Hi all,
I kind of encountered a bug with the MASQUERADE target of iptables,
with this setup:
        | I N T E R N E T |
          |             |
        |WLAN|        |WAN|
          |             |
         |FreeWRT-Box|
eth0.1 (WAN, official IP)
eth2 (WLAN-Client 192.168.0.250 IP)
default-gw: 192.168.0.1 (via WLAN, because it has more bandwidth)
And for lower latency I'd like to route different stuff over my
WAN connection (SDSL) with policy routing like this:
# add both of my interfaces to separate tables
ip route add table 100 default via ???.???.???.??? (WAN-IP!)
ip route add table 200 default via 192.168.0.1
# set rules for when to use which table
ip rule add fwmark 1111 table 100
ip rule add fwmark 2222 table 200
# mark packets to bind them to one of the tables:
iptables -t mangle -A OUTPUT -p udp --dport 1194 -j MARK --set-mark 1111
iptables -t mangle -A PREROUTING -i eth0.0 -p tcp --dport 80 -d ! 192.168.0.0/21 -j MARK --set-mark 2222
# finally I masq my traffic:
iptables -t nat -A POSTROUTING -o eth0.1 -j MASQUERADE
(this is actually done by the default /etc/firewall.conf)
Now the funny part. In this setup the outgoing traffic on eth0.1 to
udp/1194 (OpenVPN) is NOT masqueraded!!!
I don't know if this is a bug related to iptables or the 2.4 kernel,
but this only works when I add an additional static SNAT rule for
the outgoing device like this:
iptables -t nat -A POSTROUTING -o eth0.1 -j SNAT --to-source ???.???.???.???
So my question is: Did I really find a bug within the
netfilter stack, or is there something conceptually wrong with my
setup?
good night so far,
Markus
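The setup from the post as one complete shell script, using the workaround the post ends up with: the NAT source is pinned with SNAT to the address actually configured on the WAN interface instead of being chosen by MASQUERADE. This is an added example, not Markus's configuration and not FreeWRT's /etc/firewall.conf. The interfaces (eth0.1, eth2, eth0.0), marks, tables, ports and the WLAN gateway are taken from the post; the helper names (run, first_ipv4, iface_ipv4, build_rules), the DRY_RUN switch and the 203.0.113.x addresses are assumptions (RFC 5737 documentation addresses standing in for the real WAN IP and gateway).

```shell
#!/bin/sh
# Added example, not the poster's or FreeWRT's configuration.
# Interfaces, marks, tables, ports and the WLAN gateway come from the post;
# helper names, DRY_RUN and the 203.0.113.x sample addresses are assumptions.

DRY_RUN="${DRY_RUN:-1}"      # 1 = print the commands instead of running them
WAN_IF="eth0.1"              # WAN side, holds the official IP
WLAN_IF="eth2"               # WLAN client side (192.168.0.250)
LAN_IF="eth0.0"              # LAN side named in the PREROUTING rule
WLAN_GW="192.168.0.1"        # default gateway via WLAN (more bandwidth)
WAN_MARK=1111;  WAN_TABLE=100
WLAN_MARK=2222; WLAN_TABLE=200

run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Print the first IPv4 address (without prefix length) found in
# `ip -4 addr show` output read from stdin; inet6 lines do not match.
first_ipv4() {
  sed -n 's/^[[:space:]]*inet \([0-9][0-9.]*\)\/.*/\1/p' | head -n 1
}

# Address currently configured on an interface (empty if none).
iface_ipv4() {
  ip -4 addr show dev "$1" 2>/dev/null | first_ipv4
}

# Emit the whole ruleset for the given WAN address and WAN gateway.
build_rules() {
  wan_ip="$1"; wan_gw="$2"
  [ -n "$wan_ip" ] || { echo "no IPv4 address on $WAN_IF" >&2; return 1; }

  # One routing table per uplink, selected by fwmark.
  run ip route replace table "$WAN_TABLE"  default via "$wan_gw"  dev "$WAN_IF"
  run ip route replace table "$WLAN_TABLE" default via "$WLAN_GW" dev "$WLAN_IF"
  run ip rule add fwmark "$WAN_MARK"  table "$WAN_TABLE"
  run ip rule add fwmark "$WLAN_MARK" table "$WLAN_TABLE"
  run ip route flush cache

  # Marking: OpenVPN (udp/1194) from the box itself leaves via WAN,
  # HTTP from the LAN that is not for the local /21 leaves via WLAN.
  run iptables -t mangle -A OUTPUT -p udp --dport 1194 -j MARK --set-mark "$WAN_MARK"
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
      ! -d 192.168.0.0/21 -j MARK --set-mark "$WLAN_MARK"

  # NAT: pin the source to the WAN interface address (the post's SNAT
  # workaround) instead of letting MASQUERADE pick one per packet.
  run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$wan_ip"
}

# Stand-alone run: dry run prints the ruleset with sample addresses; a real
# run reads the WAN address from the interface and needs WAN_GW set.
if [ "$DRY_RUN" = "1" ]; then
  build_rules "${WAN_IP:-203.0.113.10}" "${WAN_GW:-203.0.113.1}"
else
  build_rules "${WAN_IP:-$(iface_ipv4 "$WAN_IF")}" "${WAN_GW:?set WAN_GW to the WAN gateway}"
fi
```

Run it once with DRY_RUN=1 to review the generated commands, then with DRY_RUN=0 and WAN_GW set on the box. Reading the address from the interface at run time keeps the SNAT rule correct when the WAN address changes, which is the practical cost of replacing MASQUERADE with a static SNAT.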
_______________________________________________
freewrt-developers mailing list
https://www.freewrt.org/lists/listinfo/freewrt-developers