On Tue, Oct 30, 2012 at 05:25:16PM -0600, Jeff Cook wrote:
> On 10/30/2012 01:16 PM, Pablo Neira Ayuso wrote:
> > On Tue, Oct 30, 2012 at 08:10:34PM +0100, Pablo Neira Ayuso wrote:
> >> On Tue, Oct 30, 2012 at 11:21:01AM -0600, Jeff Cook wrote:
> >>> Hello.
> >>>
> >>> I am trying to route packets generated by a specific user out over a
> >>> VPN. I have this configuration:
> >>>
> >>> $ sudo iptables -S -t nat
> >>> -P PREROUTING ACCEPT
> >>> -P OUTPUT ACCEPT
> >>> -P POSTROUTING ACCEPT
> >>> -A POSTROUTING -o tun0 -j MASQUERADE
> >>>
> >>> $ sudo iptables -S -t mangle
> >>> -P PREROUTING ACCEPT
> >>> -P INPUT ACCEPT
> >>> -P FORWARD ACCEPT
> >>> -P OUTPUT ACCEPT
> >>> -P POSTROUTING ACCEPT
> >>> -A OUTPUT -m owner --uid-owner guy -j MARK --set-xmark 0xb/0xffffffff
> >>>
> >>> $ sudo ip rule show
> >>> 0: from all lookup local
> >>> 32765: from all fwmark 0xb lookup 11
> >>> 32766: from all lookup main
> >>> 32767: from all lookup default
> >>>
> >>> $ sudo ip route show table 11
> >>> 10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
> >>> 10.8.0.6 dev tun0 scope link
> >>> 10.8.0.1 via 10.8.0.5 dev tun0
> >>> 0.0.0.0/1 via 10.8.0.5 dev tun0
> >> ^^^^^^^^^
> >>
> >> 23.1.17.194, this doesn't go through tun0
> >
> > Sorry, I meant: 23.1.17.194, this goes through tun0.
> >
> >> 209.68.27.16, this doesn't go through tun0
> >>
> >> Address & CIDR => 209.68.27.16 & 128.0.0.0 => 128.0.0.0
> >>
> >> Then: 128.0.0.0 != 0.0.0.0, then go to default route, likely to be
> >> eth0.
>
> Thanks very much, I can verify that adding a route for 128.0.0.0/1 to
> table 11 fixes things.
>
> Apologies for asking a naive question, but could you please inform me
> where 128.0.0.0/1 comes from and why it's ANDed against external IP
> addresses? I've tried to find info on Google about 128.0.0.0 and CIDR
> and unfortunately have not been able to find anything thus far that
> enlightens me as to why that route is necessary. I'd really like to
> understand, so if you spend some time explaining it to me I'd appreciate it.

Your mask is wrong. Using CIDR notation, 0.0.0.0/1 matches networks from
0.0.0.0 to 127.255.255.255. I'd suggest adding a default route to that
table to get everything through tun0 instead of adding 128.0.0.0/1.

Regards.
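As an added illustration (not part of the thread, and not how the kernel is written), here is a small Python model of the longest-prefix lookup that table 11 gets: each route's network is compared against `address & netmask`, exactly the AND Pablo showed. It reproduces why 23.1.17.194 hits 0.0.0.0/1 while 209.68.27.16 finds no route in the table and falls through to the next `ip rule` (table main, i.e. eth0), and shows that either Jeff's 128.0.0.0/1 or Pablo's plain default route closes that gap. The table contents are copied from the posted `ip route show table 11`; the next-hop strings are just labels.

```python
import ipaddress

# Table 11 as posted in the thread (destination prefix -> next hop label).
TABLE_11 = {
    "10.8.0.5/32": "dev tun0",
    "10.8.0.6/32": "dev tun0",
    "10.8.0.1/32": "via 10.8.0.5 dev tun0",
    "0.0.0.0/1":   "via 10.8.0.5 dev tun0",   # only covers 0.0.0.0-127.255.255.255
}


def prefix_matches(addr, prefix):
    """A route matches when (addr & netmask) == network, i.e. the AND in the thread."""
    net = ipaddress.ip_network(prefix, strict=False)
    masked = int(ipaddress.ip_address(addr)) & int(net.netmask)
    return masked == int(net.network_address)


def lookup(table, addr):
    """Longest-prefix match over one table.

    Returns (prefix, nexthop) or None. None is the failure mode from the
    thread: no route in table 11, so the packet falls through to table main.
    """
    best = None
    for prefix, nexthop in table.items():
        if prefix_matches(addr, prefix):
            plen = ipaddress.ip_network(prefix, strict=False).prefixlen
            if best is None or plen > best[0]:
                best = (plen, prefix, nexthop)
    return None if best is None else (best[1], best[2])


def with_route(table, prefix, nexthop):
    """Copy of table with one extra route, to model 'ip route add ... table 11'."""
    fixed = dict(table)
    fixed[prefix] = nexthop
    return fixed


if __name__ == "__main__":
    for ip in ("23.1.17.194", "209.68.27.16"):
        print(ip, "->", lookup(TABLE_11, ip))
    # Jeff's fix: cover the upper half of the address space too.
    half = with_route(TABLE_11, "128.0.0.0/1", "via 10.8.0.5 dev tun0")
    # Pablo's suggestion: one default route instead of two halves.
    dflt = with_route(TABLE_11, "0.0.0.0/0", "via 10.8.0.5 dev tun0")
    print("209.68.27.16 with 128.0.0.0/1:", lookup(half, "209.68.27.16"))
    print("209.68.27.16 with 0.0.0.0/0:  ", lookup(dflt, "209.68.27.16"))
```

A `None` result is the case worth checking on a real host (`ip route get <addr> fwmark 0xb` there): the marked packet leaves via the main table rather than the tunnel, so half the Internet is reachable outside the VPN until the second half of the address space, or a default route, is in table 11.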