Hi Remus,

It seems that

  iptables -t mangle -A POSTROUTING -o eth0 -p udp --dport 1194 -j MARK \
      --set-mark 0x990

will not take effect. (Didn't you typo -A as -D?)

POSTROUTING is looked up after the routing decision is made. Because the default route is dev eth1, the output device is eth1, so -o eth0 will not match.

You should use

  iptables -t mangle -A PREROUTING -p udp --destination <your openvpn peer> \
      --dport 1194 -j MARK ....

But I don't think you need to use MARK to do policy routing. It's a little overkill. Why not simply route all traffic to your openvpn peer via device eth0?

On Wed, 6 Apr 2005 11:51:16 +0100, "Remus" <rmocius@xxxxxxxxxxxxxx> wrote:
>
> Hi folks,
>
> I have OpenVPN (respect for its developers) running on my FW.
> It has two external NICs and one internal; everything is fine, except
> I want OpenVPN (UDP port 1194) going not via the default route/network interface.
>
> I use such commands:
>
> iptables -t mangle -D POSTROUTING -o eth0 -p udp --dport 1194 -j MARK --set-mark 0x990
> ip rule add fwmark 0x990 table openvpn1
> ip route add default via $P2 dev eth0 table openvpn1
>
> eth0 is the FW's non-default external NIC.
>
> I have very similar iptables rules in use for my email server (TCP ports) etc.
> Everything works fine.
> What am I doing wrong with marking/routing the UDP port?
>
> Regards
>
> Remus
>

--
lark
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
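The two approaches discussed in the thread (a plain host route to the peer, and fwmark-based policy routing with the mark set in a chain that still precedes the routing decision) as an added example script, not code from either poster; PEER and GW are constructed placeholder addresses (GW stands in for the post's $P2), and it generalizes slightly by choosing the mangle chain by packet origin.

```shell
#!/bin/sh
# Added example, not code from the list post. Two ways to send the firewall's
# own OpenVPN traffic (UDP 1194 to one peer) out of eth0 instead of the default
# interface. Run as root; set RUN=echo to only print the commands (dry run).
# PEER and GW are constructed placeholders (GW is $P2 from the post).
PEER="${PEER:-203.0.113.10}"
GW="${GW:-198.51.100.1}"
DEV="${DEV:-eth0}"
MARK="${MARK:-0x990}"
TABLE="${TABLE:-openvpn1}"   # must be listed in /etc/iproute2/rt_tables
RUN="${RUN:-}"

# Simplest variant, the one the reply recommends: a host route for the peer.
# Source address selection also follows this route, so packets leave eth0
# with eth0's address.
plain_route() {
    $RUN ip route replace "$PEER/32" via "$GW" dev "$DEV"
}

# The mangle chain where a mark can still influence routing, by packet origin.
# Locally generated packets (the OpenVPN daemon on the firewall) only traverse
# OUTPUT; forwarded packets traverse PREROUTING. POSTROUTING comes after the
# routing decision, which is why the rule in the post never had an effect.
mark_chain() {
    case "$1" in
        local)     echo OUTPUT ;;
        forwarded) echo PREROUTING ;;
        *)         echo "unknown origin: $1" >&2; return 1 ;;
    esac
}

# fwmark variant. Caveat: for local traffic the source address is chosen by
# the first (main table) lookup, before the mark is set, so the packet may
# leave eth0 carrying eth1's address unless the daemon binds to eth0's address.
fwmark_route() {
    chain=$(mark_chain "$1") || return 1
    $RUN iptables -t mangle -A "$chain" -p udp -d "$PEER" --dport 1194 \
        -j MARK --set-mark "$MARK"
    $RUN ip rule add fwmark "$MARK" table "$TABLE"
    $RUN ip route add default via "$GW" dev "$DEV" table "$TABLE"
    $RUN ip route flush cache   # needed on the routing-cache kernels of that era
}

# Check which route the kernel would pick for a marked packet (current iproute2).
check_route() {
    $RUN ip route get "$PEER" mark "$MARK"
}
```

Source it and call `plain_route`, or `fwmark_route local` for the daemon's own traffic, then `check_route` to confirm the chosen interface.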