#1 2019-12-02 07:03:11

hoWlExat
Member
Registered: 2019-11-15
Posts: 31

Policy-based routing based on port

I have a working SSH server set up. I would like to be able to have my VPN enabled on that server, but when it's enabled, it modifies the `iptables` rules (and maybe more) to route all outgoing traffic via the VPN. So instead of the SSH outbound packets going back via the route they came, they get sent via the VPN. This makes it impossible to SSH into that server when the VPN is enabled, as any clients won't receive their return packets via the expected channels.

I am very new to all of this networking stuff, but I've been told that setting up policy-based routing for traffic on my SSH port might be able to solve this problem. I've found this seemingly useful example, but it's not specifically for port-based policies, and there's enough that I don't yet understand in that article that I'm not able to act on it. Most other articles I've found seem to be written for networking professionals.

Is anyone able to give me a rundown on the different steps I'll have to take and components I'll be dealing with when setting up policy-based routing for SSH traffic?

Thank you so much!

Last edited by hoWlExat (2019-12-02 07:23:38)


#2 2023-11-14 04:03:40

luthis
Member
Registered: 2016-02-12
Posts: 6

Re: Policy-based routing based on port

I had the same issue.

I spent literally hours learning nftables and ulogd, only to do this super easily another way.

  sudo ip route add default via 192.168.19.1 table 10
  sudo ip rule add sport 65500 table 10
  sudo ip route flush cache
  ip rule show

Resources I used:

http://linux-ip.net/html/tools-ip-rule.html

Now I've got to add this so that it survives a reboot.


#3 2023-11-14 09:25:51

luthis
Member
Registered: 2016-02-12
Posts: 6

Re: Policy-based routing based on port

OK, so to be concise for you users of the future:

# add a default route to some table, arbitrarily table 10, but you can use whatever number (RTFM)
  sudo ip route add default via 192.168.19.1 table 10
# add a rule for the return traffic from your ssh host (I changed my ssh port to this port, so my remote client is expecting traffic back on this port; you probably want to set port 22)
  sudo ip rule add sport 65500 table 10
# self-explanatory
  sudo ip route flush cache
# check out your fancy new rule
  ip rule show

And to make this persistent across reboots, add the following to the bottom of:

/etc/systemd/network/20-wired.network

(or whatever your file there is)

[Route]
Gateway=192.168.19.1
Table=10

[RoutingPolicyRule]
SourcePort=65500
Table=10

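The procedure in post #3, generalised as an added example (this is not luthis's script and not taken from the thread): a small POSIX sh tool that validates the gateway, port and table, prints or applies the same commands for any values, prints the systemd-networkd fragment for persistence, and checks `ip -4 rule show` output to confirm the rule actually takes effect. Everything beyond the four commands in the post is an assumption made here: IPv4 only; a kernel and iproute2 of 4.17 or newer, which is when the `sport` selector appeared; and an explicit rule priority (100, chosen arbitrarily), because a rule added without a priority is numbered just below the lowest existing user rule, so a VPN that comes up after you and also omits the priority (WireGuard's `not fwmark ... lookup ...` rule, for instance) would sort ahead of yours and win.

```shell
#!/bin/sh
# Added example for this thread, not luthis's script: the four steps from post #3
# generalised to any gateway, SSH port and table, with input checks, a check of
# "ip -4 rule show" output, and the systemd-networkd fragment for persistence.
# Assumptions not taken from the post: IPv4 only; kernel and iproute2 4.17 or newer
# (needed for the "sport" selector); the rule gets an explicit priority so it is
# evaluated before rules a VPN adds later without one (e.g. WireGuard's fwmark rule).

PBR_TABLE=10   # arbitrary user table; 253-255 are reserved (default/main/local)
PBR_PRIO=100   # assumed priority; rules added without one get "lowest user rule - 1"

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

pbr_valid_table() { is_uint "$1" && [ "$1" -ge 1 ] && [ "$1" -le 252 ]; }
pbr_valid_port()  { is_uint "$1" && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }
pbr_valid_ipv4() {
    # dotted quad, every octet 0..255
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s\n' "$1" | tr . ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Print the one-shot commands: post #3's steps with an explicit priority, an
# idempotent "replace" for the route, and a tolerant delete before the rule add
# so that re-running the script does not fail with "File exists".
pbr_commands() {
    gw=$1 port=$2 table=${3:-$PBR_TABLE} prio=${4:-$PBR_PRIO}
    pbr_valid_ipv4 "$gw" && pbr_valid_port "$port" && pbr_valid_table "$table" \
        && is_uint "$prio" || return 1
    printf 'ip -4 route replace default via %s table %s\n' "$gw" "$table"
    printf 'ip -4 rule del sport %s table %s priority %s 2>/dev/null || true\n' "$port" "$table" "$prio"
    printf 'ip -4 rule add sport %s table %s priority %s\n' "$port" "$table" "$prio"
    printf 'ip -4 route flush cache\n'   # harmless no-op on kernels without a route cache
}

# Print the systemd-networkd fragment to append to the interface's .network file
# (post #3's [Route]/[RoutingPolicyRule] blocks, plus Priority= to pin the order).
pbr_networkd() {
    gw=$1 port=$2 table=${3:-$PBR_TABLE} prio=${4:-$PBR_PRIO}
    pbr_valid_ipv4 "$gw" && pbr_valid_port "$port" && pbr_valid_table "$table" \
        && is_uint "$prio" || return 1
    printf '[Route]\nGateway=%s\nTable=%s\n\n' "$gw" "$table"
    printf '[RoutingPolicyRule]\nSourcePort=%s\nTable=%s\nPriority=%s\n' "$port" "$table" "$prio"
}

# Read "ip -4 rule show" output on stdin and verify the result: the sport rule must
# be present and must sort before every fwmark rule (VPN rules are usually
# fwmark-based); otherwise SSH replies are still steered into the tunnel.
pbr_rule_ok() {
    port=$1 table=${2:-$PBR_TABLE} ours='' first_vpn=''
    while IFS= read -r line; do
        pri=${line%%:*}
        case "$line" in
            *"sport $port lookup $table"|*"sport $port lookup $table "*) ours=$pri ;;
            *fwmark*) if [ -z "$first_vpn" ]; then first_vpn=$pri; fi ;;
        esac
    done
    [ -n "$ours" ] || return 1
    [ -z "$first_vpn" ] || [ "$ours" -lt "$first_vpn" ]
}

# Usage: pbr-ssh.sh show|apply|networkd GATEWAY PORT [TABLE [PRIO]]
#        ip -4 rule show | pbr-ssh.sh check PORT [TABLE]
usage() { echo "usage: $0 show|apply|networkd GATEWAY PORT [TABLE [PRIO]] | check PORT [TABLE]" >&2; exit 2; }
case "${1:-}" in
    show)     shift; pbr_commands "$@" || usage ;;
    apply)    shift; cmds=$(pbr_commands "$@") || usage; printf '%s\n' "$cmds" | sh -e ;;
    networkd) shift; pbr_networkd "$@" || usage ;;
    check)    shift; pbr_rule_ok "$@" && echo "ok: sport rule sorts before any fwmark rule" \
                  || { echo "NOT ok: rule missing or a fwmark rule sorts first"; exit 1; } ;;
esac
```

`sh pbr-ssh.sh show 192.168.19.1 22` prints the commands for the post's gateway with port 22; `apply` runs them (as root) and `networkd` prints the fragment to append to your `.network` file; after a reboot, or after bringing the VPN up, `ip -4 rule show | sh pbr-ssh.sh check 22` confirms the rule is still first. One caveat the post does not cover: table 10 contains only a default route, so a client on the same subnet is also answered via the gateway; if that matters, add the connected route to the table as well (`ip -4 route add 192.168.19.0/24 dev <iface> table 10`, with your real prefix and interface).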

Powered by FluxBB