Hi Remus,
It seems that
iptables -t mangle -A POSTROUTING -o eth0 -p udp --dport 1194 -j MARK \
--set-mark 0x990
will not take effect. (didn't you typo -A as -D?)
POSTROUTING is looked up after routing decision is made. Because the
default route is dev eth1, the output device is eth1, -o eth0 will not
match.
You should use
iptables -t mangle -A PREROUTING -p udp --destination <your openvpn \
peer> --dport 1194 -j MARK ....
But I don't think you need to use MARK to do policy routing. It's a
little overkill.
Why not simply route all traffic to your openvpn peer via device eth0?
On Wed, 6 Apr 2005 11:51:16 +0100, "Remus" <rmocius@xxxxxxxxxxxxxx> wrote:
Hi folks,
I have OpenVPN (respect for it developers) running on my FW.
Is has two external NICs and on internal everything is fine, except
I want OpenVPN (UDP port 1194) going not via default route/network
interface.
I use such commands:
iptables -t mangle -D POSTROUTING -o eth0 -p udp --dport 1194 -j
MARK --set-mark 0x990
ip rule add fwmark 0x990 table openvpn1
ip route add default via $P2 dev eth0 table openvpn1
eth0 is FW's not default external NIC.
I have in use very similar iptables rules for my email server (TCP ports)
and etc.
Everything works fine.
What I'm doing wrong with marking/routing the UDP port?
Regards
Remus
--
lark
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users