You are not logged in.
- Topics: Active | Unanswered
#1 2015-12-20 17:49:15
- msalerno
- Member
- Registered: 2014-08-15
- Posts: 32
iptables change default route based on port
Server: 192.168.10.10
- Only interface (enp1s0)
Internet Router: 192.168.10.1
VPN Router: 192.168.10.2
My server runs as a seedbox and a webserver. The default gateway on the server is through the VPN router. I want to have all http/https traffic route out through the internet router and due to the way DNS is setup all http/https traffic comes in via the internet router. I'm pretty sure it's going to take a combination of both IPTables and iproute2. I've been digging around for solutions but so far nothing has worked, i'm not very good at iptables.
ip route add default via 192.168.10.1 dev enp1s0 table 100
ip rule add fwmark 0x1 table 100
iptables -A OUTPUT -t mangle -o enp1s0 -p tcp --dport 80 -j MARK --set-mark 1
iptables -A OUTPUT -t mangle -o enp1s0 -p tcp --dport 443 -j MARK --set-mark 1Last edited by msalerno (2015-12-20 18:12:55)
Offline
#2 2015-12-20 18:49:27
- aiBo
- Member
- Registered: 2010-11-10
- Posts: 50
Re: iptables change default route based on port
You might use tcpdump to check if the packets are already routed correctly. They should have set the destination MAC address of the internet router.
# tcpdump -i enp1s0 -ne 'port (80 or 443)'Alternatively, you can also use tcpdump on the internet router and check if any relevant packets are coming in from the server.
If the packets of new connections are routed properly, the issue might be with the replies not being accepted or tagged again.
Please post the entire iptables ruleset for all tables that you added roules to.
Offline
#3 2015-12-21 15:46:17
- msalerno
- Member
- Registered: 2014-08-15
- Posts: 32
Re: iptables change default route based on port
Those are all I have for my iptables rules. I can confirm with tcpdump and the access.log that the packets are reaching the server. The problem is that the incoming packets come in via the internet router directly to the server, but outbound from the server they get routed via the VPN.
Offline
#4 2015-12-21 16:30:15
- msalerno
- Member
- Registered: 2014-08-15
- Posts: 32
Re: iptables change default route based on port
Is there a way to get a count of all marked packets?
Last edited by msalerno (2015-12-21 16:44:55)
Offline
#5 2015-12-21 18:01:19
- aiBo
- Member
- Registered: 2010-11-10
- Posts: 50
Re: iptables change default route based on port
If you install conntrack-tools from the extra repo, you can view the mark of connections.
If your server also serves http/https, you need additional two rules like the one you already have, with "--sport" instead of "--dport", so outgoing replies are marked correctly as well.
Offline
#6 2015-12-21 18:19:44
- msalerno
- Member
- Registered: 2014-08-15
- Posts: 32
Re: iptables change default route based on port
All inbound packets on port 80 & 443 are forwarded directly from the router to the server so i'm not worried about inbound. I'll check out the conntrack tools.
Thanks
Offline