Hi Remus,
It seems that
iptables -t mangle -A POSTROUTING -o eth0 -p udp --dport 1194 -j MARK \
--set-mark 0x990
will not take effect. (didn't you typo -A as -D?)
POSTROUTING is looked up after the routing decision is made. Because the
default route is dev eth1, the output device is eth1, so -o eth0 will not
match.
You should use
iptables -t mangle -A PREROUTING -p udp --destination <your openvpn \
peer> --dport 1194 -j MARK ....
But I don't think you need to use MARK to do policy routing. It's a
little overkill.
Why not simply route all traffic to your openvpn peer via device eth0?
On Wed, 6 Apr 2005 11:51:16 +0100, "Remus" <rmocius@xxxxxxxxxxxxxx> wrote:
>
> Hi folks,
>
> I have OpenVPN (respect for its developers) running on my FW.
> It has two external NICs and one internal. Everything is fine, except
> that I want OpenVPN (UDP port 1194) going not via the default route/network interface.
>
> I use such commands:
>
> iptables -t mangle -D POSTROUTING -o eth0 -p udp --dport 1194 -j MARK --set-mark 0x990
> ip rule add fwmark 0x990 table openvpn1
> ip route add default via $P2 dev eth0 table openvpn1
>
> eth0 is FW's not default external NIC.
>
> I have in use very similar iptables rules for my email server (TCP ports) and etc.
> Everything works fine.
> What I'm doing wrong with marking/routing the UDP port?
>
> Regards
>
> Remus
>
--
lark
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
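The two approaches discussed in this thread, as an added example that is not part of lark's or Remus's messages: option A is the plain host route to the peer via eth0 that lark recommends, option B is the fwmark variant. Since OpenVPN runs on the firewall itself, its packets are locally generated and traverse the mangle OUTPUT chain (PREROUTING only sees packets arriving on an interface), and because the mark is applied after the first routing decision, the source address has already been picked for the default route; the SNAT rule below covers that. The peer address, the eth0 gateway $P2 and eth0's own address are placeholders, the table name openvpn1 is assumed to exist in /etc/iproute2/rt_tables, and with DRY_RUN=1 (the default) the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: policy-route locally generated OpenVPN UDP/1194 traffic
# out the secondary uplink eth0 instead of the default route on eth1.
# All addresses are constructed placeholders; override them via the environment.
PEER="${PEER:-198.51.100.10}"          # remote OpenVPN peer (placeholder)
P2="${P2:-203.0.113.1}"                # gateway on eth0 (placeholder)
ETH0_ADDR="${ETH0_ADDR:-203.0.113.2}"  # our own address on eth0 (placeholder)
DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands, 0 = execute them

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Option A (the simple approach from the reply): a host route to the peer
# via eth0. The route is chosen up front, so the kernel also picks eth0's
# address as the source; no marks, no extra table, no NAT needed.
route_peer_via_eth0() {
    run ip route add "$PEER" via "$P2" dev eth0
}

# Option B: fwmark-based policy routing.
# - Locally generated packets hit mangle OUTPUT, not PREROUTING/POSTROUTING,
#   so this is where the mark must be set for traffic from the firewall itself.
# - The mark is applied after the initial routing decision; the packet is
#   rerouted to eth0, but its source address was already taken from the
#   default route, so it is rewritten here with SNAT on the marked flow
#   (alternatively, bind OpenVPN to eth0's address with --local).
mark_and_route() {
    run iptables -t mangle -A OUTPUT -p udp -d "$PEER" --dport 1194 \
        -j MARK --set-mark 0x990
    run iptables -t nat -A POSTROUTING -o eth0 -m mark --mark 0x990 \
        -j SNAT --to-source "$ETH0_ADDR"
    run ip rule add fwmark 0x990 table openvpn1
    run ip route add default via "$P2" dev eth0 table openvpn1
}

# Verification: ask the kernel which device and source it would use for the
# peer, once without and once with the mark, to confirm the rule takes effect.
check_route() {
    run ip route get "$PEER"
}
check_marked_route() {
    run ip route get "$PEER" mark 0x990
}

# Stand-alone usage: show what each option would do.
route_peer_via_eth0
mark_and_route
check_route
check_marked_route
```

Run it once with DRY_RUN=1 to review the generated rule set, then with DRY_RUN=0 as root to apply it; `ip route get <peer> mark 0x990` should then report dev eth0 while the unmarked lookup still reports eth1.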