How to Add a Routing Rule that Only Matches ‘dport’ in iptables

ip-routingiproute2iptablesopenwrtrules

In my OpenWrt box, I want to route only a specific protocol(tcp:1888) to a tun interface only for one PC(192.168.28.2), so I do as following:

ip rule add from 192.168.28.2 dport 1888 lookup 123

ip route add default via 10.8.0.2 dev tun0 table 123

But it does NOT work!

When I check the rule list with ip rule, I get:

0: from all lookup local

32765: from 192.168.28.2 lookup 123

32766: from all lookup main

32767: from all lookup default

I guest that the dport SELECTOR doesn't take effect.

How should I do?

Thanks!!!

Solution:
With Nikita Kipriyanov's help, I got it, but the FORWARD chain of mangle table doesn't work, I used the PREROUTING instaed.

Would pls anyone explain why should I use PREROUTING instead of FORWARD of mangle?

Best Answer

Add a netfilter mark rule in the FORWARD chain of the mangle table. Then add a routing rule using that mark:

iptables -t mangle -A PREROUTING -s 192.168.28.2 -p tcp --dport 1888 -j MARK --set-mark 0x1/0x1
ip rule add fwmark 0x1/0x1 lookup 123

Related Solutions

Linux – Redirecting IP traffic to tun0 using iptables

Using the same network address on two interfaces is asking for trouble. I'd renumber the tun0 network, then set up NAT to deal with the fallout. With tun0 set up between 192.168.0.1 (local) and 192.168.0.2 (remote):

iptables -t nat -I PREROUTING -d 10.68.195.78 -j DNAT --to-dest 192.168.0.2

This still requires that packets for 10.68.195.78 arrive at this host, so all hosts (or at least those that need to contact the box on the other side) on this network need

ip r a 10.68.195.78 via 10.68.195.23

Alternatively, you can use proxy ARP, but that is generally messy.

In addition, the box on the other side needs to have its default route point to the tunnel so returning packets go the same way; you can also add a SNAT rule in POSTROUTING to make all connections appear to the other box as from the other tunnel endpoint:

iptables -t nat -I POSTROUTING -d 10.68.195.78 -j SNAT --to-source 192.168.0.1

Forward IP packets to tunnel device

I know it has been six years, but in case anyone stumbles here with a similar issue: this sounds like the reverse path filter 'rp_filter' dropping traffic.

From the link:

log rp_filter dropped traffic:

echo 1 >/proc/sys/net/ipv4/conf/(interfacename)/log_martians

disable rp_filter:

echo 0 >/proc/sys/net/ipv4/conf/(interfacename)/rp_filter

Best Answer

Related Solutions

Linux – Redirecting IP traffic to tun0 using iptables

Forward IP packets to tunnel device

Related Topic