I was trying to change the incoming interface of the packet using iptables MARK and ip route commands. I have tried this approach after going through the weblink below

http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-4.html#ss4.5

which suggests the use of iptables MARK and iproute2 utilities instead of the ROUTE target, but could not find any success changing the incoming interface of the packet in the receiving path.

I have an application 'A' which binds to an interface 'intfA' in Linux, i.e. the application sends and receives packets only via intfA.

Sending path

In a tunnel based setup, I was able to send packets out from 'intfA' to 'tap0' using the following iptables commands.

    iptables -t mangle -A OUTPUT -d 8.9.10.11/32 -j MARK --set-mark 1
    ip rule add fwmark 1 priority 9000 table 1

My default routing entry in the main table is pointing to 'intfA'. In table '1' I have made the default routing table entry point to 'tap0'.

    ip route add default dev tap0 table 1

I could observe from the kernel dmesg logs that the outgoing interface of the packet changed successfully from 'intfA' to 'tap0'.

In the return path

After 'tap0' gets the encrypted packet from the tunnel, it decrypts it and injects the plain text packet with destination 'a.b.c.d' into the Linux kernel via the 'tap0' interface. So at the kernel prerouting hook, I see the packet coming with IP = 'a.b.c.d' and with incoming 'tap0'.

The following iptables rules were used to change the incoming interface.

    iptables -t mangle -A PREROUTING -d a.b.c.d/32 -j MARK --set-mark 2
    ip rule add fwmark 2 priority 8000 table 2

In table '2' I have made the default routing table entry point to 'intfA'.

    ip route add default dev intfA table 2

I tried to log the packets at the PREROUTING hook and the INPUT hook using the following iptables commands.

    iptables -t mangle -A PREROUTING -d a.b.c.d/32 -j LOG --log-level 0 --log-prefix "VPN PREOUTING: "
    iptables -t mangle -A INPUT -d a.b.c.d/32 -j LOG --log-level 0 --log-prefix "VPN INPUT: "

I was hoping the incoming interface of the packet would be changed from 'tap0' to 'intfA' between the PREROUTING hook and the INPUT hook. But surprisingly the interface doesn't change in both the kernel log traces. I could see the incoming packets marked with mark 2 as well.

From the dmesg logs I confirmed that the incoming interface still remains as 'tap0' after the INPUT hook.

I wanted to understand the reason behind this behaviour for the iptables commands I have used. Not sure if I missed anything in the iptables commands I used which is causing this issue.

- RV
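A way to repeat the comparison described in the message over saved dmesg output, as an added example that is not part of the original post: it pairs the LOG lines written at the two hooks for each packet and reports the IN= interface and MARK= value seen at each. The log lines are constructed samples in the LOG target's key=value format, and 192.0.2.10 is an assumed stand-in for 'a.b.c.d'.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the post). Prefixes match the two LOG rules above.
SAMPLE_DMESG = """\
[ 101.100] VPN PREOUTING: IN=tap0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=8.9.10.11 DST=192.0.2.10 LEN=84 TTL=64 ID=4321 PROTO=ICMP TYPE=0 CODE=0 MARK=0x2
[ 101.101] VPN INPUT: IN=tap0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=8.9.10.11 DST=192.0.2.10 LEN=84 TTL=64 ID=4321 PROTO=ICMP TYPE=0 CODE=0 MARK=0x2
[ 102.200] VPN PREOUTING: IN=tap0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=8.9.10.11 DST=192.0.2.10 LEN=84 TTL=64 ID=4322 PROTO=ICMP TYPE=0 CODE=0 MARK=0x2
[ 103.000] unrelated kernel message
"""

PREFIXES = {"VPN PREOUTING: ": "PREROUTING", "VPN INPUT: ": "INPUT"}
FIELD = re.compile(r"(\w+)=(\S*)")  # OUT= is empty for packets not yet routed out


def parse_line(line):
    """Return (hook, fields) for a line written by one of the two LOG rules, else None."""
    for prefix, hook in PREFIXES.items():
        pos = line.find(prefix)
        if pos != -1:
            return hook, dict(FIELD.findall(line[pos + len(prefix):]))
    return None


def compare_hooks(text):
    """Pair PREROUTING and INPUT entries per packet, keyed on (SRC, DST, IP ID)."""
    seen = defaultdict(dict)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        hook, f = parsed
        key = (f.get("SRC"), f.get("DST"), f.get("ID"))
        seen[key][hook] = (f.get("IN"), int(f.get("MARK", "0x0"), 16))
    report = []
    for key, hooks in seen.items():
        pre_if, pre_mark = hooks.get("PREROUTING", (None, None))
        in_if, _ = hooks.get("INPUT", (None, None))  # None: never logged at INPUT
        report.append({"packet": key, "mark": pre_mark, "prerouting_iif": pre_if,
                       "input_iif": in_if,
                       "iif_changed": None if in_if is None else pre_if != in_if})
    return report


if __name__ == "__main__":
    for row in compare_hooks(SAMPLE_DMESG):
        print(row)
```
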