Hello,
Ian Batterbee wrote:
> [...]
> So to achieve this, I set up another routing table, added a name for it
> into /etc/iproute2/rt_tables, added an "ip rule from [HostA] lookup
> vpn", and in the script that brings the tunnel up, routes are added for
> my work's netblocks via the ppp link to the vpn route table. This much
> all works.
> In the same script, I enable masquerading on the ppp interface. This
> appears not to work, because if I sniff from a machine on the other side
> of the tunnel (ie, at work), packets emerging from it still have their
> original IP addresses from my local subnet on them.
This is a rather well-known issue. Iptables' MASQUERADE may not work (may it
work?) when combined with source-address-based routing policy. If I
understood correctly, the reason is that the MASQUERADE code uses a kernel
output routing function to determine the apparent source address, but
this function does not use the original source address (why would it, as
its purpose is to find out the source address to use?), so the ip rule
does not trigger and the main routing table is used. A workaround is to
set the apparent source address explicitly with SNAT instead of
MASQUERADE. However, unlike MASQUERADE, SNAT assumes the output
interface is static and won't clean up the conntrack/NAT table when the
PPP interface goes down, but this is not a problem if the interface
always gets the same address.
> To make things more complicated, not only is Host A allowed to route via
> the tunnel, but packets sourced from the linux router itself should also
> be allowed to go that way (or to put it another way, everything but host
> B and Host C should be allowed to use the tunnel).
> The trouble is, while I can allow packets from the linux router by
> adding: "ip rule add prior 50 lookup vpn" (which obviously allows
> everything to use the tunnel), I can't figure out how to specifically
> allow locally generated packets without allowing everything
> unconditionally.
What about using MARK in the mangle OUTPUT chain and fwmark in ip rule?
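The following up/down script is an added example, not code from the thread or from either poster. It puts the two suggestions above together: an explicit SNAT to the tunnel address instead of MASQUERADE, and a MARK in the mangle OUTPUT chain matched by a fwmark rule so that only the router's own packets for the work netblocks use the vpn table. The interface name ppp0, the tunnel address 10.8.0.2, Host A's address 192.168.1.10, the work netblocks, and the table id 200 are all assumptions; DRY_RUN=1 prints each command instead of executing it, so the generated rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example, not code from the original thread. Policy routing for a
# PPP VPN: a dedicated "vpn" table, a source rule for Host A, a fwmark rule
# (set in mangle OUTPUT) for the router's own packets, and an explicit SNAT
# instead of MASQUERADE. Addresses, interface name and table id are assumed.
# DRY_RUN=1 prints every command instead of running it (no root needed).

PPP_IF=${PPP_IF:-ppp0}
PPP_ADDR=${PPP_ADDR:-10.8.0.2}          # assumed fixed address of our tunnel end
HOST_A=${HOST_A:-192.168.1.10}          # assumed LAN host allowed through the tunnel
WORK_NETS=${WORK_NETS:-"10.20.0.0/16 10.30.0.0/16"}   # assumed remote netblocks
TABLE=vpn
TABLE_ID=200                            # assumed free id for rt_tables
MARK=0x1
RT_TABLES=/etc/iproute2/rt_tables

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

ensure_rt_table() {
    # Register the table name once so "lookup vpn" resolves.
    if ! grep -q "[[:space:]]$TABLE\$" "$RT_TABLES" 2>/dev/null; then
        run sh -c "echo '$TABLE_ID $TABLE' >> $RT_TABLES"
    fi
}

vpn_up() {
    ensure_rt_table
    # Routes to work live only in the vpn table; main stays untouched.
    for net in $WORK_NETS; do
        run ip route add "$net" dev "$PPP_IF" table "$TABLE"
    done
    # Host A reaches the vpn table by source address.
    run ip rule add from "$HOST_A" lookup "$TABLE" priority 110
    # Router-generated packets: mark them in mangle OUTPUT and match the mark
    # in ip rule. Only packets for the work netblocks get the mark, so this
    # is not "lookup vpn for everything".
    for net in $WORK_NETS; do
        run iptables -t mangle -A OUTPUT -d "$net" -j MARK --set-mark "$MARK"
    done
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 100
    # Explicit SNAT: MASQUERADE picks its source address from a route lookup
    # that ignores the original source, so the source rule never fires.
    run iptables -t nat -A POSTROUTING -o "$PPP_IF" -j SNAT --to-source "$PPP_ADDR"
    run ip route flush cache
}

vpn_down() {
    run ip rule del fwmark "$MARK" lookup "$TABLE" priority 100
    run ip rule del from "$HOST_A" lookup "$TABLE" priority 110
    for net in $WORK_NETS; do
        run iptables -t mangle -D OUTPUT -d "$net" -j MARK --set-mark "$MARK"
        run ip route del "$net" dev "$PPP_IF" table "$TABLE"
    done
    run iptables -t nat -D POSTROUTING -o "$PPP_IF" -j SNAT --to-source "$PPP_ADDR"
    # Unlike MASQUERADE, SNAT leaves conntrack entries for the old link in
    # place; flush them when conntrack-tools is available.
    if command -v conntrack >/dev/null 2>&1; then
        run conntrack -F
    fi
    run ip route flush cache
}

case "${1:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Run it as `DRY_RUN=1 sh vpn-policy.sh up` first and read the output: the fwmark rule sits at priority 100, ahead of the Host A rule at 110 and far ahead of main at 32766, and the mangle OUTPUT rules carry a destination match, which is what keeps Hosts B and C (and the router's non-work traffic) out of the tunnel. The SNAT address is the fixed tunnel address, which is exactly the case the reply above says is safe.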