Re: UDP port 1194 marking/routing problem

Linux Advanced Routing and Traffic Control

Hi Remus,


On Wed, 6 Apr 2005 14:48:03 +0100, "Remus" <rmocius@xxxxxxxxxxxxxx> wrote:

> Wang,
> 
> That solution does not suit me:
> >ip route add default via $DEFAULTGW dev eth1
> >ip route add xxx.xxx.xxx.xxx/32 via $ANOTHERGW dev eth0
> Because only UDP 1194 has to be routed via eth0 to the OpenVPN server IP;
> everything else to the same IP has to go via eth1.

I see. So you need policy routing. Change your netfilter rule from
POSTROUTING to PREROUTING.


> 
> 
> ----- Original Message ----- 
> From: "Wang Jian" <lark@xxxxxxxxxxxx>
> To: "Remus" <rmocius@xxxxxxxxxxxxxx>
> Cc: <lartc@xxxxxxxxxxxxxxx>; <openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
> Sent: Wednesday, April 06, 2005 1:38 PM
> Subject: Re: [Openvpn-users] Re: UDP port 1194 marking/routing problem
> 
> 
> > Hi Remus,
> >
> > I mean: don't use policy routing, because you can use a much simpler
> > solution.
> >
> > Example:
> >
> > ip route add default via $DEFAULTGW dev eth1
> > ip route add xxx.xxx.xxx.xxx/32 via $ANOTHERGW dev eth0
> >
> > The second sends all your traffic to IP xxx.xxx.xxx.xxx via eth0. When
> > your box acts as your intranet's gateway, you can SNAT or MASQUERADE on
> > eth0, like
> >
> > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> >
> >
> > For your openvpn configuration, you can either bind openvpn to eth0's IP,
> > or let the system choose the IP, in most cases the output interface's.
> >
> >
> > On Wed, 6 Apr 2005 12:54:53 +0100, "Remus" <rmocius@xxxxxxxxxxxxxx> wrote:
> >
> >> Hi Wang,
> >>
> >> We specially got two Internet connections: one is only for OpenVPN (it
> >> is heavily used) and the second for everything else.
> >> I will give the PREROUTING stuff a try right away.
> >>
> >> What do you mean by: But I don't think you need to use MARK to do policy
> >> routing. It's a little overkill.
> >>
> >> Do you have another suggestion other than iptables/MARK?
> >>
> >> Regards
> >>
> >> Remus
> >>
> >>
> >> ----- Original Message ----- 
> >> From: "Wang Jian" <lark@xxxxxxxxxxxx>
> >> To: <lartc@xxxxxxxxxxxxxxx>
> >> Cc: "Remus" <rmocius@xxxxxxxxxxxxxx>; <openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
> >> Sent: Wednesday, April 06, 2005 12:23 PM
> >> Subject: [Openvpn-users] Re: UDP port 1194 marking/routing problem
> >>
> >>
> >> > Hi Remus,
> >> >
> >> > It seems that
> >> >
> >> > iptables -t mangle -A POSTROUTING -o eth0 -p udp --dport 1194 -j MARK \
> >> >    --set-mark 0x990
> >> >
> >> > will not take effect. (didn't you typo -A as -D?)
> >> >
> >> > POSTROUTING is looked up after routing decision is made. Because the
> >> > default route is dev eth1, the output device is eth1, -o eth0 will not
> >> > match.
> >> >
> >> > You should use
> >> >
> >> > iptables -t mangle -A PREROUTING -p udp --destination <your openvpn \
> >> >    peer> --dport 1194 -j MARK ....
> >> >
> >> > But I don't think you need to use MARK to do policy routing. It's a
> >> > little overkill.
> >> >
> >> > Why not simply route all traffic to your openvpn peer via device eth0?
> >> >
> >> >
> >> > On Wed, 6 Apr 2005 11:51:16 +0100, "Remus" <rmocius@xxxxxxxxxxxxxx> wrote:
> >> >
> >> >>
> >> >> Hi folks,
> >> >>
> >> >> I have OpenVPN (respect for its developers) running on my FW.
> >> >> It has two external NICs and one internal, and everything is fine, except
> >> >> I want OpenVPN (UDP port 1194) not to go via the default route/network
> >> >> interface.
> >> >>
> >> >> I use such commands:
> >> >>
> >> >> iptables -t mangle -D POSTROUTING -o eth0 -p udp --dport 1194 -j MARK --set-mark 0x990
> >> >> ip rule add fwmark 0x990 table openvpn1
> >> >> ip route add default via $P2 dev eth0 table openvpn1
> >> >>
> >> >> eth0 is FW's not default external NIC.
> >> >>
> >> >> I have very similar iptables rules in use for my email server (TCP
> >> >> ports) etc.
> >> >> Everything works fine.
> >> >> What I'm doing wrong with marking/routing the UDP port?
> >> >>
> >> >> Regards
> >> >>
> >> >> Remus
> >> >>
> >> >
> >> >
> >> >
> >> > -- 
> >> >  lark
> >> >
> >> >
> >> >
> >>
> >>
> >
> >
> >
> > -- 
> >  lark
> >
> >
> >
> 



-- 
  lark
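As an added example that is not part of the thread: the rule set Remus is after, with the caveat that OpenVPN's packets originate on the firewall itself, so the mark has to be set in the mangle OUTPUT chain (PREROUTING only sees packets arriving from other hosts) and a MASQUERADE or an openvpn --local binding is needed because the source address is picked before the re-route. The peer address, gateways, mark and table id are constructed placeholders, not values from the posts.

```bash
#!/bin/sh
# Added example, not from the thread. Policy-routes OpenVPN traffic that the
# firewall itself generates (UDP/1194 to the peer) out eth0 while the rest
# follows the default route on eth1. Assumed placeholders: VPN_PEER, GW_ETH0,
# GW_ETH1, the mark 0x990 and table id 100 (constructed, not from the post).
set -eu

VPN_PEER="${VPN_PEER:-203.0.113.10}"   # OpenVPN peer (TEST-NET-3 placeholder)
GW_ETH0="${GW_ETH0:-198.51.100.1}"     # gateway on the VPN-only uplink
GW_ETH1="${GW_ETH1:-192.0.2.1}"        # gateway on the default uplink
MARK=0x990
TABLE=100   # numeric id; add "100 openvpn1" to /etc/iproute2/rt_tables for a name
DRY_RUN="${DRY_RUN:-0}"

# Print the command instead of running it when DRY_RUN=1 (no root needed).
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_rules() {
    run ip route add default via "$GW_ETH1" dev eth1
    # Alternate table whose only route is the default via eth0.
    run ip route add default via "$GW_ETH0" dev eth0 table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 100
    # Packets generated on this host never pass PREROUTING; they are marked in
    # mangle OUTPUT, after which the kernel reroutes them and the fwmark rule
    # selects the eth0 table. Note -A (append), not -D (delete) as in the post.
    run iptables -t mangle -A OUTPUT -p udp -d "$VPN_PEER" --dport 1194 \
        -j MARK --set-mark "$MARK"
    # The source address was picked by the first routing pass (eth1's IP), so
    # masquerade on eth0 unless openvpn is bound to eth0's IP with --local.
    run iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # Replies arrive on eth0 although the main table would send the peer via
    # eth1; loose reverse-path filtering keeps them from being dropped.
    run sysctl -w net.ipv4.conf.eth0.rp_filter=2
}

# Show which table and device a marked packet to the peer would actually use.
verify() {
    run ip route get "$VPN_PEER" mark "$MARK"
    run ip rule show
    run ip route show table "$TABLE"
}
```

Run with DRY_RUN=1 first to review the exact commands, then as root; `verify` is the check that the fwmark rule really selects eth0.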

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
