Hi,

I want every reply packet belonging to every connection made through tun1 to be sent back through tun1 (not being the default gateway, though). (tun1 is P-t-P, so there is no routing necessary.) I tried the following:

# iptables -t mangle -A PREROUTING -i tun1 -p tcp --syn -j CONNMARK --set-mark 71
# iptables -t mangle -A OUTPUT -p tcp -m connmark --mark 71 -j MARK --set-mark 71
# ip rule add from 10.4.0.1 fwmark 71 table 201
# ip route add default dev tun1 via 10.4.0.2 table 201

However, it did not work. I have the feeling that the fwmark does not match. If I remove "fwmark 71" in the "ip rule add" command, then it is working, but it has side effects with the following:

# iptables -t nat -A PREROUTING -p TCP -d publicip -j DNAT --to 10.4.0.1

My observations seem to tell me that ip rule is evaluated BEFORE iptables rules are applied, so the mark is not set yet. But I assume someone else has already used connmark and fwmark in conjunction, so there must be a way to do it. Any hints are welcome.

Regards,
Steffen
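As an added illustration of the CONNMARK/fwmark policy-routing setup discussed in the post (example code, not the poster's own commands): the same idea written as shell functions with a dry-run switch, so the generated rule set can be inspected before anything is applied. It assumes the interface, address, mark and table values from the post, and it goes beyond the TCP-only case by marking every new connection (conntrack state NEW) and restoring the mark on both the forwarded path (mangle PREROUTING) and the locally generated path (mangle OUTPUT).

```shell
#!/bin/sh
# Added example: reply traffic for connections entering via a P-t-P tunnel is
# routed back through the tunnel by marking the connection and restoring that
# mark on every packet before the routing decision.  Assumed values below.
TUN=${TUN:-tun1}
LOCAL=${LOCAL:-10.4.0.1}
PEER=${PEER:-10.4.0.2}
MARK=${MARK:-71}
TABLE=${TABLE:-201}
RUN=${RUN:-sh -c}   # set RUN=echo to print the commands instead of running them

# Run (or, with RUN=echo, print) one command line.
run() { $RUN "$*"; }

# Mark each new connection that arrives via the tunnel, then copy the
# connection mark back onto every packet of that connection before routing:
# mangle PREROUTING covers forwarded replies, mangle OUTPUT local replies.
install_mark_rules() {
    run iptables -t mangle -A PREROUTING -i "$TUN" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -m connmark --mark "$MARK" -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -m connmark --mark "$MARK" -j CONNMARK --restore-mark
}

# Send marked packets through the tunnel regardless of the default gateway.
# The rule selects on the mark only, so it does not depend on the source
# address; loose reverse-path filtering keeps asymmetric tunnel traffic alive.
install_policy_route() {
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add default dev "$TUN" via "$PEER" table "$TABLE"
    run sysctl -w "net.ipv4.conf.$TUN.rp_filter=2"
}

# Dry run in a subshell: print the generated command lines without applying them.
dry_run_list() { ( RUN=echo; install_mark_rules; install_policy_route ); }

# Number of command lines the dry run would apply (6 with the defaults).
dry_run_count() { dry_run_list | grep -c .; }
```

Run `dry_run_list` first to review the rule set; then call the two install functions as root to apply it.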