
>     # Mark packets that should be routed through the tunnel
>     iptables -A PREROUTING -i ${EXTIF} -t mangle -p tcp --dport 80 \
>         -j MARK --set-mark 1

<snip>

> I'm testing this with port 80 so that I can check the result by
> running a script that returns my IP on a remote server.
> 
> After doing all this, the remote server still sees my IP as the IP for
> eth1. Can anyone see what I have overlooked here?

It looks like you are marking packets that are inbound on your external 
interface.  Did you perhaps mean to mark packets inbound on your 
internal interface and thus outbound from your system?



Grant. . . .
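The point of Grant's reply, worked through as an added example (this script is not from the thread and not from the LARTC HOWTO): the original mangle rule matched `-i ${EXTIF}`, i.e. packets arriving from the Internet, so nothing leaving the box was ever marked. Traffic forwarded from the LAN arrives on the LAN interface (assumed here to be eth0, matching the FORWARD rules in the first post), and traffic generated by the router itself never passes PREROUTING at all, so it has to be marked in the mangle OUTPUT chain. The interface names, the mark value, the table name and the DRY_RUN switch are all assumptions of this example; run it as root to apply, or with DRY_RUN=1 to print the commands instead.

```shell
#!/bin/sh
# Added example: route only TCP port 80 through a PPTP tunnel using fwmark
# policy routing, marking in the right places. All names below are assumptions.

TUNNEL="${TUNNEL:-ppp0}"   # PPTP tunnel interface
EXTIF="${EXTIF:-eth1}"     # regular WAN interface
INTIF="${INTIF:-eth0}"     # LAN interface (assumed; matches the -o/-i eth0 FORWARD rules)
MARK=1                     # fwmark value, as in the original post
TABLE="tunnel.out"         # needs a line like "201 tunnel.out" in /etc/iproute2/rt_tables
PORT=80                    # destination port to send through the tunnel

# Execute a command, or just print it when DRY_RUN=1 (lets the rules be reviewed
# without root and without touching a live firewall).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_tunnel_routing() {
    # Firewall: forward LAN <-> tunnel, and masquerade everything leaving via the
    # tunnel. MASQUERADE also fixes the source address of locally generated packets,
    # whose socket picked the WAN address before the mark re-routed them.
    run iptables -A FORWARD -i "$TUNNEL" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$INTIF" -o "$TUNNEL" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$TUNNEL" -j MASQUERADE

    # Forwarded LAN traffic to the port: it arrives on the LAN interface, not on
    # $EXTIF, which is what the original rule matched by mistake.
    run iptables -t mangle -A PREROUTING -i "$INTIF" -p tcp --dport "$PORT" -j MARK --set-mark "$MARK"
    # Traffic generated by this host itself never traverses PREROUTING; mark it
    # in OUTPUT, where the kernel re-runs the routing decision afterwards.
    run iptables -t mangle -A OUTPUT -p tcp --dport "$PORT" -j MARK --set-mark "$MARK"

    # Policy routing: marked packets consult the tunnel table, whose only route
    # is a default via the point-to-point tunnel.
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default dev "$TUNNEL" table "$TABLE"
    run ip route flush cache

    # Replies come back on the tunnel, but their (unmarked) reverse-path lookup in
    # the main table points at $EXTIF, so strict rp_filter would drop them.
    run sysctl -w "net.ipv4.conf.${TUNNEL}.rp_filter=0"
}

# Plain-text listing of the commands the setup would run, for review or testing.
generated_rules() {
    ( DRY_RUN=1; setup_tunnel_routing )
}

if [ "${1:-}" = "apply" ]; then
    setup_tunnel_routing
fi
```

The verification step from the first post still applies: after running this, a request to port 80 on the remote "what is my IP" script should report the tunnel endpoint's address, while a request on any other port should still report the eth1 address. `iptables -t mangle -L -v -n` shows whether the MARK rules' packet counters are actually increasing.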

