
In my OpenWrt box, I want to route only a specific protocol (tcp:1888) to a tun interface, and only for one PC (192.168.28.2), so I do the following:

ip rule add from 192.168.28.2 dport 1888 lookup 123

ip route add default via 10.8.0.2 dev tun0 table 123

But it does NOT work!

When I check the rule list with ip rule, I get:

0: from all lookup local

32765: from 192.168.28.2 lookup 123

32766: from all lookup main

32767: from all lookup default

I guess that the dport SELECTOR doesn't take effect.

How should I do it?

Thanks!!!

Solution: With Nikita Kipriyanov's help, I got it, but the FORWARD chain of the mangle table doesn't work, so I used PREROUTING instead.

Would anyone please explain why I should use PREROUTING instead of FORWARD in the mangle table?

Leon

1 Answer

Add a netfilter mark rule in the FORWARD chain of the mangle table. Then add a routing rule using that mark:

iptables -t mangle -A PREROUTING -s 192.168.28.2 -p tcp --dport 1888 -j MARK --set-mark 0x1/0x1
ip rule add fwmark 0x1/0x1 lookup 123
Nikita Kipriyanov
    Thanks for your help. I have succeeded, but by using the PREROUTING chain of the mangle table; the FORWARD chain doesn't work. Would you please explain to me why? – Leon Nov 15 '21 at 16:54
  • I was too lazy to evaluate which routing decision we must target. There are two in the packet path: the one after PREROUTING, which decides FORWARD or INPUT, and the one after FORWARD or OUTPUT before POSTROUTING, which decides which output interface to egress. I targeted the second routing decision, while it happened that we needed to correctly use the first one. I updated the answer to reflect your comment. – Nikita Kipriyanov Nov 15 '21 at 18:15
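Putting the accepted approach together, here is an added shell example (not code from the question or the answer) that applies the fwmark-based policy route and then checks the resulting `ip rule` listing for the selector it expects. That check targets the symptom visible in the question: the rule was installed as "from 192.168.28.2 lookup 123" with the dport selector silently gone. The address, port, mark, table, gateway and device values come from the question; the DRY_RUN switch, the function names and the constructed sample listing are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Policy-route TCP/1888 from one LAN host through tun0 by marking the packets
# in mangle PREROUTING and selecting a routing table by fwmark, then verify
# that the installed rule really carries the selector we asked for.
# Values below are taken from the question; everything else is assumed here.
LAN_HOST=${LAN_HOST:-192.168.28.2}
PORT=${PORT:-1888}
MARK=${MARK:-0x1/0x1}
TABLE=${TABLE:-123}
GATEWAY=${GATEWAY:-10.8.0.2}
DEV=${DEV:-tun0}

# DRY_RUN=1 prints each command instead of executing it (no root needed).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The mark is set in PREROUTING on purpose: for forwarded traffic the policy
# routing database is consulted in the routing decision right after
# PREROUTING. A mark added in FORWARD comes after that decision, and the
# kernel only re-routes marked packets for locally generated traffic (OUTPUT).
apply_policy_route() {
    run ip route add default via "$GATEWAY" dev "$DEV" table "$TABLE"
    run iptables -t mangle -A PREROUTING -s "$LAN_HOST" -p tcp --dport "$PORT" \
        -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" lookup "$TABLE"
}

# Does the rule that jumps to table $2 in the "ip rule" listing $1 carry
# selector $3 (e.g. dport, fwmark)? Returns 0 if present, 1 if missing.
rule_lists_selector() {
    printf '%s\n' "$1" | grep -E "lookup $2\$" | grep -q -- "$3"
}

# Constructed sample: the listing shown in the question, where the dport
# selector disappeared from rule 32765.
QUESTION_LISTING='0: from all lookup local
32765: from 192.168.28.2 lookup 123
32766: from all lookup main
32767: from all lookup default'

# Live check after applying: the fwmark rule must show up with its selector.
verify_policy_route() {
    rule_lists_selector "$(ip rule show)" "$TABLE" fwmark
}

if [ "${1:-}" = "apply" ]; then
    apply_policy_route && verify_policy_route
fi
```

Run it as `DRY_RUN=1 ./policy-route.sh apply` to review the three commands before touching the box, then without DRY_RUN as root to apply them. Applying the same `rule_lists_selector` check to the question's listing with selector `dport` fails, which is the quickest way to confirm that the `ip` binary or kernel in use dropped the selector before switching to fwmark.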