A workaround is to
set the apparent source address explicitly with SNAT instead of
MASQUERADE. However, unlike MASQUERADE, SNAT assumes the output
interface is static and won't clean up the conntrack/NAT table when the
PPP interface goes down, but this is not a problem if the interface
always gets the same address.
I suspected that may be the problem, and I'm lucky because the tunnel
does have the same IP every time, so I'll see what I can do with SNAT.
I can't figure out how to specifically
allow locally generated packets without allowing everything
unconditionally.
What about using MARK in the mangle OUTPUT chain and fwmark in ip rule?
I tried that, but the fwmark filter for 'ip rule' doesn't appear to work
(or I'm doing something wrong).
If I do this:
iptables -t mangle -I OUTPUT -j MARK --set-mark 0x0001
ip rule add prio 1100 fwmark 0x0001 lookup vpn
ip route flush cache
...then the router can ping things through the tunnel, which is good,
but ... so can every other machine on the network, which is bad.
If I then display the rules, it shows (other rules omitted):
1100: from all lookup vpn
i.e., the fwmark condition doesn't show in the display output. I thought
that may just be a display problem when dumping the rules, but given the
fact that every host can ping through the tunnel, it looks like it is
ignoring the fwmark bit and adding the rule unconditionally.
I'm running iptables 1.3.5, on kernel 2.6.16.5.
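The MARK/fwmark setup discussed in this thread, together with a check that the installed ip rule actually carries the fwmark condition, as an added example that is not code from any poster. It assumes the mark 0x0001, priority 1100 and table name "vpn" from the posts; the `ip rule show` samples are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Policy-routes only locally generated
# packets through table "vpn" by marking them in mangle OUTPUT, then checks
# that the installed ip rule really carries the fwmark condition.

MARK=0x0001        # mark value used in the thread
TABLE=vpn          # routing table name used in the thread
PRIO=1100          # rule priority used in the thread

# Install the rules. mangle OUTPUT is traversed only by packets generated on
# this host, so forwarded LAN traffic never receives the mark. Needs root.
install_local_vpn_routing() {
    iptables -t mangle -I OUTPUT -j MARK --set-mark "$MARK"
    ip rule add prio "$PRIO" fwmark "$MARK" lookup "$TABLE"
    ip route flush cache
}

# Read `ip rule show` output on stdin and succeed only if the rule at
# priority $1 contains "fwmark $2". Hex marks are compared with leading
# zeros stripped, so 0x0001 and 0x1 match. A rule printed as
# "from all lookup vpn" fails, which is the symptom reported in the thread.
rule_has_fwmark() {
    awk -v prio="$1:" -v want="$2" '
        BEGIN { sub(/^0x0*/, "0x", want) }
        $1 == prio {
            for (i = 1; i < NF; i++)
                if ($i == "fwmark") {
                    v = $(i + 1); sub(/^0x0*/, "0x", v)
                    if (v == want) ok = 1
                }
        }
        END { exit !ok }'
}

# Constructed sample output: one good dump and one showing the bad rule.
RULES_OK='0:      from all lookup local
1100:   from all fwmark 0x1 lookup vpn
32766:  from all lookup main'
RULES_BAD='0:      from all lookup local
1100:   from all lookup vpn
32766:  from all lookup main'

check_rules() {   # $1 = ip rule output; prints a verdict, returns 1 on failure
    if printf '%s\n' "$1" | rule_has_fwmark "$PRIO" "$MARK"; then
        echo "rule $PRIO restricts lookup to fwmark $MARK"
    else
        echo "rule $PRIO has NO fwmark: every packet would use table $TABLE"
        return 1
    fi
}
```

On the router itself, `check_rules "$(ip rule show)"` reports whether the live rule is restricted to the mark or applies to all traffic.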