How to stop mangled output packets from using default route?
I have a router. It has a few interfaces. One of them is the VPN, called vpn0, one is the default route to the physical interface, called out0, and an input interface, in0.
Packets from in0 with destination port 993 are never to be placed on out0. I do this by marking the packets thus:
iptables -t mangle -A PREROUTING -i in0 -p tcp --dport 993 -j MARK --set-mark 100
iptables -t mangle -A PREROUTING -i in0 -p tcp --dport 993 -j CONNMARK --save-mark
and to disable forwarding on out0 I do the following:
iptables -A FORWARD -i in0 ! -o vpn0 -m mark --mark 100 -m conntrack --ctstate NEW -j DROP
The problem I am having is with output packets that are coming from the host. To mangle packets out vpn0 I have these rules:
iptables -t mangle -A OUTPUT --protocol tcp --dport 993 --jump MARK --set-mark 100
iptables -t mangle -A OUTPUT --protocol tcp --dport 993 --jump CONNMARK --save-mark
iptables -t mangle -A OUTPUT --protocol tcp --dport 993 --jump RETURN
Which works rather well. The only problem occurs when vpn0 isn't working. I tried adding the rule:
iptables -A OUTPUT --protocol tcp --dport 993 -o out0 --match mark --mark 100 -m conntrack --ctstate NEW --jump DROP
But this drops packets that would go out the VPN. I checked this by changing the DROP to a LOG, and the out interface is out0, not vpn0.
What gives?
iptables
asked 1 hour ago
Slobodan Slovotich