
I'm running my own mail server at home on a dynamic IP. Dynamic IPs are often blacklisted, so I currently send out mails through my provider's relay. I want to change that to sending mail directly, and for that purpose have a vserver somewhere with a fixed IP. The vserver is connected to my local server via openvpn. I would like to use the openvpn tunnel for routing (only) outgoing mail to "the world". All other traffic shall take the normal route.

The vserver (public IP on eth0) runs an openvpn server, IP 10.20.0.1. The mail server (local IP 192.168.168.100) runs the openvpn client, IP 10.20.0.6.

Mail server IP routing with openvpn established:

# route
default         192.168.168.1   0.0.0.0         UG    0      0        0 eth0
10.20.0.1       10.9.0.5        255.255.255.255 UGH   0      0        0 tun1
10.20.0.5       *               255.255.255.255 UH    0      0        0 tun1
192.168.168.0   *               255.255.255.0   U     0      0        0 eth0

From my research, I understand that the right way to go should be to mark outgoing mail packets and route them to the vserver. So I tried that on the mail server:

echo 201 mail.out >>/etc/iproute2/rt_tables
ip rule add fwmark 1 table mail.out
iptables -A PREROUTING -t mangle -p tcp --dport 25 -j MARK --set-mark 1
ip route add default via 10.9.0.5 dev tun1 table mail.out

(I will add port 465 later.)

In addition, I have enabled masquerading and IP routing on the vserver.

However, it appears that all outgoing mail traffic is still going out the normal way. Using tcpdump on the vserver, I can't see any trace of outgoing connections to port 25. So connections must still be going direct, outside of the VPN. What have I been missing?

i3i5i7
    Why not just set up your application to use the external mailserver instead of messing with iptables to do it? – Frederik Jul 16 '15 at 08:44
  • Could you name MTA/SMTP server you use locally? It may be simpler/safer to redirect connection from the MTA server. – AnFi Jul 16 '15 at 09:18
  • Using a SMTP relay is easier to set up and maintain than using custom routes. – sebix Jul 16 '15 at 09:31
  • IIRC `PREROUTING` is not traversed by traffic originating from this host itself. In either case, it's easier to simply use `ipproto tcp dport 25` (and optionally, `iif lo`) instead of `fwmark` matching in the ip rule, given that you are not using an ancient kernel and/or iproute2. – Tom Yan Mar 19 '22 at 12:14

1 Answer


You will need to 'mark' packets in the iptables rule.

Lekensteyn's answer to this question actually covers it exactly, even though the question is different: iptables - Target to route packet to specific interface?
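For reference, here is a rule set that applies the marking idea from the answer and the PREROUTING caveat from the comments (locally generated packets only pass the mangle OUTPUT chain). It is an added example, not the asker's or the answerer's code; it assumes the tunnel device tun1, the tunnel gateway 10.9.0.5 and the mail.out table from the question, plus a local tunnel address of 10.20.0.6 and mark value 1. By default it only prints the commands for review; set DRY_RUN=0 to execute them as root.

```shell
#!/bin/sh
# Added example: policy-route locally generated SMTP out through the VPN.
# Assumed values (override via environment): tun1, 10.9.0.5, 10.20.0.6, table 201 "mail.out", mark 1.
TUN_DEV="${TUN_DEV:-tun1}"
TUN_GW="${TUN_GW:-10.9.0.5}"      # tunnel peer, as in the question's routing table
TUN_SRC="${TUN_SRC:-10.20.0.6}"   # this host's tunnel address (assumed)
TABLE_ID="${TABLE_ID:-201}"
TABLE_NAME="${TABLE_NAME:-mail.out}"
MARK="${MARK:-1}"
DRY_RUN="${DRY_RUN:-1}"           # 1 = print commands only, 0 = run them (needs root)

# Emit one command per line for the given destination ports (e.g. 25 465).
plan_rules() {
    # register the table once; skip if the entry already exists
    printf '%s\n' "grep -q '^$TABLE_ID $TABLE_NAME' /etc/iproute2/rt_tables || echo '$TABLE_ID $TABLE_NAME' >> /etc/iproute2/rt_tables"
    for port in "$@"; do
        # locally originated packets never traverse PREROUTING: mark them in OUTPUT
        printf '%s\n' "iptables -t mangle -A OUTPUT -p tcp --dport $port -j MARK --set-mark $MARK"
        # the source address was picked before the mark; rewrite it to the tunnel
        # address so the vserver's replies come back through the tunnel, not the LAN
        printf '%s\n' "iptables -t nat -A POSTROUTING -o $TUN_DEV -p tcp --dport $port -j SNAT --to-source $TUN_SRC"
    done
    # marked packets consult the dedicated table, whose only route is the tunnel
    printf '%s\n' "ip rule add fwmark $MARK table $TABLE_NAME"
    printf '%s\n' "ip route add default via $TUN_GW dev $TUN_DEV table $TABLE_NAME"
    # strict reverse-path filtering would drop replies arriving on tun1 whose
    # source is reachable via eth0 in the main table; loose mode (2) accepts them
    printf '%s\n' "sysctl -w net.ipv4.conf.$TUN_DEV.rp_filter=2"
}

# Run the plan, or just show it when DRY_RUN=1.
apply_rules() {
    if [ "$DRY_RUN" = "1" ]; then plan_rules "$@"; else plan_rules "$@" | sh -e; fi
}

# Sanity check: the plan must not rely on PREROUTING for local traffic.
count_prerouting() { plan_rules "$@" | grep -c PREROUTING || true; }

apply_rules 25 465
```

Verify afterwards with `ip rule show`, `ip route show table mail.out` and `iptables -t mangle -L OUTPUT -v`, and watch for the SYN on the vserver with `tcpdump -ni tun0 tcp port 25`.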