
I'm trying to redirect all local connections whose destination matches port 22 to a specified tunnel using iptables MARK, but something is going wrong.

1.1.1.1 my public address
2.2.2.2 tunnel public address
1.2.3.4 my local tunnel address

Here are the configs:

# ip rule show 
1:      from all fwmark 0x14 lookup 20 

# ip route show table 20 
default via 1.2.3.4 dev tun0

And I have created following rules on iptables:

iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 20 
iptables -t mangle -A OUTPUT -s 1.2.3.4 -j MARK --set-mark 20

And when I try to ssh to some server (dreamhost in this case) I get:

tcp      6 299 ESTABLISHED src=1.1.1.1 dst=69.163.202.189 sport=37152 dport=22 packets=4 bytes=221 src=69.163.202.189 dst=1.1.1.1 sport=22 dport=37152 packets=2 bytes=133 [ASSURED] mark=0 secmark=0 use=2

The packet is not getting marked and is going out through the default route, which is 1.1.1.1.

I don't know what I'm doing wrong.

Does anyone have any idea?

user158720

1 Answer


mangle's PREROUTING is for altering incoming packets before routing, and OUTPUT is for altering locally-generated packets before routing. Hence PREROUTING is needless (for local connections). OUTPUT should have worked, though. You usually don't need to specify a source address in firewall rules, since it would be "locally-generated packets" anyway.

And another thing to remember is that no one is going to change the source IP just because you've marked the packet and it would be routed with another route table — you'd need to use NAT explicitly for that. In terms of Linux's iptables, it has to be SNAT. And "This target is only valid in the nat table, in the POSTROUTING chain", as the man page says. Although I personally prefer its subspecies MASQUERADE, which is more handy for that, because you don't have to bother with hard-coding IP addresses.

poige
  • I've tried -A OUTPUT -p tcp --dport 22 -j MARK --set-mark 20 and now I get timed out. Looks like I really need SNAT, but I don't understand clearly why! – user158720 Feb 13 '13 at 11:07
  • Since the difference is GRE adding a header to each packet that leaves through this interface. And in fact, the source address is 1.1.1.1 and the destination is 2.2.2.2 (the other edge), and inside the GRE packet we have the original source and destination. So why are these marks not working? – user158720 Feb 13 '13 at 11:14
  • It has nothing to do with GRE in particular or encapsulation in general. It's just another route set, and that's it. `SNAT` has to be used because the IP packet had already been filled in and the TCP/IP stack didn't use any policy routing when doing that. – poige Feb 13 '13 at 21:02
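The three pieces the answer describes (mark in mangle/OUTPUT, fwmark policy rule plus route table, and source NAT in nat/POSTROUTING) pulled together as one script. This is an added example, not the answerer's or the asker's configuration: it assumes the tunnel interface is tun0 and reuses mark/table 20 and port 22 from the question; the route is written as `default dev tun0` on the assumption that tun0 is a point-to-point interface, which needs no gateway. The DRY_RUN wrapper and the check_mark helper are constructed for illustration. One extra rule, CONNMARK --save-mark, is included because the `mark=` column in the conntrack listing shown in the question is the connection mark, not the per-packet fwmark; without CONNMARK that column stays 0 even when MARK is working.

```shell
#!/bin/sh
# Policy-route local SSH connections through a tunnel, with SNAT so that
# replies come back the same way. Constructed example; not from the post.
# DRY_RUN=1 (default) prints each command instead of running it so the rule
# set can be reviewed; run as root with DRY_RUN=0 to apply it.
TUN_IF="${TUN_IF:-tun0}"       # assumption: tunnel interface name
MARK=20                        # fwmark 0x14, as in the question
TABLE=20                       # routing table 20, as in the question
DPORT=22
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: mark locally generated packets to port 22. PREROUTING never sees
# locally generated traffic, so only mangle/OUTPUT is used. The CONNMARK rule
# copies the packet mark onto the connection so `conntrack -L` shows mark=20.
mark_rules() {
    run iptables -t mangle -A OUTPUT -p tcp --dport "$DPORT" -j MARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -m mark --mark "$MARK" -j CONNMARK --save-mark
}

# Step 2: marked packets consult table 20, whose default route is the tunnel.
# A point-to-point tunnel needs no "via"; add one if your tunnel is not ptp.
policy_routes() {
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add default dev "$TUN_IF" table "$TABLE"
}

# Step 3: rewrite the source address. The kernel picks the source IP when the
# socket connects, before the OUTPUT mark re-routes the packet, so without NAT
# the packet leaves the tunnel with the public address as source and the reply
# never returns through it. MASQUERADE takes the outgoing interface's address.
snat_rules() {
    run iptables -t nat -A POSTROUTING -o "$TUN_IF" -m mark --mark "$MARK" -j MASQUERADE
}

apply_all() { mark_rules; policy_routes; snat_rules; }

# check_mark LINE: returns 0 if a conntrack listing line carries mark=$MARK.
# Handy for verifying the CONNMARK step against /proc/net/nf_conntrack output.
check_mark() {
    case " $1 " in
        *" mark=$MARK "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample lines: the first mirrors the question (connection unmarked),
# the second is what the listing looks like once CONNMARK is in place.
SAMPLE_UNMARKED='tcp 6 299 ESTABLISHED src=1.1.1.1 dst=69.163.202.189 sport=37152 dport=22 packets=4 bytes=221 src=69.163.202.189 dst=1.1.1.1 sport=22 dport=37152 packets=2 bytes=133 [ASSURED] mark=0 secmark=0 use=2'
SAMPLE_MARKED='tcp 6 299 ESTABLISHED src=1.2.3.4 dst=69.163.202.189 sport=37152 dport=22 packets=4 bytes=221 src=69.163.202.189 dst=1.2.3.4 sport=22 dport=37152 packets=2 bytes=133 [ASSURED] mark=20 secmark=0 use=2'

apply_all
```

Order matters only in that the route table should exist before traffic is marked; otherwise marked packets are dropped for lack of a route. Source-address selection at connect() time is the reason step 3 cannot be skipped: MARK changes which table the packet is routed by, never the address already written into the IP header.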