route traffic on certain port through certain interface?

networking iptables routing openvpn route
6,800

Routing is at IP layer 3. TCP is at layer 4, so routing alone isn't enough to deal with this.

In short: the interesting traffic has to be tagged with iptables, and tagged packets selected with ip rule's fwmark to use a separate routing table. Then two more fixes have to be applied for the locally initiated/receiving traffic case, which is more difficult than the routed case. All the settings are of course done on the local system.

Routing table 80 (a matching symbolic name can be added in /etc/iproute2/rt_tables but that's not mandatory) and mark 0x80 were "arbitrarily" chosen.

ip route add table 80 192.168.1.0/24 dev eth0 scope link src 192.168.1.56
ip route add table 80 default dev eth0 via 192.168.1.1

Using -I to ensure that the iptables rules aren't appended too late. You should check with your current rules how to reorder that if needed:

iptables -t mangle -N markports
iptables -t mangle -I PREROUTING 1 -j CONNMARK --restore-mark
iptables -t mangle -I OUTPUT 1 -m mark --mark 0 -j markports
iptables -t mangle -I OUTPUT 2 -j CONNMARK --save-mark
iptables -t mangle -A markports -p tcp --dport 80 -j MARK --set-mark 0x80
iptables -t mangle -A markports -p tcp --dport 443 -j MARK --set-mark 0x80

ip rule add fwmark 0x80 lookup 80

This blog: Netfilter Connmark » To Linux and beyond ! gives good informations on CONNMARK.

This should have been working, but actually the wrong default outgoing IP will have been selected at the first routing decision, because the route was about to be through tun0. At the reroute check made because of the mangle/OUTPUT's mark (see this Packet flow in Netfilter and General Networking schematic for clarification), this IP won't change. If the traffic handled was routed instead of being locally initiated, this problem wouldn't happen (using a separate net namespace to ensure this is a solution for services, probably not for a Desktop). So this requires also a layer of MASQUERADE (or SNAT for more complex cases) on top of it:

iptables -t nat -I POSTROUTING 1 -m mark --mark 0x80 -j MASQUERADE

Now that the outgoing source IP is correct, it's still not working: the reverse path filter triggers in the return path for about the same reason: the routing decision made before PREROUTING doesn't know the fwmark for now (despite the previous schematic placing mangle/PREROUTING before the routing decision, that's apparently not the case), thus considers the return traffic packets to be spoofed and drops them early. The eth0 interface's rp_filter has to be put in loose mode for this to be allowed. This might have some (very minor behind NAT) security issues but I found it unavoidable for this non-routed case:

echo 2 > /proc/sys/net/ipv4/conf/eth0/rp_filter

You'll have to find how to set it permanently (eg echo net.ipv4.conf.eth0.rp_filter=2 > /etc/sysctl.d/90-local-loose-mode.conf if nothing else alters it later).

Tested ok using namespaces with similar settings to OP's.

NOTE: DNS requests will still go through the tunnel. Some geolocalized web services might not work as expected.

Share:
6,800

Related videos on Youtube

jmaris
Author by

jmaris

Updated on September 18, 2022

Comments

  • jmaris
    jmaris over 1 year

    I am currently running a system in which I need to be able to send and recieve HTTP and HTTPS traffic directly, however all other traffic must go via a VPN.

    My setup is :

    x2 interfaces : eth0 (local network, behind a router) and tun0 (openvpn client)

    Currently all traffic is routed through my vpn, i was wondering if it were possible to not route http and https traffic (80, 443) through the VPN.

    Here is the routing table when the system and openvpn client have started :

    0.0.0.0/1 via 10.8.13.5 dev tun0 
default via 192.168.1.1 dev eth0 
10.8.13.1 via 10.8.13.5 dev tun0 
10.8.13.5 dev tun0 proto kernel scope link src 10.8.13.6 
128.0.0.0/1 via 10.8.13.5 dev tun0 
176.67.168.144 via 192.168.1.1 dev eth0 
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.56 
192.168.1.1 dev eth0 scope link

    I have read through other similar questions however either the answers don't reroute the traffic or just block it.

    Thanks in advance :)

  • A.B
    A.B about 4 years
    newer kernels ( >= 4.17) can have ip rules with tcp or udp selectors (policy routing has now a leg in layer 4). So this could be done without any use of iptables now, but I'm not sure that would give a better result (except maybe with regard to MTU/MSS)

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Only routing certain traffic through VPN
Routing subnet to specific routing table with fwmark, direct to ISP and VPN
OpenVPN without NAT
forward packets from one interface to another interface using iptables
How to configure an OpenVPN Client Router
UFW or IPTables on Ubuntu for OpenVPN?
persist port routing from 80 to 8080
OpenVPN connecting but no internet access on Ubuntu 16.04 / 18.04 / 20.04
OpenVPN Client and Server on same machine - Server doesn't allow connections when client is connected
Redirect IP to another IP using iptables