fwmark routing not taken
I'm trying to set up a kind of "on-demand dynamic routing".
Basically, when I activate a script, I would like it to mount a new interface (a tun VPN, for example) and define the appropriate firewall and routing rules to route the dedicated traffic.
Here it is just the beginning, with a simple SSH connection.
Here are my iptables rules:
iptables -A OUTPUT -d X.X.X.X -j MARK --set-mark 2
iptables -A OUTPUT -d X.X.X.X -j ACCEPT
iptables -A INPUT -s -d X.X.X.X -j ACCEPT
Here is my default route in normal operating condition:
[root@localhost ~]# ip route
default via 192.168.0.1 dev enp0s3 proto dhcp metric 20100
192.168.0.0/24 dev enp0s3 proto kernel scope link src 192.168.0.23 metric 100
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
And my added routing rule for SSH:
ip route add default via 192.168.0.1 table 3
ip rule add fwmark 2 table 3
ip route flush cache
Check routes:
[root@localhost user]# ip route show table 3
default via 192.168.0.1 dev enp0s3
[root@localhost user]# ip route show table main
default via 192.168.0.1 dev enp0s3 proto dhcp metric 20100
192.168.0.0/24 dev enp0s3 proto kernel scope link src 192.168.0.23 metric 100
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
So, my SSH connection is working fine with this setup.
Now, I would like to route all my outbound flows through another interface, except my SSH connection.
What I do not understand is that when I change the default route, my SSH connection is lost and routing table 3 does not seem to be taken.
For example:
ip route del default
ip route add default via 10.0.0.1
Following these commands, my SSH connection is completely lost.
Why is routing table 3 not taken?
Tags: ssh iptables route
Typically, routing decisions have already been made when you traverse the OUTPUT chain(s). One exception is the OUTPUT chain of the mangle table, where a reroute check is made afterwards. Try applying your fwmark actions in the mangle table instead. For reference, see upload.wikimedia.org/wikipedia/commons/3/37/…
– user234931, Jan 2 at 23:33
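The fix the comment describes, as an added example that is not part of the question or the comment: the MARK target moves from the filter table's OUTPUT chain to the mangle table's OUTPUT chain, so the reroute check that follows mangle/OUTPUT re-evaluates the route with the mark and the `ip rule ... fwmark` lookup can pick the dedicated table. The gateway, interface, mark and table numbers default to the question's values; the destination is an RFC 5737 test address standing in for X.X.X.X, and the `run`, `setup_fwmark_route`, `teardown_fwmark_route` and `verify_fwmark_route` names are this example's own. By default the script only prints the commands; `up` and `down` execute them and need root.

```shell
#!/bin/sh
# Added example (not code from the question or the comment): policy routing
# for one destination with the fwmark set in mangle/OUTPUT, where the kernel
# re-runs the routing decision, instead of filter/OUTPUT, where the route has
# already been fixed before the chain is traversed.
set -u

# Assumed placeholder values: DEST is a TEST-NET-1 address standing in for the
# question's X.X.X.X; the others mirror the question's setup.
DEST="${DEST:-192.0.2.10}"
GW="${GW:-192.168.0.1}"
DEV="${DEV:-enp0s3}"
MARK="${MARK:-2}"
TABLE="${TABLE:-3}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only (default), 0 = execute

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Install the mark, the dedicated table and the rule that selects it.
setup_fwmark_route() {
    # mangle/OUTPUT is followed by a reroute check, so marking here lets the
    # policy-routing rule below match. The same rule in filter/OUTPUT would
    # mark the packet after its route was already chosen from the main table.
    run iptables -t mangle -A OUTPUT -d "$DEST" -j MARK --set-mark "$MARK"
    # The dedicated table keeps the original gateway even after the main
    # default route has been moved to another interface.
    run ip route add default via "$GW" dev "$DEV" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route flush cache
}

# Undo in reverse order; 'ip route flush table' empties the whole table.
teardown_fwmark_route() {
    run ip rule del fwmark "$MARK" table "$TABLE"
    run ip route flush table "$TABLE"
    run iptables -t mangle -D OUTPUT -d "$DEST" -j MARK --set-mark "$MARK"
}

# Checks to run after applying: the rule must be listed, the table must hold
# the gateway, and a lookup carrying the mark must resolve via that gateway.
verify_fwmark_route() {
    run ip rule show
    run ip route show table "$TABLE"
    run ip route get "$DEST" mark "$MARK"
}

case "${1:-show}" in
    up)   DRY_RUN=0; setup_fwmark_route; verify_fwmark_route ;;
    down) DRY_RUN=0; teardown_fwmark_route ;;
    show) setup_fwmark_route ;;
    *)    echo "usage: $0 {show|up|down}" >&2; exit 2 ;;
esac
```

`ip route get "$DEST" mark "$MARK"` is the quickest way to confirm that the mark is honoured: the answer should name the dedicated table's gateway and device even after the main default route points at 10.0.0.1. One caveat for connections opened after the default route has moved: the socket picks its source address during the first lookup, before the mark exists, so compare the `src` shown by `ip route get` with and without `mark` before relying on the rule for new sessions rather than only the established one.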
edited Dec 26 '18 at 14:13 by Rui F Ribeiro
asked Dec 26 '18 at 13:57 by mytrexisnice