Server Fault Asked by user158720 on December 27, 2021
I’m trying to redirect all local connections whose destination matches port 22 to a specified tunnel using iptables MARK, but something is going wrong.
1.1.1.1 my public address
2.2.2.2 tunnel public address
1.2.3.4 my local tunnel address
Here are the configs:
# ip rule show
1: from all fwmark 0x14 lookup 20
# ip route show table 20
default via 1.2.3.4 dev tun0
And I have created following rules on iptables:
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 20
iptables -t mangle -A OUTPUT -s 1.2.3.4 -j MARK --set-mark 20
And when I try to ssh to some server (dreamhost in this case) I get:
tcp 6 299 ESTABLISHED src=1.1.1.1 dst=69.163.202.189 sport=37152 dport=22 packets=4 bytes=221 src=69.163.202.189 dst=1.1.1.1 sport=22 dport=37152 packets=2 bytes=133 [ASSURED] mark=0 secmark=0 use=2
The packet is not getting marked and goes out through the default route, which is 1.1.1.1.
I don’t know what I’m doing wrong.
Does anyone have any idea?
mangle's PREROUTING is for altering incoming packets before routing, and OUTPUT is for altering locally-generated packets before routing. Hence PREROUTING is needless (for local connections). But OUTPUT should have worked, though. You don't usually need to specify a source address in firewall rules, since they would be "locally-generated packets" anyway.
And another thing to remember is that no-one is going to change the source IP just because you've marked the packet and it is routed with another route table — you'd need to use NAT explicitly for that. In terms of Linux' iptables it has to be SNAT. And "This target is only valid in the nat table, in the POSTROUTING chain", as the man page says. Although I personally prefer its subspecies MASQUERADE, which is more handy for that, because you don't have to bother with hard-coding IP addresses.
Answered by poige on December 27, 2021
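The rule set the answer describes, written out as an added example (this is not the asker's configuration or the answerer's code): the mark is set in mangle OUTPUT only, the fwmark rule and table from the question stay as they are, and a MASQUERADE rule in nat POSTROUTING rewrites the source address on the way out of the tunnel. The interface name tun0, mark 20 (0x14), table 20 and gateway 1.2.3.4 are taken from the question; the function names and the second, "marked" conntrack line are assumptions constructed here to show what a successful run looks like next to the unmarked line from the question.

```shell
#!/bin/sh
# Added example, not from the original post: policy routing of locally
# generated SSH traffic over a tunnel, plus a check on conntrack output.
# Assumed values (from the question): tun0, mark 20 (0x14), table 20, gateway 1.2.3.4.

MARK=20
TABLE=20
TUN_IF=tun0
TUN_GW=1.2.3.4

# Emit the rule set one command per line without executing it, so it can be
# reviewed before it touches a live firewall. No PREROUTING rule: locally
# generated packets never traverse that chain.
ssh_via_tunnel_rules() {
    cat <<EOF
ip rule add fwmark $MARK lookup $TABLE
ip route replace default via $TUN_GW dev $TUN_IF table $TABLE
iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark $MARK
iptables -t nat -A POSTROUTING -o $TUN_IF -j MASQUERADE
EOF
}

# Apply the rule set. Needs root and an existing tun0; stops at the first
# failing command.
ssh_via_tunnel_apply() {
    ssh_via_tunnel_rules | sh -e
}

# Given one line of `conntrack -L` output, return 0 (true) if the flow
# carries a non-zero mark. A flow to dport 22 that still shows mark=0 means
# the OUTPUT rule never matched it.
conntrack_line_marked() {
    case "$1" in
        *" mark=0 "*|*" mark=0") return 1 ;;
        *" mark="*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read conntrack output on stdin and print only the port-22 flows that are
# NOT marked, i.e. the ones that will leave via the default route.
unmarked_ssh_flows() {
    while IFS= read -r line; do
        case "$line" in
            *" dport=22 "*) conntrack_line_marked "$line" || printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample lines. The first is the line from the question; the
# second is what the same flow looks like once the mark and MASQUERADE apply
# (source rewritten to the tunnel address, mark=20).
SAMPLE_UNMARKED='tcp 6 299 ESTABLISHED src=1.1.1.1 dst=69.163.202.189 sport=37152 dport=22 packets=4 bytes=221 src=69.163.202.189 dst=1.1.1.1 sport=22 dport=37152 packets=2 bytes=133 [ASSURED] mark=0 secmark=0 use=2'
SAMPLE_MARKED='tcp 6 299 ESTABLISHED src=1.2.3.4 dst=69.163.202.189 sport=37152 dport=22 packets=4 bytes=221 src=69.163.202.189 dst=1.2.3.4 sport=22 dport=37152 packets=2 bytes=133 [ASSURED] mark=20 secmark=0 use=2'

# Usage on a live box (as root):
#   ssh_via_tunnel_apply && conntrack -L 2>/dev/null | unmarked_ssh_flows
```

The source address of a locally generated packet is chosen during the first route lookup, before the mangle OUTPUT chain runs; the mark only triggers a re-route afterwards, which is why the answer's point stands and the MASQUERADE rule on the outgoing tunnel interface is required for the packets to carry the tunnel address. After applying, `conntrack -L | unmarked_ssh_flows` printing nothing is the quick check that every SSH flow was marked.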