On Wed, Oct 14, 2015 at 4:42 AM, Hongyi Zhao <hongyi.z...@gmail.com> wrote:
> On Wed, 14 Oct 2015 02:05:38 -0400, Selva Nair wrote:
>
> > This should work for forwarded packets, but for locally generated
> > traffic you will need to mangle them in the OUTPUT chain.
>
> I've tried with the OUTPUT chain, but still it failed for me to access
> google.com via openvpn.

To test, keep it simple -- try with just one IP directly specified in the rule

# iptables -t mangle -I OUTPUT -d 8.8.8.8/32 -j MARK --set-mark 200
(to work locally this has to be in the OUTPUT chain -- see below)
# ip rule add fwmark 200 table openvpn
# ip rule show
(make sure there are no rules that may override this one)
# ip route flush table openvpn
# ip route add default via <VPN-remote-IP-here> dev <vpn-tun-dev-here> table openvpn
# ip route list table openvpn
(review the route to be sure..)

Test the routing with and without this one in place

> The traceroute to 8.8.8.8 shows as follows:
>
> werner@debian-01:~$ traceroute 8.8.8.8
> traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
>  1  * * *

That doesn't say much, does it.. Did traceroute to 8.8.8.8 display the hops
before the rule was in place? If yes, at least you know the packets are being
routed differently with the rule.

> In addition, the manpage of iptables-extensions gives the following
> notes:
>
> MARK
> [...]
> If you plan on doing so, note that the mark
> needs to be set in the PREROUTING chain of
> the mangle table to affect routing.

The manpage is probably referring to routing of received and forwarded
packets, not outgoing packets. As far as I know, the PREROUTING chain is
traversed by packets coming in from the network, not by locally generated
packets. So if this is a router forwarding packets for other machines, yes
you need to mark the packets in the PREROUTING chain. But that won't mark any
locally generated traffic including your traceroute packets.

Selva

> Any hints for my issue?
>
> Regards
> --
> .: Hongyi Zhao [ hongyi.zhao AT gmail.com ] Free as in Freedom :.
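The test procedure from Selva's reply, packaged as a small POSIX shell script. This is an added example, not code from the thread or from the OpenVPN project: VPN_GW, VPN_DEV and the two sample "ip rule show" outputs are placeholders I constructed, and the check_rule_order function is my own implementation of the "make sure there are no rules that may override this one" step (it flags any rule with a lower priority number than the fwmark rule, since those are evaluated first).

```shell
#!/bin/sh
# Added example, not code from the thread. It packages the test procedure from
# Selva's reply: mark locally generated packets to one destination in the
# mangle OUTPUT chain, send marked packets to a dedicated routing table, and
# check that no earlier "ip rule" entry overrides the fwmark rule.
# VPN_GW and VPN_DEV are placeholders (assumptions); set them for your tunnel.

MARK=200                      # fwmark value used in the thread
TABLE=openvpn                 # must be defined in /etc/iproute2/rt_tables
DEST=8.8.8.8/32               # single test destination from the thread
VPN_GW="${VPN_GW:-10.8.0.1}"  # placeholder: remote end of the tunnel
VPN_DEV="${VPN_DEV:-tun0}"    # placeholder: OpenVPN tun device

# Emit the commands so they can be reviewed before anything is changed.
policy_route_commands() {
    cat <<EOF
iptables -t mangle -I OUTPUT -d $DEST -j MARK --set-mark $MARK
ip rule add fwmark $MARK table $TABLE
ip route flush table $TABLE
ip route add default via $VPN_GW dev $VPN_DEV table $TABLE
EOF
}

# check_rule_order "<output of: ip rule show>"
# Rules are evaluated in ascending priority order, so any rule numbered lower
# than our fwmark rule (other than the built-in "lookup local") runs first and
# may route the packet elsewhere. Returns 0 when the fwmark rule is present
# and only "lookup local" precedes it, 1 otherwise.
check_rule_order() {
    rules=$1
    fwmark_hex=$(printf '0x%x' "$MARK")   # ip rule prints marks in hex
    prio=$(printf '%s\n' "$rules" | awk -v fm="fwmark $fwmark_hex" -v t="lookup $TABLE" \
        'index($0, fm) && index($0, t) { sub(":", "", $1); print $1; exit }')
    if [ -z "$prio" ]; then
        echo "rule 'fwmark $fwmark_hex lookup $TABLE' not found" >&2
        return 1
    fi
    earlier=$(printf '%s\n' "$rules" | awk -v p="$prio" \
        '{ n = $1; sub(":", "", n); if (n + 0 < p + 0 && $0 !~ /lookup local$/) print }')
    if [ -n "$earlier" ]; then
        echo "rules evaluated before the fwmark rule (priority $prio), review them:" >&2
        printf '%s\n' "$earlier" >&2
        return 1
    fi
    return 0
}

# Apply the rules (root only), then verify with "ip rule show" and a route
# lookup that carries the mark, which is the lookup a marked packet gets.
apply_policy_routing() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    grep -qw "$TABLE" /etc/iproute2/rt_tables 2>/dev/null || {
        echo "table '$TABLE' is not defined in /etc/iproute2/rt_tables" >&2; return 1; }
    policy_route_commands | sh -ex || return 1
    check_rule_order "$(ip rule show)" || return 1
    ip route list table "$TABLE"
    ip route get "${DEST%/*}" mark "$MARK"
}

# Constructed sample outputs (not captured from a real host) for offline checks.
SAMPLE_RULES_OK='0:      from all lookup local
32765:  from all fwmark 0xc8 lookup openvpn
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_RULES_OVERRIDDEN='0:     from all lookup local
100:    from all lookup main
32765:  from all fwmark 0xc8 lookup openvpn
32766:  from all lookup main
32767:  from all lookup default'

case "${1:-}" in
    show)  policy_route_commands ;;
    apply) apply_policy_routing ;;
esac
```

Run it with "show" to review the commands and as root with "apply" to install and verify them. Two notes of my own that the thread does not spell out: "table openvpn" only works once a line such as "200 openvpn" exists in /etc/iproute2/rt_tables (otherwise use the table number), and for locally generated traffic the source address is chosen before the OUTPUT-chain mark is applied, so packets can leave the tun device with the LAN address; a MASQUERADE rule for the tun device in the nat POSTROUTING chain is the usual companion, and reverse path filtering on the LAN interface may otherwise drop the replies.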
------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users